This is the accessible text file for GAO report number GAO-15-290 entitled 'High-Risk Series: An Update' which was released on February 11, 2015. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Committees: February 2015: High-Risk Series: An Update: GAO-15-290: GAO Highlights: Highlights of GAO-15-290, a report to congressional committees. Why GAO Did This Study: The federal government is one of the world’s largest and most complex entities: about $3.5 trillion in outlays in fiscal year 2014 funded a broad array of programs and operations. GAO maintains a high-risk program to focus attention on government operations that it identifies as high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement or the need for transformation to address economy, efficiency, or effectiveness challenges. Since 1990, more than one-third of the areas previously designated as high risk have been removed from the list because sufficient progress was made in addressing the problems identified. The five criteria for removal are (1) leadership commitment, (2) agency capacity, (3) an action plan, (4) monitoring efforts, and (5) demonstrated progress. This biennial update describes the status of high-risk areas listed in 2013 and identifies new high-risk areas needing attention by Congress and the executive branch. Solutions to high-risk problems offer the potential to save billions of dollars, improve service to the public, and strengthen government performance and accountability. What GAO Found: Solid, steady progress has been made in the vast majority of the high- risk areas. Eighteen of the 30 areas on the 2013 list at least partially met all of the criteria for removal from the High Risk List. Of those, 11 met at least one of the criteria for removal and partially met all others. Sufficient progress was made to narrow the scope of two high-risk issues-—Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management. Overall, progress has been possible through the concerted actions of Congress, leadership and staff in agencies, and the Office of Management and Budget. This year GAO is adding 2 areas, bringing the total to 32. * Managing Risks and Improving Veterans Affairs (VA) Health Care. GAO has reported since 2000 about VA facilities’ failure to provide timely health care. In some cases, these delays or (VA’s failure to provide care at all) have reportedly harmed veterans. Although VA has taken actions to address some GAO recommendations, more than 100 of GAO’s recommendations have not been fully addressed, including recommendations related to the following areas: (1) ambiguous policies and inconsistent processes, (2) inadequate oversight and accountability, (3) information technology challenges, (4) inadequate training for VA staff, and (5) unclear resource needs and allocation priorities. The recently enacted Veterans Access, Choice, and Accountability Act included provisions to help VA address systemic weaknesses. VA must effectively implement the act. * Improving the Management of Information Technology (IT) Acquisitions and Operations. Congress has passed legislation and the administration has undertaken numerous initiatives to better manage IT investments. Nonetheless, federal IT investments too frequently fail to be completed or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. GAO has found that the federal government spent billions of dollars on failed and poorly performing IT investments which often suffered from ineffective management, such as project planning, requirements definition, and program oversight and governance. Over the past 5 years, GAO made more than 730 recommendations; however, only about 23 percent had been fully implemented as of January 2015. GAO is also expanding two areas due to evolving high-risk issues. * Enforcement of Tax Laws. This area is expanded to include IRS’s efforts to address tax refund fraud due to identify theft. IRS estimates it paid out $5.8 billion (the exact number is uncertain) in fraudulent refunds in tax year 2013 due to identity theft. This occurs when a thief files a fraudulent return using a legitimate taxpayer’s identifying information and claims a refund. * Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information (PII). This risk area is expanded because of the challenges to ensuring the privacy of personally identifiable information posed by advances in technology. These advances have allowed both government and private sector entities to collect and process extensive amounts of PII more effectively. The number of reported security incidents involving PII at federal agencies has increased dramatically in recent years. What GAO Recommends: This report contains GAO’s views on progress made and what remains to be done to bring about lasting solutions for each high-risk area. Perseverance by the executive branch in implementing GAO’s recommended solutions and continued oversight and action by Congress are essential to achieving greater progress. View [hyperlink, http://www.gao.gov/products/GAO-15-290]. For more information, contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov. [End of section] GAO’s 2015 High Risk List: Strengthening the Foundation for Efficiency and Effectiveness: * Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks. * Management of Federal Oil and Gas Resources. * Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance[A]. * Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability[A]. * Funding the Nation's Surface Transportation System[A]. * Strategic Human Capital Management. * Managing Federal Real Property. * Improving the Management of IT Acquisitions and Operations (new). Transforming DOD Program Management: * DOD Approach to Business Transformation. * DOD Business Systems Modernization. * DOD Support Infrastructure Management[A]. * DOD Financial Management. * DOD Supply Chain Management. * DOD Weapon Systems Acquisition. Ensuring Public Safety and Security: * Mitigating Gaps in Weather Satellite Data. * Strengthening Department of Homeland Security Management Functions. * Establishing Effective Mechanisms for Sharing and Managing Terrorism- Related Information to Protect the Homeland. * Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information[A]. * Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests[A]. * Improving Federal Oversight of Food Safety[A]. * Protecting Public Health through Enhanced Oversight of Medical Products. * Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals[A]. Managing Federal Contracting More Effectively: * DOD Contract Management. * DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management. * NASA Acquisition Management. Assessing the Efficiency and Effectiveness of Tax Law Administration: * Enforcement of Tax Laws[A]. Modernizing and Safeguarding Insurance and Benefit Programs: * Managing Risks and Improving VA Health Care (new). * Improving and Modernizing Federal Disability Programs. * Pension Benefit Guaranty Corporation Insurance Programs[A]. * Medicare Program[A]. * Medicaid Program[A]. * National Flood Insurance Program[A]. Source: GAO. GAO-15-290. [A] Legislation is likely to be necessary to effectively address this high-risk area. [End of table] [End of section] Contents: Letter: Background: Continued Progress: Narrowing High-Risk Areas: Progress in Selected High-Risk Areas: New High-Risk Areas: Evolving High-Risk Areas: Expanding High-Risk Areas: High-Risk Areas Undergoing Significant Transformation: Monitoring High-Risk Areas: Overview for Each High-Risk Area: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks: Management of Federal Oil and Gas Resources: Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance: Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability: Funding the Nation's Surface Transportation System: Strategic Human Capital Management: Managing Federal Real Property: DOD Approach to Business Transformation: DOD Business Systems Modernization: DOD Support Infrastructure Management: DOD Financial Management: DOD Supply Chain Management: DOD Weapon Systems Acquisition: Mitigating Gaps in Weather Satellite Data: Strengthening Department of Homeland Security Management Functions: Establishing Effective Mechanisms for Sharing and Managing Terrorism- Related Information to Protect the Homeland: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: Improving Federal Oversight of Food Safety: Protecting Public Health through Enhanced Oversight of Medical Products: Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals: DOD Contract Management: DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management: NASA Acquisition Management: Enforcement of Tax Laws: Improving and Modernizing Federal Disability Programs: Pension Benefit Guaranty Corporation Insurance Programs: Medicare Program: Medicare Improper Payments: Medicaid Program: Medicaid Improper Payments: National Flood Insurance Program: Appendix I: High-Risk Program History: Appendix II: GAO's 2015 High Risk List: GAO Related Products: Tables: Table 1: Changes to High Risk List, 1990-2015: Table 2: High-Risk Areas Rated Against Five Criteria for Removal: Table 3: Selected Examples of Congressional Actions and Administration Initiatives Leading to Progress on High-Risk Areas: Table 4: Number of Selected Investments Planning to Incrementally Deliver Functionality: Table 5: Agencies' Data Center Consolidation Cost Savings and Avoidances: Table 6: USPS Financial Results, Fiscal Years 2006 through 2014: Table 7: GAO Assessment of Department of Homeland Security Progress in Addressing Key Actions and Outcomes: Table 8: Status of Action Items: Table 9: Year That Areas on GAO's 2015 High Risk List Were Designated High Risk: Table 10: GAO's 2015 High Risk List: Figures: Figure 1: Criteria for Removal from the High Risk List and Examples of Actions Leading to Progress: Figure 2: High-Risk Progress Criteria Ratings: Figure 3: Overall Performance Ratings of Major Investments on the IT Dashboard, as of August 2014: Figure 4: Summary of Planned Fiscal Year 2015 Major and Nonmajor Investments in Development and Operations and Maintenance (Dollars in Billions): Figure 5: Projected Highway Trust Fund Balance, Fiscal Years 2015 to 2024: Figure 6: Percentage of Career Permanent Employees on Board Eligible to Retire by 2018 by Agency (as of September 30, 2013): Figure 7: Comparison of the Cost Performance of DOD's 2011, 2012, and 2013 Portfolios: Figure 8: Incidents Reported to US-CERT by Federal Agencies in Fiscal Years 2006-2014: Figure 9: Information Security Weaknesses at Major Federal Agencies for Fiscal Year 2014: Figure 10: Incidents Involving PII, Fiscal Years 2009 - 2014: Figure 11: PBGC's Net Financial Position of the Single-Employer and Multiemployer Programs Combined: Figure 12: Growth Trends in Federal Spending by Eligibility Groups: Figure 13: Areas Removed from High Risk List, 1990-2015: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: February 11, 2015: The Honorable Ron Johnson: Chairman: The Honorable Tom Carper: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Jason Chaffetz: Chairman: The Honorable Elijah E. Cummings: Ranking Member: Committee on Oversight and Government Reform: House of Representatives: We maintain an ongoing program to focus attention on government operations that are high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement or that are in need of transformation to address economy, efficiency, or effectiveness challenges. This effort, supported by the Senate Committee on Homeland Security and Governmental Affairs and by the House of Representatives Committee on Oversight and Government Reform, has brought much-needed focus to problems impeding effective government and costing billions of dollars each year. To help improve these high-risk operations, we have made hundreds of recommendations. The administration and agencies either have addressed or are addressing many of them. Congress also continues to take actions that are important to helping resolve high- risk issues. For example, during the 113th Congress, Congress held dozens of hearings related to areas on our High Risk List. As a part of our regular updates for each new Congress, this year we are designating two new high-risk areas--Managing Risks and Improving Veterans Affairs (VA) Health Care and Improving the Management of Information Technology (IT) Acquisitions and Operations. These changes bring our 2015 High Risk List to a total of 32 areas.[Footnote 1] In two areas--Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management --progress has been sufficient for us to narrow the scope of the high-risk issue. Specifically, the Food and Drug Administration (FDA) made progress by improving oversight of medical recalls and by implementing the Safe Medical Devices Act of 1990, which strengthened the approval process of medical devices, while the Department of Defense (DOD) made progress by improving the management and oversight of contracting techniques and approaches. Throughout the past two decades, attention to high-risk areas has brought positive results. More than one-third of the areas previously designated as high risk have been removed from the list because sufficient progress was made to address the problems identified. [Footnote 2] In addition, progress has been made in nearly all of the areas that remain on our High Risk List as a result of congressional oversight and action, high-level administration attention, efforts of the responsible agencies, and support from us through our many recommendations and consistent follow up on the implementation of recommended actions. Since our last update in 2013, we issued 317 reports, delivered 78 testimonies to Congress, and prepared numerous other products such as briefings related to our high risk work. We documented more than $40 billion in financial benefits and 866 other improvements related to high-risk areas. Additional progress is both possible and needed in all 32 high-risk areas. Continued perseverance will ultimately yield significant benefits. Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the American public, strengthen public confidence and trust in the performance and accountability of the national government, and ensure the ability of government to deliver on its promises. The high-risk assessment continues to be a top priority and we will maintain our emphasis on identifying high-risk issues across government and on providing insights and sustained attention to help address them, by working collaboratively with Congress, agency leaders, and the Office of Management and Budget (OMB). As part of this effort, we continue to participate in regular meetings with OMB's Deputy Director for Management and with top agency officials to discuss progress in addressing high-risk areas. Such efforts are critical for progress to be made. This high-risk update is intended to help inform the oversight agenda for the 114TH Congress and to guide efforts of the administration and agencies to improve government performance and reduce waste and risks. We are providing this update to the President and Vice President, congressional leadership, other Members of Congress, OMB, and the heads of major departments and agencies. Signed by: Gene L. Dodaro: Comptroller General of the United States: [End of section] Background: Historical Perspective: In 1990, we began a program to report on government operations that we identified as "high risk." Since then, generally coinciding with the start of each new Congress, we have reported on the status of progress to address high-risk areas and to update the High Risk List. Our most recent high-risk update was in February 2013.[Footnote 3] That update identified 30 high-risk areas. Overall, our high-risk program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since our program began, the government has taken high-risk problems seriously and has made long- needed progress toward correcting them. In a number of cases, progress has been sufficient for us to remove the high-risk designation. A summary of changes to our High Risk List over the past 25 years is shown in table 1. Table 1: Changes to High Risk List, 1990-2015: Original High Risk List in 1990; Number of areas: 14. High-risk areas added since 1990; Number of areas: 43. High-risk areas removed since 1990; Number of areas: 23. High-risk areas consolidated since 1990; Number of areas: 2. High Risk List in 2015; Number of areas: 32. Source: GAO. GAO-15-290. [End of table] Additional detail on changes to the High Risk List since 1990 is provided in appendix 1. The appendix shows the time line of areas removed from the list and when the current 32 areas were added to the list. Criteria for Removal: Our experience with the high-risk series over the past 25 years has shown that the key elements needed to make progress in high-risk areas are top-level attention by the administration and agency leaders grounded in the five criteria for removal from the High Risk List, as well as any needed congressional action.[Footnote 4] The five criteria for removal are: * Leadership Commitment. Demonstrated strong commitment and top leadership support. * Capacity. Agency has the capacity (i.e., people and resources) to resolve the risk(s). * Action Plan. A corrective action plan exists that defines the root cause, solutions, and provides for substantially completing corrective measures, including steps necessary to implement solutions we recommended. * Monitoring. A program has been instituted to monitor and independently validate the effectiveness and sustainability of corrective measures. * Demonstrated Progress. Ability to demonstrate progress in implementing corrective measures and in resolving the high-risk area. These five criteria form a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the criteria leads to progress, while satisfying all of the criteria is central to removal from the list. Figure 1 shows the five criteria and examples of actions taken by agencies to address the criteria. Figure 1: Criteria for Removal from the High Risk List and Examples of Actions Leading to Progress: [Refer to PDF for image: illustration] Leadership Commitment: Top Leadership Support; High Risk Criteria Examples: * Establishing long-term priorities and goals; * Developing organizational changes and initiatives; * Providing continuing oversight and accountability; * Initiating or implementing legislation. Capacity: People and Resources; High Risk Criteria Examples: * Allocating or reallocating funds or staff; * Establishing work groups with specific responsibilities; * Establishing and maintaining procedures or systems. Action Plan: Root Causes & Corrective Measures; High Risk Criteria Examples: * Identifying and analyzing root causes of problems; * Identifying critical actions and outcomes to address root causes; * Developing milestones and metrics for implementing plan goals; * Ensuring there are processes for reporting progress; * Establishing goals and performance measures. Monitoring: Substantiate Effectiveness; * Holding frequent review meetings to assess status and performance; * Reporting to senior managers on program progress and potential risks; * Tracking progress against goals. Demonstrated Progress: Resolving the High Risk Area; * Taking actions to ensure progress (or improvements) are sustained; * Using data to show action on plan implementation; * Showing high-risk issues are being effectively managed and root cases are being addressed. Source: GAO analysis of agencies’ actions to address high-risk issues and GAO criteria for removal from the High Risk List in GAO-01-159SP. GAO-15-290. [End of figure] Criteria for Rating Each High-Risk Area: In each of our high-risk updates, for more than a decade, we have assessed progress to address the five criteria for removing the high- risk areas from the list. In this high-risk update, we are adding additional clarity and specificity to our assessments by rating each high-risk area's progress on the criteria, using the following definitions: * Met. Actions have been taken that meet the criterion. There are no significant actions that need to be taken to further address this criterion. * Partially Met. Some, but not all, actions necessary to meet the criterion have been taken. * Not Met. Few, if any, actions towards meeting the criterion have been taken. Figure 2 shows a visual representation of varying degrees of progress in each of the five criteria for a high-risk area. Each point of the star represents one of the five criteria for removal from the High Risk List and each ring represents one of the three designations: not met, partially met, or met. An unshaded point at the innermost ring means that the criterion has not been met, a partially shaded point at the middle ring means that the criterion has been partially met, and a fully shaded point at the outermost ring means that the criterion has been met. Figure 2: High-Risk Progress Criteria Ratings: [Refer to PDF for image: illustration of star] Source: GAO. GAO-15-290. [End of figure] The progress ratings used to address the high-risk criteria are an important part of our efforts to provide greater transparency and specificity to agency leaders as they seek to address high-risk areas. We met with agency leaders to discuss preliminary progress ratings beginning in the spring of 2014 leading up to this high-risk update. These meetings focused on actions taken and on additional actions that needed to be taken to address the high-risk issues. Several agency leaders told us that the additional clarity provided by the progress rating helped them better target their improvement efforts. Continued Progress: Since our last high-risk update in 2013, there has been solid and steady progress on the vast majority of the 30 high-risk areas from our 2013 list. Progress has been possible through the concerted actions and efforts of Congress and the leadership and staff in agencies and within OMB. As shown in table 2, eighteen high-risk areas have met or partially met all criteria for removal from the list; eleven of these areas also fully met at least one criterion. Further, two of these areas--Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management--have made enough progress to remove subcategories of the high-risk areas. Overall, 28 high-risk areas were rated against the five criteria, totaling a possible 140 high-risk area criteria ratings. Of these, 122 (or 87 percent) were rated as met or partially met. Table 2: High-Risk Areas Rated Against Five Criteria for Removal: High Risk Area: NASA Acquisition Management; Number of Criteria: Met: 3; Partially Met: 2; Not Met: 0. High Risk Area: Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland; Number of Criteria: Met: 2; Partially Met: 3; Not Met: 0. High Risk Area: Protecting Public Health through Enhanced Oversight of Medical Products; Number of Criteria: Met: 2; Partially Met: 3; Not Met: 0. High Risk Area: Strengthening Department of Homeland Security Management Functions; Number of Criteria: Met: 2; Partially Met: 3; Not Met: 0. High Risk Area: DOD Contract Management; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: DOD Supply Chain Management; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: DOD Weapon Systems Acquisition; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: Management of Federal Oil and Gas Resources; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: Medicare Program; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: Mitigating Gaps in Weather Satellite Data; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: DOD Support Infrastructure Management; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: Improving and Modernizing Federal Disability Programs; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: Medicaid Program; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: National Flood Insurance Program; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0. High Risk Area: Enforcement of Tax Laws; Number of Criteria: Met: 1; Partially Met: 3; Not Met: 1. High Risk Area: Managing Federal Real Property; Number of Criteria: Met: 1; Partially Met: 3; Not Met: 1. High Risk Area: DOD Business Systems Modernization; Number of Criteria: Met: 0; Partially Met: 4; Not Met: 1. High Risk Area: Strategic Human Capital Management; Number of Criteria: Met: 0; Partially Met: 4; Not Met: 1. High Risk Area: Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals; Number of Criteria: Met: 1; Partially Met: 2; Not Met: 2. High Risk Area: DOD Financial Management; Number of Criteria: Met: 0; Partially Met: 3; Not Met: 2. High Risk Area: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks; Number of Criteria: Met: 0; Partially Met: 3; Not Met: 2. High Risk Area: Improving Federal Oversight of Food Safety; Number of Criteria: Met: 0; Partially Met: 3; Not Met: 2. High Risk Area: DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management; Number of Criteria: Met: 1; Partially Met: 1; Not Met: 3. High Risk Area: DOD Approach to Business Transformation; Number of Criteria: Met: 0; Partially Met: 2; Not Met: 3. High Risk Area: Funding the Nation's Surface Transportation System; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A. High Risk Area: Improving the Management of IT Acquisitions and Operations; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A. High Risk Area: Managing Risks and Improving VA Health Care; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A. High Risk Area: Pension Benefit Guaranty Corporation Insurance Programs; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A. Legend: N/A = Not applicable. Source: GAO. GAO-15-290. Note: There are four high-risk areas that received a "not applicable" rating because (1) they are either new to our 2015 High-Risk List (Managing Risks and Improving VA Health Care and Improving the Management of IT Acquisitions and Operations) or (2) addressing the high-risk area primarily involves congressional action and the high- risk criteria and subsequent ratings were developed to reflect the status of agencies' actions and the additional steps they need to take (Funding the Nation's Surface Transportation System and Pension Benefit Guaranty Corporation Insurance Programs). [End of table] Throughout the history of the high-risk program, Congress played an important role through its oversight and (where appropriate) through legislative action targeting both specific problems and the high-risk areas overall. Since our last high-risk report, several high-risk areas have received congressional oversight and legislation needed to make progress in addressing risks. Table 3 provides examples of congressional actions and of high-level administration initiatives-- discussed in more detail throughout this report--that have led to progress in addressing high-risk areas. Additional congressional actions and administrative initiatives are also included in the individual high-risk areas discussed in this report. Table 3: Selected Examples of Congressional Actions and Administration Initiatives Leading to Progress on High-Risk Areas: High-risk area: Mitigating Gaps in Weather Satellite Data; Selected example: In January 2013, Congress passed the Disaster Relief Appropriations Act, 2013, which contained $111 million in funding for satellite gap mitigation projects. According to National Oceanic and Atmospheric Administration officials, this amount was reduced by 5 percent due to budget cuts related to sequestration. High-risk area: Protecting Public Health through Enhanced Oversight of Medical Products; Selected example: Congress enacted the Drug Quality and Security Act in November 2013, which contains provisions that should help the Food and Drug Administration respond to challenges in two distinct areas that we reported on in July 2013: (1) the hazards posed by unsafe drugs from an increasingly complex pharmaceutical supply chain that includes "rogue" Internet pharmacies and (2) the public health threat posed by improperly compounded drugs. High-risk area: Pension Benefit Guaranty Corporation (PBGC) Insurance Programs; Selected example: In December 2014, Congress took action to address the growing crisis in the multiemployer pension system with passage of the Multiemployer Pension Reform Act of 2014 (MPRA), which enacted several reforms responsive to our 2013 report on PBGC's multiemployer program. MPRA provided severely underfunded plans, under certain conditions and with the approval of federal regulators, the option to reduce the retirement benefits of current retirees to avoid plan insolvency and expand PBGC's ability to intervene when plans are in financial distress. While these reforms are intended to improve the program's financial condition, the future insolvency of the multiemployer program remains likely. In addition, to help address PBGC's overall deficit, the Bipartisan Budget Act of 2013 increased premium rates for the single-employer program and MPRA increased premiums for the multiemployer program. High-risk area: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information; Selected example: In December 2014, 5 cybersecurity-related bills were enacted into law. (1) The Federal Information Security Modernization Act of 2014 revised the Federal Information Security Management Act of 2002. Among other things, it gave DHS responsibilities to assist OMB in overseeing civilian agency information security policies and practices for information systems. In addition, it requires agencies to include automated tools in periodic testing of systems and expands requirements for reporting major incidents and data breach notifications. (2) The Cybersecurity Workforce Assessment Act requires DHS to assess its cybersecurity workforce and develop a comprehensive strategy to enhance the readiness, capacity, training, recruitment, and retention of its cybersecurity workforce. (3) The Homeland Security Cybersecurity Workforce Assessment Act requires DHS to identify cybersecurity positions and the specialty areas of critical need in the DHS cybersecurity workforce. (4) The National Cybersecurity Protection Act of 2014 codifies the role of DHS's National Cybersecurity and Communications Integration Center, a 24x7 cyber situational awareness, incident response and management center that is a national nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement. (5) The Cybersecurity Enhancement Act of 2014 authorizes the Department of Commerce, through the National Institute of Standards and Technology, to facilitate and support the development of voluntary standards to reduce cyber-risks to critical infrastructure. The law also requires the Office of Science and Technology Policy in the Executive Office of the President to facilitate agencies development of a federal cybersecurity research and development plan. High-risk area: DOD Approach to Business Transformation; Selected example: The Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015 converted the Deputy Chief Management Officer to the Under Secretary of Defense for Business Management and Information. The Under Secretary of Defense for Business Management and Information will assist the Deputy Secretary of Defense in his role as the Chief Management Officer (CMO). The Under Secretary of Defense for Business Management and Information will also serve as the Chief Information Officer and Performance Improvement Officer for the Department of Defense. These changes will take effect on February 1, 2017. High-risk area: DOD Financial Management; Selected example: The National Defense Authorization Act (NDAA) for Fiscal Year 2013 required the Financial Improvement and Audit Readiness (FIAR) Plan to state the actions taken to ensure validation of the audit readiness of the Department of Defense (DOD) Statement of Budgetary Resources no later than September 30, 2014. Although the November 2014, FIAR Plan Status Report acknowledges that DOD has not met that date, Congress' action to set a specific date for the goal of DOD audit readiness is important for holding DOD accountable for progress. Congress further strengthened accountability in the NDAA for Fiscal Year 2014 by requiring a full audit of DOD's fiscal year 2018 financial statements and for those results to be submitted to Congress no later than March 31, 2019. High-risk area: Strengthening Department of Homeland Security Management Functions; Selected example: The Department of Homeland Security (DHS) has established various initiatives collectively intended to improve its unity of effort by, among other things, improving the department's planning, programming, budgeting, and execution processes through strengthened departmental structures and increased capability. In addition, DHS has increased component-level acquisition capability by, among other things, initiating monthly Component Acquisition Executive staff forums to provide guidance and share best practices. DHS has also strengthened its enterprise architecture program (or blueprint) to guide and constrain information technology acquisitions, and obtained a clean opinion on its financial statements for two consecutive years, fiscal years 2013 and 2014. High-risk area: Improving and Modernizing Federal Disability Programs; Selected example: The Administration has set goals for hiring people with disabilities and launched a training course in July 2014 to help federal agencies hire, retain, and advance employees with disabilities. The Administration continues to track--and has made some progress increasing--employment for people with disabilities at federal agencies. Source: GAO. GAO-15-290. [End of table] Top administration officials have continued to show their commitment to ensuring that high-risk areas receive attention and oversight. The OMB regularly convenes meetings for agencies to provide progress updates on high-risk issues. When a high-risk issue area ranges across agencies, OMB coordinates with representatives from multiple agencies to participate. These meetings typically include OMB's Deputy Director for Management, the Comptroller General of the United States, participating agencies' representatives to the President's Management Council, and other administration and agency staff members responsible for addressing the high-risk issue. The meetings provide an opportunity for discussion on agency initiatives, updates, and plans, as well as progress and challenges to resolving high-risk issues. As described by OMB staff, these discussions have served to keep the lines of communication open and continue to build the deeper connections needed to find solutions to these high-risk problems. To further stimulate progress in addressing high-risk issues, the Comptroller General and the OMB Deputy Director for Management led a forum on high-risk issues that we jointly sponsored with the National Academy of Public Administration on May 1, 2014.[Footnote 5] The forum focused on strategies, tactics, and tips to improve performance and address risks. Forum participants and attendees included current and former agency leaders, administration officials, and experts on management and performance improvement from the private and non-profit sectors as well as academia. The forum included a discussion of our criteria for removal from the High Risk List, which is useful in guiding agencies' efforts to address high- risk issues. We will continue to focus on high-risk issues and to provide information and recommendations to agency leaders, administrations, and Congress. Since our last update in 2013, we issued 317 reports, delivered 78 testimonies to Congress, and prepared numerous other products such as briefings. We documented more than $40 billion in financial benefits and 866 other improvements related to high-risk areas. Narrowing High-Risk Areas: In the 2 years since the last high-risk update, sufficient progress has been made in two areas--Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management--that we are narrowing the scope of these high-risk areas. Figure: Protecting Public Health through Enhanced Oversight of Medical Products: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Protecting Public Health through Enhanced Oversight of Medical Products: Our work has identified the following high-risk issues related to the Food and Drug Administration's (FDA) efforts to oversee medical products: 1) oversight of medical device recalls, 2) implementation of the Safe Medical Devices Act of 1990, 3) the effects of globalization on medical product safety, and 4) shortages of medically necessary drugs. We added the oversight of medical products to our High Risk List in 2009. Since our 2013 high-risk update, FDA has made substantial progress addressing the first two areas; therefore, we have narrowed this area to remove these issues from our High Risk List. However, the second two issues, globalization and drug shortages, remain pressing concerns. Medical Device Recalls: FDA has greatly improved its oversight of medical device recalls by fully implementing all of the recommendations made in our 2011 report on this topic. Recalls provide an important tool to mitigate serious health consequences associated with defective or unsafe medical devices. We found that FDA had not routinely analyzed recall data to determine whether there are systemic problems underlying trends in device recalls. We made specific recommendations to the agency that it enhance its oversight of recalls. FDA is fully implementing our recommendations and has developed a detailed action plan to improve the recall process, analyzed 10 years of medical device recall trend data, and established explicit criteria and set thresholds for determining whether recalling firms have performed effective corrections or removals of defective products. These actions have addressed this high-risk issue. Safe Medical Devices Act of 1990: The Safe Medical Devices Act of 1990 requires FDA to determine the appropriate process for reviewing certain high-risk devices--either reclassifying certain high-risk medical device types to a lower-risk class or establishing a schedule for such devices to be reviewed through its most stringent premarket approval process. We found that FDA's progress was slow and that it had never established a timetable for its reclassification or re-review process. As a result, many high- risk devices--including device types that FDA has identified as implantable, life sustaining, or posing a significant risk to the health, safety, or welfare of a patient--still entered the market through FDA's less stringent premarket review process. We recommended that FDA expedite its implementation of the act. Since then, FDA has made good progress and began posting the status of its reviews on its website. FDA has developed an action plan with a goal of fully implementing the provisions of the act by the second quarter of calendar year 2015. While FDA has more work to do, it has made sufficient progress to address this high-risk issue. Congressional Action: Congressional oversight and legislative action in recent years have also contributed to strengthening FDA's ability to better protect public health. Over the past 2 years, Congress has held hearings that have addressed globalization, the safety of the pharmaceutical supply chain, drug shortages, and oversight of compounding pharmacies. Additionally, Congress enacted the Drug Quality and Security Act in November 2013, which contains provisions that should help FDA respond to challenges in two distinct areas that we reported on in July 2013: (1) the hazards posed by unsafe drugs from an increasingly complex pharmaceutical supply chain that includes "rogue" Internet pharmacies and (2) the public health threat posed by improperly compounded drugs. Additional information on Protecting Public Health through Enhanced Oversight of Medical Products is provided on page 268 of this report. DOD Contract Management: Figure: DOD Contract Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The DOD obligates more than $300 billion annually on contracts for goods and services, including major weapon systems, support for military bases, information technology, consulting services, and commercial items. Based on our reviews of DOD's contract management activities over many years, we placed this area on our High Risk List in 1992. For the past decade, our work and that of others has identified challenges DOD faces within four segments of contract management: (1) the acquisition workforce, (2) contracting techniques and approaches, (3) service acquisitions, and (4) operational contract support. DOD has made sufficient progress in one of the four segments-- its management and oversight of contracting techniques and approaches-- to warrant its removal as a separate segment within the overall DOD contract management high-risk area. Significant challenges still remain in the other three segments. Contracting techniques and approaches encompass the broad array of options available to DOD acquisition and contracting personnel to acquire goods and services. These options include choosing the most appropriate contract type and the effective use of competition. These and other techniques and approaches are critical to the successful acquisition of goods and services. However, in the past, we have found weaknesses in several of these areas. For example, we have identified weaknesses in DOD's use of undefinitized contract actions (which authorize contractors to begin work before reaching a final agreement on contract terms), time-and-materials contracts (which compensate contractors based on hours of effort rather than outcomes achieved), award fees, and competition. We made numerous recommendations to address the specific issues we identified. DOD leadership has generally taken actions to address our recommendations. For example, DOD promulgated regulations to better manage its use of time-and-materials contracts and undefinitized contract actions. In addition, the OMB directed agencies to take action to reduce the use of noncompetitive and time-and-materials contracts. Similarly, Congress has enacted legislation to limit the length of noncompetitive contracts and require DOD to issue guidance to link award fees to acquisition outcomes. Over the past several years, DOD's top leadership has taken significant steps to plan and monitor progress in the management and oversight of contracting techniques and approaches. For example, through its Better Buying Power initiatives DOD leadership identified a number of actions to promote effective competition and to better utilize specific contracting techniques and approaches. In that regard, in 2010 DOD issued a policy containing new requirements for competed contracts that received only one offer--a situation OMB has noted deprives agencies of the ability to consider alternative solutions in a reasoned and structured manner and which DOD has termed "ineffective competition." These changes were codified in DOD's acquisition regulations in 2012. In May 2014, we concluded that DOD's regulations help decrease some of the risks of one offer awards, but also that DOD needed to take additional steps to continue to enhance competition, such as establishing guidance for when contracting officers should assess and document the reasons only one offer was received.[Footnote 6] DOD concurred with the two recommendations we made in our report and has since implemented one of them. Moreover, DOD has been using its Business Senior Integration Group (BSIG)--an executive-level leadership forum--for providing oversight in the planning, execution, and implementation of these initiatives. In March 2014, the Director of the Office of Defense Procurement and Acquisition Policy presented an assessment of DOD competition trends that provided information on competition rates across DOD and for selected commands within each military department and proposed specific actions to improve competition. The BSIG forum provides a mechanism by which DOD can address ongoing and emerging weaknesses in contracting techniques and approaches, and by which DOD can monitor the effectiveness of its efforts. Further, in June 2014, DOD issued its second annual assessment of the performance of the defense acquisition system, which included data on its competition rate and goals, assessments of the effect of contract type on cost and schedule control, and the impact of competition on the cost of major weapon systems. An institution as large, complex, and diverse as DOD, and one that obligates hundreds of billions of dollars under contracts each year, will continue to face challenges with its contracting techniques and approaches. We will maintain our focus on identifying these challenges and proposing solutions. However, at this point DOD's continued commitment and demonstrated progress in this area--including the establishment of a framework by which DOD can address ongoing and emerging issues associated with the appropriate use of contracting techniques and approaches--provide a sufficient basis to remove this segment from the DOD contract management high-risk area. Additional information on DOD Contract Management is provided on page 287 of this report. Progress in Selected High-Risk Areas: In addition to the two areas that we narrowed--Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management--nine other areas met at least one of the criteria for removal from the High Risk List and were rated at least partially met for all four of the remaining criteria. These areas serve as examples of solid progress made to address high-risk issues through implementation of our recommendations and through targeted corrective actions. Further, each example underscores the importance of high- level attention given to high-risk areas within the context of our criteria by the administration and by coordinated congressional action. To sustain progress in these areas, and to make progress in other high-risk areas--including eventual removal from the High Risk List--focused leadership attention and ongoing action will be needed. NASA Acquisition Management: Figure: NASA Acquisition Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Met; Demonstrated Progress: Partially Met. Three Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The National Aeronautics and Space Administration's (NASA) continued efforts to strengthen and integrate its acquisition management functions have resulted in the agency meeting three criteria for removal from GAO's High Risk List--leadership commitment, a corrective action plan, and monitoring. For example, NASA has completed the implementation of its corrective action plan, which was managed by the Deputy Administrator, with the Chief Engineer, the Chief Financial Officer, and the agency's Associate Administrator having led implementation of the individual initiatives.[Footnote 7] The plan identified metrics to assess the progress of implementation, which NASA continues to track and report semi-annually. These metrics include cost and schedule performance indicators for NASA's major development projects and we have found that NASA's performance metrics generally reflect improved performance. For example, average cost and schedule growth for NASA's major projects has declined since 2011 and most of NASA's major projects are tracking metrics, which we recommended in 2011 to better assess design stability and decrease risk. In addition, NASA has taken action in response to our recommendations to improve the use of earned value management (EVM)--a tool designed to help project managers monitor progress--such as by conducting an EVM gap analysis to determine whether each center has the requisite skills to effectively utilize EVM. These actions have helped NASA to create better baseline estimates and track performance such that NASA has been able to launch more projects on time and within cost estimates. However, we found that NASA needs to continue its efforts to increase agency capacity to address ongoing issues through additional guidance and training of personnel. Such efforts should help maximize improvements and to demonstrate that the improved cost and schedule performance will be sustained, even for the agency's most expensive and complex projects. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on NASA Acquisition Management is provided on page 307 of this report. Establishing Effective Mechanisms for Sharing and Managing Terrorism- Related Information to Protect the Homeland: Figure: Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The federal government has made significant progress in promoting the sharing of information on terrorist threats and, as a result, has met our criteria for leadership commitment and capacity and has partially met the remaining criteria for this high-risk area. Significant progress was made in this area by developing a more structured approach to achieving the Information Sharing Environment (Environment) and by defining the highest priority initiatives to accomplish. In December 2012, the President released the National Strategy for Information Sharing and Safeguarding (Strategy), which provides guidance on the implementation of policies, standards, and technologies that promote secure and responsible national security information sharing. In 2013, in response to the strategy, the Program Manager for the Environment released the Strategic Implementation Plan for the National Strategy for Information Sharing and Safeguarding (Implementation Plan). The Implementation Plan provides a roadmap for the implementation of the priority objectives in the Strategy. The Implementation Plan also assigns stewards to coordinate each priority objective--in most cases, a senior department official--and provides timeframes and milestones for achieving the outcomes in each objective. Adding to this progress is the work the Environment has done to address our previous recommendations. In our 2011 report on the Environment, we recommended that key departments better define incremental costs for information sharing activities and establish an enterprise architecture management plan. Since then, senior officials in each key department reported that any incremental costs related to implementing the Environment are now embedded within each department's mission activities and operations and do not require separate funding. Further, the 2013 Implementation Plan includes actions for developing aspects of an architecture for the Environment. In 2014, the Program Manager issued the Information Interoperability Framework, which begins to describe key elements intended to help link systems across departments to enable information sharing. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland is provided on page 221 of this report. Strengthening Department of Homeland Security Management Functions: Figure: Strengthening Department of Homeland Security Management Functions: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The Department of Homeland Security's (DHS) continued efforts to strengthen and integrate its management functions have resulted in the department meeting two criteria for removal from the High Risk List (leadership commitment and a corrective action plan) and partially meeting the remaining three criteria (capacity, a framework to monitor progress, and demonstrated, sustained progress). DHS's top leadership, including the Secretary and Deputy Secretary of Homeland Security (who assumed leadership of the department after our 2013 update) have continued to demonstrate exemplary commitment and support for addressing the department's management challenges. For instance, the department's Deputy Secretary, Under Secretary for Management, and other senior management officials have frequently met with us to discuss the department's plans and progress, which helps ensure a common understanding of the remaining work needed to address our high- risk designation. In April 2014, the Secretary of Homeland Security issued Strengthening Departmental Unity of Effort, a Memorandum committing the agency to, among other things, improving DHS's planning, programming, budgeting, and execution processes through strengthened departmental structures and increased capability. In addition, DHS has continued to provide updates to the report Integrated Strategy for High Risk Management, demonstrating a continued focus on addressing its high-risk designation. The integrated strategy includes key management initiatives and related corrective action plans for achieving 30 actions and outcomes, which we identified and DHS agreed are critical to addressing the challenges within the department's management areas and to integrating those functions across the department. Further, DHS has demonstrated progress to fully address nine of these actions and outcomes, five of which it has sustained as fully implemented for at least 2 years. For example, DHS fully addressed two outcomes because it received a clean audit opinion on its financial statements for 2 consecutive fiscal years, 2013 and 2014. In addition, the department strengthened its enterprise architecture program (or technology blueprint) to guide IT acquisitions by, among other things, largely addressing our prior recommendations aimed at adding needed architectural depth and breadth. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on Strengthening Department of Homeland Security Management Functions is provided on page 209 of this report. DOD Supply Chain Management: Figure: DOD Supply Chain Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has made progress in addressing weaknesses in all three dimensions of its supply chain management areas: inventory management, materiel distribution, and asset visibility. With respect to inventory management, DOD has demonstrated considerable progress in implementing its statutorily-mandated corrective action plan. This plan is intended to reduce excess inventory and improve inventory management practices. Additionally, DOD has established a performance management framework, including metrics and milestones, to track the implementation and effectiveness of its corrective action plan, and has demonstrated considerable progress in reducing its excess inventory and improving its inventory management. For example, DOD reported that its percentage of on-order excess inventory dropped from 9.5 percent in fiscal year 2009 to 7.9 percent in fiscal year 2013. DOD calculates the percentage by dividing the amount of on-order excess inventory by the total amount of on-order inventory. In response to our 2012 recommendations on the implementation of the plan, DOD continues to re- examine its goals for reducing excess inventory, has revised its goal for reducing on-hand excess inventory (it achieved its original goal early), and is in the process of institutionalizing its inventory management metrics in policy. DOD has also made progress in addressing its materiel distribution challenges. Specifically, DOD has implemented, or is implementing, distribution-related initiatives that could serve as a basis for a corrective action plan. For example, DOD developed its Defense Logistics Agency (DLA) Distribution Effectiveness Initiative, formerly called Strategic Network Optimization, to improve logistics efficiencies in DOD's distribution network and to reduce transportation costs. This initiative accomplishes these objectives by storing materiel at strategically located DLA supply sites. Further, DOD has demonstrated significant progress in addressing its asset visibility weaknesses by taking steps to implement our February 2013 recommendation that DOD develop a strategy and execution plans that contain all the elements of a comprehensive strategic plan, including, among other elements, performance measures for gauging results. DOD's January 2014 Strategy for Improving DOD Asset Visibility represents a corrective action plan and contains goals and objectives--as well as supporting execution plans--outlining specific objectives intended to improve asset visibility. DOD's Strategy calls for organizations to identify at least one outcome or key performance indicator for assessing performance in implementing the initiatives intended to improve asset visibility. DOD has also established a structure, including its Asset Visibility Working Group, for monitoring implementation of its asset visibility improvement initiatives. Although progress has been made, more work remains to fully address the issues identified in this high-risk area. Additional information on Strengthening DOD Supply Chain Management is provided on page 184 of this report. DOD Weapon Systems Acquisition: Figure: DOD Weapon Systems Acquisition: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Congress and the DOD have long sought to improve the acquisition of major weapon systems, yet many DOD programs are still falling short of cost, schedule, and performance expectations. The results are unanticipated cost overruns, reduced buying power, and in some cases delays or reductions in the capability ultimately delivered to the warfighter. Our past work and prior high-risk updates have identified multiple weaknesses in the way DOD acquires the weapon systems it delivers to the warfighter and made numerous recommendations on how to address these weaknesses. Recent actions taken by top leadership at DOD indicate a firm commitment to improving the acquisition of weapon systems as demonstrated by the release and implementation of the Under Secretary of Defense for Acquisition, Technology, and Logistics "Better Buying Power" initiatives. These initiatives include measures such as setting and enforcing affordability constraints, instituting a long-term investment plan for portfolios of weapon systems, implementing "should cost" management to control contract costs, eliminating redundancies within portfolios, and emphasizing the need to adequately grow and train the acquisition workforce. DOD also has made progress in its efforts to assess the root causes of poor weapon system acquisition outcomes and in monitoring the effectiveness of its actions to improve its management of weapon systems acquisition. Through changes to acquisition policies and procedures, DOD has made demonstrable progress and, if these reforms are fully implemented, acquisition outcomes should improve. At this point, there is a need to build on existing reforms by tackling the incentives that drive the process and behaviors. In addition, further progress must be made in applying best practices to the acquisition process, attracting and empowering acquisition personnel, reinforcing desirable principles at the beginning of the program, and improving the budget process to allow better alignment of programs and their risks and needs. While DOD has made real progress on the issues we have identified in this area, which has been on our High Risk List since its inception in 1990, with the prospect of slowly growing or flat defense budgets for years to come the Department must continue this progress and get better returns on its weapon system investments than it has in the past. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on DOD Weapon Systems Acquisition is provided on page 197 of this report. Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information: Figure: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Although significant challenges remain, the federal government has made progress in addressing several issues that are key to improving the security of its cyber assets. For example, Congress, as part of its ongoing oversight, passed five bills, which became law, for improving the security of cyber assets. The first, The Federal Information Security Modernization Act of 2014,[Footnote 8] revises the Federal Information Security Management Act of 2002 (FISMA) [Footnote 9] and clarifies roles and responsibilities for overseeing and implementing federal agencies' information security programs. The second law, The Cybersecurity Workforce Assessment Act, [Footnote 10] requires DHS to assess its cybersecurity workforce and develop a strategy for addressing workforce gaps. The third, The Homeland Security Cybersecurity Workforce Assessment Act, [Footnote 11] requires DHS to identify all of its cybersecurity positions and calls for the department to identify specialty areas of critical need in its cybersecurity workforce. The fourth, The National Cybersecurity Protection Act of 2014,[Footnote 12] codifies the role of DHS' National Cybersecurity and Communications Integration Center as the nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement. The fifth, The Cybersecurity Enhancement Act of 2014,[Footnote 13] authorizes the Department of Commerce, through the National Institute of Standards and Technology, to facilitate and support the development of voluntary standards to reduce cyber risks to critical infrastructure. The White House and senior leaders at DHS have also committed to securing critical cyber assets. Specifically, the President has signed legislation and issued strategy documents for improving aspects of cybersecurity, as well as an executive order and a policy directive for improving the security and resilience of critical cyber infrastructure. In addition, DHS and its senior leaders have committed time and resources to advancing cybersecurity efforts at federal agencies and to promoting critical infrastructure sectors' use of a cybersecurity framework. However, securing cyber assets remains a challenge for federal agencies. Continuing challenges, such as shortages in qualified cybersecurity personnel and effective monitoring of, and continued weaknesses in, agencies' information security programs need to be addressed. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information is provided on page 235 of this report. Management of Federal Oil and Gas Resources: Figure: Management of Federal Oil and Gas Resources: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The Department of the Interior's (Interior) continued efforts to improve its management of federal oil and gas resources has resulted in the department meeting one of the criteria for removal from GAO's High Risk List--leadership commitment. Interior has implemented a number of strategies and corrective measures to help ensure the department collects its share of revenue from oil and gas produced on federal lands and waters. Additionally, Interior is developing a comprehensive approach to address its ongoing human capital challenges. In November 2014, Interior senior leaders briefed us on the department's commitment to address the high-risk issue area by describing the following corrective actions. * To help ensure Interior collects revenues from oil and gas produced on federal lands and waters, Interior has taken steps to strengthen its efforts to improve the measurement of oil and gas produced on federal leases by ensuring a link between what happens in the field (measurement and operations) and what is reported to Interior's Office of Natural Resources Revenue or ONRR (production volumes and dispositions). To ensure that federal oil and gas leases are inspected, Interior is hiring inspectors and engineers with an understanding of metering equipment and measurement accuracy. The department has several efforts underway to assure that oil and gas are accurately measured and reported. For example, ONRR contracted for a study to automate data collection from production metering systems. In 2012, the Bureau of Safety and Environmental Enforcement (BSEE) hired and provided measurement training to a new measurement inspection team. To better ensure a fair return to the federal government from leasing and production activities from federal offshore leases, Interior raised royalty rates, minimum bids, and rental rates. For onshore federal leases, according to Interior's November 2014 briefing document, ONRR's Economic Analysis Office will provide the Bureau of Land Management (BLM) monthly analyses of global and domestic market conditions as BLM initiates a rulemaking effort to provide greater flexibility in setting onshore royalty rates. * To address the department's ongoing human capital challenges, Interior is working with the Office of Personnel Management to establish permanent special pay rates for critical energy occupations in key regions, such as the Gulf of Mexico. Bureau managers are being trained on the use of recruitment, relocation, and retention incentives to improve hiring and retention. Bureaus are implementing or have implemented data systems to support the accurate capture of hiring data to address delays in the hiring process. Finally, Interior is developing strategic workforce plans to assess the critical skills and competencies needed to achieve current and future program goals. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on Interior's management of federal oil and gas resources is provided on page 94 of this report. Medicare Improper Payments: Figure: Medicare Improper Payments: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The Centers for Medicare & Medicaid Services (CMS), in the Department of Health and Human Services (HHS), administers Medicare. CMS has continued to focus on reducing improper payments in the Medicare program, which has resulted in the agency meeting our leadership commitment criterion for removal from the High Risk List and partially meeting our other four criteria. HHS has demonstrated top leadership support for addressing this risk area by continuing to designate "strengthened program integrity through improper payment reduction and fighting fraud" an HHS strategic priority and, through its dedicated Center for Program Integrity, CMS has taken multiple actions to improve in this area. For example, as we recommended in November 2012, CMS centralized the development and implementation of automated edits-- prepayment controls used to deny Medicare claims that should not be paid--based on a type of national policy called national coverage determinations. Such action will ensure greater consistency in paying only those Medicare claims that are consistent with national policies. In addition, CMS has taken action to implement provisions of the Patient Protection and Affordable Care Act (PPACA) that Congress enacted to combat fraud, waste, and abuse in Medicare. For instance, in March 2014, CMS awarded a contract to a Federal Bureau of Investigation-approved contractor that will enable the agency to conduct fingerprint-based criminal history checks of high-risk providers and suppliers. This and other provider screening procedures will help block the enrollment of entities intent on committing fraud. Although CMS has demonstrated its commitment and made certain progress, further work is needed to fully address this high-risk area. Additional information on Medicare Improper Payments is provided on page 359 of this report. Mitigating Gaps in Weather Satellite Data: Figure: Mitigating Gaps in Weather Satellite Data: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The National Oceanic and Atmospheric Administration (NOAA) has made progress toward improving its ability to mitigate gaps in weather satellite data. NOAA has demonstrated leadership on both its polar- orbiting and geostationary satellite programs by making decisions on how it plans to mitigate anticipated and potential gaps, and in making progress on multiple mitigation-related activities. In addition, the agency implemented our recommendations to improve its polar-orbiting and geostationary satellite gap contingency plans. Specifically, in September 2013, we recommended that NOAA establish a comprehensive contingency plan for potential polar satellite data gaps that was consistent with contingency planning best practices. In February 2014, NOAA issued an updated plan that addressed many, but not all, of the best practices. For example, the updated plan includes additional contingency alternatives; accounts for additional gap scenarios; identifies mitigation strategies to be executed; and identifies specific activities for implementing those strategies along with associated roles and responsibilities, triggers, and deadlines. In addition, in September 2013, we reported that while NOAA had established contingency plans for the loss of geostationary satellites, these plans did not address user concerns over potential reductions in capability and did not identify alternative solutions and timelines for preventing a delay in the Geostationary Operational Environmental Satellite-R (GOES-R) launch date. We recommended the agency revise its contingency plans to address these weaknesses. In February 2014, NOAA released a new satellite contingency plan that improved in many, but not all, of the best practices. For example, the updated plan clarified requirements for notifying users regarding outages and impacts, and provided detailed information on responsibilities for each action in the plan. Although progress has been made, more work remains to be done to fully address the issues identified in this high-risk area. Additional information on Mitigating Gaps in Weather Satellite Data is provided on page 203 of this report. [End of section] New High-Risk Areas: To determine which federal government programs and functions should be designated high risk, we use our guidance document, Determining Performance and Accountability Challenges and High Risks.[Footnote 14] In making this determination, we consider whether the program or function is of national significance or is key to performance and accountability. Further, we consider qualitative factors, such as whether the risk: * involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens' rights, or: * could result in significantly impaired service, program failure, injury or loss of life, or significantly reduced economy, efficiency, or effectiveness. We also consider the exposure to loss in monetary or other quantitative terms. At a minimum, $1 billion must be at risk, in areas such as the value of major assets being impaired; revenue sources not being realized; major agency assets being lost, stolen, damaged, wasted, or underutilized; potential for, or evidence of improper payments; and presence of contingencies or potential liabilities. Before making a high-risk designation, we also consider corrective measures planned or under way to resolve a material control weakness and the status and effectiveness of these actions. For 2015, we are designating two new high-risk areas--Managing Risks and Improving VA Health Care and Improving the Management of IT Acquisitions and Operations. Managing Risks and Improving VA Health Care: Why Area Is High Risk: In response to serious and longstanding problems with veterans' access to care, which were highlighted in a series of congressional hearings in the spring and summer of 2014, Congress enacted the Veterans Access, Choice, and Accountability Act of 2014 (Pub. L. No. 113-146, 128 Stat. 1754), which provides $15 billion in new funding for Department of Veterans Affairs (VA) health care. Generally, this law requires VA to offer veterans the option to receive hospital care and medical services from a non-VA provider when a VA facility cannot provide an appointment within 30 days, or when veterans reside more than 40 miles from the nearest VA facility. Under the law, VA received $10 billion to cover the expected increase in utilization of non-VA providers to deliver health care services to veterans. The $10 billion is available until expended and is meant to supplement VA's current budgetary resources for medical care. Further, the law appropriated $5 billion to increase veterans' access to care by expanding VA's capacity to deliver care to veterans by hiring additional clinicians and improving the physical infrastructure of VA's facilities. It is therefore critical that VA ensures its resources are being used in a cost-effective manner to improve veterans' timely access to health care. VA operates one of the largest health care delivery systems in the nation. As of fiscal year 2014, VA was operating an expansive system of health care facilities, including 150 medical centers and more than 800 community-based outpatient clinics nationwide. In the years since the United States began conducting military operations in Afghanistan and Iraq, enrollment in the VA health care system has increased significantly--from 6.8 million veterans in fiscal year 2002 to 8.9 million veterans in fiscal year 2013. Consequently, VA has faced a growing demand by veterans for its health care services, a trend that is expected to continue. For example, the total number of annual outpatient medical appointments VA provided increased by 39.9 million visits (or about 85 percent) between fiscal years 2002 and 2013. Over that same period, Congress provided steady increases in VA's annual health care budget, with amounts more than doubling, increasing from $23.0 billion to $55.5 billion between fiscal years 2002 and 2013. Despite these substantial budget increases, for more than a decade there have been numerous reports--by GAO, VA's Office of the Inspector General, and others--of VA facilities failing to provide timely health care. In some cases, the delays in care or VA's failure to provide care at all have reportedly resulted in harm to veterans. While timely and cost-effective access to needed health care services is essential, it also is imperative that VA ensures the quality and safety of the services it provides. With the increased utilization of non-VA providers that is expected to occur as a result of the Veterans Access, Choice, and Accountability Act, veterans may be required to navigate multiple complex health care systems--the VA health care system and those of non-VA providers--to obtain needed health care services. Coordination of care between VA and non-VA providers is critical. Without it, there is increased risk of unfavorable health outcomes for veterans. For example, a lack of care coordination may lead to unnecessary duplication of services, which is not only costly, but may also pose health risks to veterans who may receive care that is not needed. Moreover, the quality of care may be adversely affected if important clinical information is not promptly communicated between VA and non-VA providers. Safeguarding the quality and safety of health care services provided within VA facilities is also essential. A series of infectious disease outbreaks at several VA facilities over the past several years--and allegations that VA officials may have withheld information about the outbreaks from the public--have raised concerns about the effectiveness of patient safety practices at its facilities. These risks to the timeliness, cost-effectiveness, quality, and safety of veterans' health care, along with other persistent weaknesses we have identified in recent years, raise serious concerns about VA's management and oversight of its health care system. Based on these concerns, we have concluded that VA health care is a high-risk area and have added it to the High Risk List in 2015. What GAO Found: We have categorized our concerns about VA's ability to ensure the timeliness, cost-effectiveness, quality, and safety of the health care the department provides into five broad areas: (1) ambiguous policies and inconsistent processes, (2) inadequate oversight and accountability, (3) information technology challenges, (4) inadequate training for VA staff, and (5) unclear resource needs and allocation priorities. We have made numerous recommendations that aim to address weaknesses in VA's management of its health care system--more than 100 of which have yet to be fully resolved, including recommendations we made in regard to each of the following findings: * Ambiguous policies and inconsistent processes. Ambiguous VA policies lead to inconsistency in the way VA facilities carry out processes at the local level. In numerous reports, we have found that this ambiguity and inconsistency may pose risks for veterans' access to VA health care, or for the quality and safety of VA health care they receive. For example, in December 2012, we reported that unclear policies led staff at VA facilities to inaccurately record the required dates for appointments, and to inconsistently track new patients waiting for outpatient medical appointments at VA facilities. These practices may have delayed the scheduling of veterans' outpatient medical appointments and may have increased veterans' wait times for accessing care at VA facilities. In some cases, we found that staff members were manipulating medical appointment dates to conform to VA's timeliness guidelines, which likely contributed further to the inaccuracy of VA's wait-times data for outpatient medical appointments. Without accurate data, VA lacks assurance that veterans are receiving timely access to needed health care. In November 2014, we reported that VA policies lacked clear direction for how staff at VA facilities should document information about veteran suicides as part of VA's behavioral health autopsy program (BHAP). The BHAP is a national initiative to collect demographic, clinical, and other information about veterans who have died by suicide and use it to improve the department's suicide prevention efforts. In a review of a sample of BHAP records from five VA facilities, we found that more than half of the records had incomplete or inaccurate information. The lack of reliable data limits the department's opportunities to learn from past veteran suicides and ultimately diminishes VA's efforts to improve its suicide prevention activities. We have also identified gaps in VA policies related to facilities' response to adverse events--clinical incidents that may pose the risk of injury to a patient as the result of a medical intervention or the lack of an appropriate intervention, such as a missed or delayed diagnosis, rather than due to the patient's underlying medical condition. Specifically, we found that VA policies were unclear as to how focused professional practice evaluations (FPPE) should be documented, particularly what information should be included. An FPPE is a time-limited evaluation during which a VA facility assesses a provider's professional competence when a question arises regarding the provider's ability to provide safe, quality patient care. In our December 2013 report, we reported that gaps in VA's FPPE policy may hinder VA facilities' ability to appropriately document the evaluation of a provider's skills, support any actions initiated, and track provider-specific incidents over time. * Inadequate oversight and accountability. We also have found weaknesses in VA's ability to hold its health care facilities accountable and ensure that identified problems are resolved in a timely and appropriate manner. Specifically, we have found that (1) certain aspects of VA facilities' implementation of VA policies are not routinely assessed by the department; (2) VA's oversight activities are not always sufficiently focused on its facilities' compliance with applicable requirements; and (3) VA's oversight efforts are often impeded by its reliance on facilities' self-reported data, which lack independent validation and are often inaccurate or incomplete. In a July 2013 report, for example, we reported that VA needed to take action to improve the administration of its provider performance pay and award systems. In that report, we found that VA had not reviewed performance goals set by its facilities for providers and, as a result, did not have reasonable assurance that the goals created a clear link between performance pay and providers' performance in caring for veterans. At four VA facilities included in our review, performance pay goals covered a range of areas, such as clinical competence, research, teaching, patient satisfaction, and administration. Providers who were eligible for performance pay received it at all four of the facilities we reviewed, despite at least one provider in each facility having personnel actions taken against them related to clinical performance in the same year. Such personnel actions resulted from issues including failing to read mammograms and other complex images competently, practicing without a current license, and leaving residents unsupervised during surgery. In March 2014, we found that VA lacked sufficient oversight mechanisms to ensure that its facilities were complying with applicable requirements and not inappropriately denying claims for non-VA care. Specifically, the March 2014 report cited noncompliance with applicable requirements for processing a sample of non-VA emergency care claims. The noncompliance caused staff at four VA facilities to inappropriately deny about 20 percent of the claims we reviewed and to fail to notify almost 65 percent of veterans whose claims we reviewed that their claims had been denied. We found VA's field assistance visits, one of the department's primary methods for monitoring facilities' compliance with applicable requirements, to be lacking. In these annual on-site reviews at a sample of VA facilities, VA officials were to examine the financial, clinical, administrative, and organizational functions of staff responsible for processing claims for non-VA care; however, we found that these visits did not examine all practices that could lead VA facilities to inappropriately deny claims. Further, although VA itself recommended that managers at its facilities audit samples of processed claims to determine whether staff processed claims appropriately, the department does not require VA facilities to conduct such audits, and none of the four VA facilities we visited were doing so. In a September 2014 report and in three previous testimonies for congressional hearings, we identified weaknesses in VA's oversight of veterans' access to outpatient specialty care appointments in its facilities. VA officials told us they use data reported by VA facilities to monitor how the facilities are performing in meeting VA's guideline of completing specialty care consults--requests from VA providers for evaluation or management of a patient for a specific clinical concern, or for a specialty procedure, such as a colonoscopy- -within 90 days. We found cases where staff had incorrectly closed a consult even though care had not been provided, and found that VA does not routinely audit consults to assess whether its facilities are appropriately managing them and accurately documenting actions taken to resolve them. Instead, VA relies largely on facilities' self- certification that they are doing so. * Information technology challenges. In recent reports, we also have identified limitations in the capacity of VA's existing information technology (IT) systems. Of particular concern is the outdated, inefficient nature of certain systems, along with a lack of system interoperability--the ability to exchange information--which presents risks to the timeliness, quality, and safety of VA health care. For example, we have reported on VA's failed attempts to modernize its outpatient appointment scheduling system, which is about 30 years old. Among the problems cited by VA staff responsible for scheduling appointments are that the system requires them to use commands requiring many keystrokes and does not allow them to view multiple screens at once. Schedulers must open and close multiple screens to check a provider's or a clinic's full availability when scheduling a medical appointment, which is time-consuming and can lead to errors. VA undertook an initiative to replace its scheduling system in 2000 but terminated the project after spending $127 million over 9 years, due to weaknesses in project management and a lack of effective oversight. The department has since renewed its efforts to replace its appointment scheduling system, including launching a contest for commercial software developers to propose solutions, but VA has not yet purchased or implemented a new system. In 2014, we reported that interoperability challenges and the inability to electronically share data across facilities led VA to suspend the development of a system that would have allowed it to electronically store and retrieve information about surgical implants (including tissue products) and the veterans who receive them nationwide. Having this capability would be particularly important in the event that a manufacturer or the Food and Drug Administration (FDA) recalled a medical device or tissue product because of safety concerns. In the absence of a centralized system, VA clinicians track information about implanted items using stand-alone systems or spreadsheets that are not shared across VA facilities, which makes it difficult for VA to quickly determine which patients may have received an implant that is subject to a safety recall. Further, as we have reported for more than a decade, VA and the DOD lack electronic health records systems that permit the efficient electronic exchange of patient health information as military servicemembers transition from DOD to VA health care systems. The two departments have engaged in a series of initiatives intended to achieve electronic health record interoperability, but accomplishment of this goal has been continuously delayed and has yet to be realized. The ongoing lack of electronic health record interoperability limits VA clinicians' ability to readily access information from DOD records, potentially impeding their ability to make the most informed decisions on treatment options, and possibly putting veterans' health at risk. One location where the delays in integrating VA's and DOD's electronic health records systems have been particularly burdensome for clinicians is at the Captain James A. Lovell Federal Health Care Center (FHCC) in North Chicago, the first planned fully integrated federal health care center for use by both VA and DOD beneficiaries. We found in June 2012 that due to interoperability issues, the FHCC was employing five dedicated, full-time pharmacists and one pharmacy technician to conduct manual checks of patients' VA and DOD health records to reconcile allergy information and identify possible interactions between drugs prescribed in VA and DOD systems. * Inadequate training for VA staff. In a number of reports, we have identified gaps in VA training that could put the quality and safety of veterans' health at risk. In other cases, we have found that VA's training requirements can be particularly burdensome to complete, particularly for VA staff who are involved in direct patient care. In a November 2014 report that examined VA's monitoring of veterans with major depressive disorder (MDD) and whether those who are prescribed an antidepressant receive recommended care, we determined that VA data may underestimate the prevalence of major depressive disorder among veterans and that a lack of training for VA clinicians on diagnostic coding may contribute to the problem. In a review of medical record documentation for a sample of veterans, we found that VA clinicians had not always appropriately coded encounters with veterans they diagnosed as having MDD, instead using a less specific diagnostic code for "depression not otherwise specified." VA's data on the number of veterans with MDD are based on the diagnostic codes associated with patient encounters; therefore, coding accuracy is critical to assessing VA's performance in ensuring that veterans with MDD receive recommended treatments, as well as measuring health outcomes for these veterans. In a May 2011 review, we found that training for staff responsible for cleaning and reprocessing reusable medical equipment (RME), such as endoscopes and some surgical instruments, was lacking. Specifically, VA had not specified the types of RME for which training was required; in addition, VA provided conflicting guidance to facilities on how to develop this training. Without appropriate training on reprocessing, we found that VA staff may not be reprocessing RME correctly, posing patient safety risks. In our October 2014 report on VA's implementation of a new, nationally standardized nurse staffing methodology, staff from selected VA facilities responsible for developing nurse staffing plans reported that VA's individual, computer-based training on the methodology was time-consuming to complete and difficult to understand. These staff members said they had difficulty finding the time to complete it while also carrying out their patient care responsibilities. Many suggested that their understanding of the material would have been greatly improved with an instructor-led, group training course where they would have an opportunity to ask questions. * Unclear resource needs and allocation priorities. In many of our reports, we have found gaps in the availability of data required by VA to efficiently identify resource needs and to ensure that resources are effectively allocated across the VA health care system. For example, in October 2014, we reported that VA facilities lacked adequate data for developing and executing nurse staffing plans at their facilities. Staffing plans are intended to help VA facilities identify appropriate nurse staffing levels and skill mixes needed to support high-quality patient care in the different care settings throughout each VA facility, and are used to determine whether their existing nurse workforce sufficiently meets the clinical needs of each unit, or whether they need to hire additional staff. At selected VA facilities, staff responsible for developing and executing the nurse staffing plans told us that they needed to use multiple sources to collect and compile the data--in some cases manually. They described the process as time-consuming, potentially error-prone, and requiring data expertise they did not always have. In a May 2013 report, we reported that VA lacked critical data needed to compare the cost-effectiveness of non-VA medical care to that of care delivered at VA facilities. Specifically, VA lacks a data system to group medical care delivered by non-VA providers by episode of care- -all care provided to a veteran during a single office visit or inpatient stay. As a result, VA cannot efficiently assess whether utilizing non-VA providers is more cost-effective than augmenting its own capacity in areas with high non-VA health care utilization. In a September 2014 report, we identified concerns with VA's management of its pilot dialysis program, which had been implemented in four VA-operated clinics. Specifically, we found that, five years into the pilot, VA had not set a timetable for the completion of its dialysis pilot or documented how it would determine whether the pilot was successful, including improving the quality of care and achieving cost savings. We also found that VA data on the quality of care and treatment costs were limited due to the delayed opening of two of the four pilot locations. Veterans who receive dialysis are one of VA's most costly populations to serve, but VA has limited capacity to deliver dialysis in its own facilities, and instead refers most veterans to non-VA providers for this treatment. VA began developing its dialysis pilot program in 2009 to address the increasing number of veterans needing dialysis and the rising costs of providing this care through non-VA providers. What Remains to Be Done: Although VA has taken actions to address recommendations we have made related to VA health care, there are currently more than 100 that have yet to be fully resolved, including recommendations related to the five broad areas of concern highlighted above. For example, to ensure that its facilities are carrying out processes at the local level more consistently--such as scheduling veterans' medical appointments and collecting data on veteran suicides--VA needs to clarify its existing policies. VA also needs to strengthen oversight and accountability across its facilities by conducting more systematic, independent assessments of processes that are carried out at the local level, including how VA facilities are resolving specialty care consults, processing claims for non-VA care, and establishing performance pay goals for their providers. We also have recommended that VA work with DOD to address the administrative burdens created by the lack of interoperability between their two IT systems. A number of our recommendations aim to improve training for staff at VA facilities, to address issues such as how staff are cleaning, disinfecting, and sterilizing reusable medical equipment, and to more clearly align training on VA's new nurse staffing methodology with the needs of staff responsible for developing nurse staffing plans. Finally, we have recommended that VA improve its methods for identifying VA facilities' resource needs and for analyzing the cost-effectiveness of VA health care. The recently enacted Veterans Access, Choice, and Accountability Act included a number of provisions intended to help VA address systemic weaknesses. For example, the law requires VA to contract with an independent entity to (1) assess its capacity to meet the current and projected demographics and needs of veterans who use the VA health care system, (2) examine VA's clinical staffing levels and productivity, and (3) review VA's IT strategies and business processes, among other things. The new law also establishes a 15- member commission, to be appointed primarily by bipartisan congressional leadership, which will examine how best to organize the VA health care system, locate health care resources, and deliver health care to veterans. It is critical for VA leaders to act on the findings of this independent contractor and congressional commission, as well as on those of VA's Office of the Inspector General, GAO, and others, and to fully commit themselves to developing long-term solutions that mitigate risks to the timeliness, cost-effectiveness, quality, and safety of the VA health care system. It is also critical that Congress maintain its focus on oversight of VA health care. In the spring and summer of 2014, congressional committees held more than 20 hearings to address identified weaknesses in the VA health care system. Sustained congressional attention to these issues will help ensure that VA continues to make progress in improving the delivery of health care services to veterans. We plan to continue monitoring VA's efforts to improve the timeliness, cost-effectiveness, quality, and safety of veterans' health care. To this end, we have ongoing work focusing on topics such as veterans' access to primary care and mental health services; primary care productivity; nurse recruitment and retention; monitoring and oversight of VA spending on training programs for health care professionals; mechanisms VA uses to monitor quality of care; and VA and DOD investments in Centers of Excellence--which are intended to produce better health outcomes for veterans and service members. GAO Contact: For additional information about this high-risk area, contact Debra Draper at (202) 512-7114 or draperd@gao.gov, or Randall Williamson at (202) 512-7114 or williamsonr@gao.gov. Related GAO Products: VA Health Care: Improvements Needed in Monitoring Antidepressant Use for Major Depressive Disorder and in Increasing Accuracy of Suicide Data. [hyperlink, http://www.gao.gov/products/GAO-15-55]. Washington, D.C.: November 12, 2014. VA Health Care: Actions Needed to Ensure Adequate and Qualified Nurse Staffing. [hyperlink, http://www.gao.gov/products/GAO-15-61]. Washington, D.C.: October 16, 2014. VA Health Care: Management and Oversight of Consult Process Need Improvement to Help Ensure Veterans Receive Timely Outpatient Specialty Care. [hyperlink, http://www.gao.gov/products/GAO-14-808]. Washington, D.C.: September 30, 2014. VA Dialysis Pilot: Documentation of Plans for Concluding the Pilot Needed to Improve Transparency and Accountability. [hyperlink, http://www.gao.gov/products/GAO-14-646]. Washington, D.C.: September 2, 2014. Veterans' Health Care: Oversight of Tissue Product Safety. [hyperlink, http://www.gao.gov/products/GAO-14-463T]. Washington, D.C.: April 2, 2014. VA Health Care: Actions Needed to Improve Administration and Oversight of Veterans' Millennium Act Emergency Care Benefit. [hyperlink, http://www.gao.gov/products/GAO-14-175]. Washington, D.C.: March 6, 2014. Electronic Health Records: VA and DOD Need to Support Cost and Schedule Claims, Develop Interoperability Plans, and Improve Collaboration. [hyperlink, http://www.gao.gov/products/GAO-14-302]. Washington, D.C.: February 27, 2014. VA Surgical Implants: Purchase Requirements Were Not Always Followed at Selected Medical Centers and Oversight Needs Improvement. [hyperlink, http://www.gao.gov/products/GAO-14-146]. Washington, D.C.: January 13, 2014. VA Health Care: Improvements Needed in Processes Used to Address Providers' Actions That Contribute to Adverse Events. [hyperlink, http://www.gao.gov/products/GAO-14-55]. Washington, D.C.: December 3, 2013. VA Health Care: Actions Needed to Improve Administration of the Provider Performance Pay and Award Systems. [hyperlink, http://www.gao.gov/products/GAO-13-536]. Washington, D.C.: July 24, 2013. VA Health Care: Management and Oversight of Fee Basis Care Need Improvement. [hyperlink, http://www.gao.gov/products/GAO-13-441]. Washington, D.C.: May 31, 2013. VA Health Care: Reliability of Reported Outpatient Medical Appointment Wait Times and Scheduling Oversight Need Improvement. [hyperlink, http://www.gao.gov/products/GAO-13-130]. Washington, D.C.: December 21, 2012. VA/DOD Federal Health Care Center: Costly Information Technology Delays Continue and Evaluation Plan Lacking. [hyperlink, http://www.gao.gov/products/GAO-12-669]. Washington, D.C.: June 26, 2012. VA Health Care: Weaknesses in Policies and Oversight Governing Medical Supplies and Equipment Pose Risks to Veterans' Safety. [hyperlink, http://www.gao.gov/products/GAO-11-391]. Washington, D.C.: May 3, 2011. [End of section] Improving the Management of IT Acquisitions and Operations: Why Area Is High Risk: Although the executive branch has undertaken numerous initiatives to better manage the more than $80 billion that is annually invested in information technology (IT), federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. We have previously testified that the federal government has spent billions of dollars on failed IT investments, such as: * the Department of Defense's (DOD) Expeditionary Combat Support System, which was canceled in December 2012, after spending more than a billion dollars and failing to deploy within 5 years of initially obligating funds; * the Department of Homeland Security's Secure Border Initiative Network program, which was ended in January 2011, after obligating more than $1 billion to the program, because it did not meet cost- effectiveness and viability standards; * the Department of Veterans Affairs' (VA) Financial and Logistics Integrated Technology Enterprise program, which was intended to be delivered by 2014 at a total estimated cost of $609 million, but was terminated in October 2011 due to challenges in managing the program; * the Office of Personnel Management's Retirement Systems Modernization program, which was canceled in February 2011, after spending approximately $231 million on the agency's third attempt to automate the processing of federal employee retirement claims; * the National Oceanic and Atmospheric Administration, Department of Defense, and the National Aeronautics and Space Administration's National Polar-orbiting Operational Environmental Satellite System, which was a tri-agency weather satellite program that was terminated in February 2010 after having spent 16 years and almost $5 billion on the program, when a presidential task force decided to disband the system; and: * the VA Scheduling Replacement Project, which was terminated in September 2009 after spending an estimated $127 million over 9 years. These and other failed IT projects often suffered from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In many instances, agencies have not consistently applied best practices that are critical to successfully acquiring IT investments. We have identified nine critical factors underlying successful major acquisitions that support the objective of improving the management of large-scale IT acquisitions across the federal government: (1) program officials actively engaging with stakeholders; (2) program staff having the necessary knowledge and skills; (3) senior department and agency executives supporting the programs; (4) end users and stakeholders involved in the development of requirements; (5) end users participating in testing of system functionality prior to end user acceptance testing; (6) government and contractor staff being stable and consistent; (7) program staff prioritizing requirements; (8) program officials maintaining regular communication with the prime contractor; and (9) programs receiving sufficient funding.[Footnote 15] Nonetheless, agencies continue to have poorly performing projects. Such projects have often used a "big bang" approach--that is, projects are broadly scoped and aim to deliver functionality several years after initiation. According to the Defense Science Board, this approach is often too long, ineffective, and unaccommodating of the rapid evolution of IT. Further, it is inconsistent with OMB guidance directing that IT investments deliver functionality in 6-month increments. We recently reported that only slightly more than a quarter of selected investments were following this guidance.[Footnote 16] Federal IT projects have also failed due to a lack of oversight and governance. Executive-level governance and oversight across the government has often been ineffective, specifically from chief information officers (CIO). We have reported that not all CIOs have the authority to review and approve the entire agency IT portfolio and that CIOs' authority was limited. This has also been highlighted by Congress--recently enacted law is intended to strengthen CIO authority and provide the oversight IT projects need.[Footnote 17] While there have been numerous executive branch initiatives aimed at addressing these issues, implementation has been inconsistent. Over the past 5 years, we have reported numerous times on shortcomings with IT acquisitions and operations, and have made about 737 related recommendations, 361 of which were to OMB and agencies to improve the implementation of the recent initiatives and other government-wide, cross-cutting efforts. As of January 2015, about 23 percent of the 737 recommendations had been fully implemented. What GAO Found: To help address the government's poor track record of delivering new IT systems, OMB and the agencies have several key initiatives under way. However, implementation of these initiatives has been inconsistent. * We have reported on a governance initiative developed by OMB that has had shortcomings--TechStats.[Footnote 18] In January 2010, the Federal CIO began leading TechStat sessions--face-to-face meetings to terminate or turn around IT investments that are failing or are not producing results. These meetings involve OMB and agency leadership and are intended to increase accountability and transparency and to improve performance. Subsequently, OMB empowered agency CIOs to hold their own TechStat sessions within their respective agencies. We have since reported that OMB and selected agencies had held multiple TechStats, but additional OMB oversight was needed to ensure that these meetings were having the appropriate impact on underperforming projects and that resulting cost savings were valid. Specifically, OMB reported conducting TechStats at 23 federal agencies covering 55 investments, 30 of which were considered medium or high risk at the time of the TechStat. However, these reviews accounted for less than 20 percent of medium-or high-risk investments government- wide. As of August 2012, there were 162 such at-risk investments across the government. Further, we reviewed four selected agencies and found they had held TechStats on 28 investments. While these reviews were generally conducted in accordance with OMB guidance, areas for improvement existed. We concluded that until OMB and agencies develop plans to address these investments, the investments would likely remain at risk. Among other things, we recommended that OMB require agencies to address high-risk investments. OMB generally agreed with this recommendation. Highlighting the importance of focusing more oversight on high-risk initiatives, we have identified a number of ongoing investments with significant issues requiring attention: * The Department of Health and Human Services' (HHS) HealthCare.gov website, which was to establish a health insurance marketplace by January 2014, encountered significant cost increases, schedule slips, and delayed functionality. In a July 2014 report, we noted that Healthcare.gov and its related systems were developed without effective planning or oversight practices and many of its issues were attributable to changing requirements that were exacerbated by oversight gaps.[Footnote 19] We recommended that actions be taken to assess increasing contract costs, ensure that acquisition strategies were completed, and ensure oversight tools were used as required. The department generally concurred with our recommendations. In addition, we reported in September 2014 that HHS and the Centers for Medicare & Medicaid Services (CMS) had not fully implemented security and privacy controls for systems supporting Healthcare.gov and its related systems.[Footnote 20] We also have ongoing work to review CMS's implementation of system development best practices for the Healthcare.gov initiative and plan to issue the results early in 2015. * The Department of Agriculture Farm Program Modernization, which is intended to modernize the IT systems supporting the Farm Service Agency's 37 farm programs, had not implemented a number of key management and oversight practices to ensure its successful completion. As of July 2011, the implementation cost estimate was approximately $305 million, with a life-cycle cost of approximately $473 million.[Footnote 21] However, we concluded that the implementation cost estimate was uncertain because it had not been updated since 2007, and the program schedule had not been updated to account for delays. In addition, we reported that the program's management approach, while including many leading practices, could be strengthened. Finally, we found there was a lack of clarity and definition regarding the roles of executive-level governance bodies responsible for overseeing the program. We recommended that Agriculture update cost and schedule estimates, address management issues, and clarify the roles and coordination among governance bodies. The department agreed with our recommendations and described plans to address them. * The Department of Commerce Census Enterprise Data Collection and Processing investment was initiated in fiscal year 2015 and is expected to be the backbone of the Census Bureau's target IT architecture. It will be designed to integrate the disparate, program- specific survey data collection and processing systems that the bureau uses to conduct its many surveys. It consists of 14 projects, 4 of which are related to the 2020 Decennial Census Internet response option. Particular attention to this area is warranted in order to avoid repeating the mistakes of the 2010 Decennial Census, in which the bureau had to abandon its plans for the use of handheld data collection devices, due in part to fundamental weaknesses in its implementation of key IT management practices. * DOD Defense Enterprise Accounting and Management System (DEAMS), which is the agency's planned accounting system designed to provide accurate, reliable, and timely financial information, has experienced significant delays and cost increases. In March 2012, we reported that DEAMS faced a 2-year deployment delay and an estimated cost increase of about $500 million from its original life-cycle cost estimate of $1.1 billion, an increase of approximately 45 percent.[Footnote 22] Further, in February 2012, we reported that assessments by DOD users had identified operational problems with the system, such as data accuracy issues, an inability to generate auditable financial reports, and the need for manual workarounds.[Footnote 23] We recommended that DOD take actions to ensure the correction of system problems prior to further system deployment, including user training. DOD generally concurred with our recommendations and described its efforts to address them. * The DOD and VA electronic health records initiative is intended to share data among the departments' health information systems, but achieving this has been a challenge for these agencies over the last 15 years. In March 2011, the Secretaries of DOD and VA committed their two departments to developing a new, common, integrated electronic health record, and in May 2012 announced their goal of implementing it across the departments by 2017. The departments estimated the life- cycle cost of this effort at about $25 billion. However, as we noted, the Secretaries announced in February 2013 that instead of developing a new common, integrated electronic health record system, the departments would focus on integrating health records from separate DOD and VA systems.[Footnote 24] VA has stated that it will continue to modernize its existing system while pursuing the integration of health data, while DOD announced in May 2013 that it planned to purchase a commercial, off-the-shelf product. The Secretaries offered several reasons for this new direction, including cutting costs, simplifying the problem of integrating DOD and VA health data, and meeting the needs of veterans and service members sooner rather than later. Nevertheless, the departments' recent change in the program's direction and history of challenges in improving their health information systems heighten concern about whether this latest initiative will be successful. * The Department of Homeland Security United States Citizenship and Immigration Services (USCIS) Transformation program is to transition USCIS from a fragmented, paper-based filing environment to a consolidated, paperless environment using electronic case management tools, but it is unclear whether the department is positioned to successfully deliver these capabilities. Its key requirements were approved in 2011, but in 2013 they were revised due to risks with the program's approach. Since then, the program has produced a draft requirements document, but it has not yet demonstrated the extent to which it can meet any of the draft document's six key capability requirements using its new system architecture. Further, between July 2011 and September 2014, the program's life-cycle cost estimate increased from approximately $2.1 billion to approximately $2.6 billion. * The Department of Homeland Security Human Resources IT investment is to consolidate, integrate, and modernize the department's human resources IT infrastructure, but it has experienced a long history of issues. As of August 2014, this investment is rated as "moderately high risk" by the department's CIO. According to the CIO, this investment was experiencing significant governance and technical challenges as of August 2014, but the department is working to address them. * The Department of Transportation Next Generation Air Transportation System (NextGen) is an advanced technology air-traffic management system that Federal Aviation Administration (FAA) anticipates will replace the current ground-radar-based system, at an expected cost of $15 billion to $22 billion through fiscal year 2025. However, NextGen has significantly increased the number, cost, and complexity of FAA's acquisition programs, and it is imperative that these programs remain on time and within budget, particularly given current budget constraints and the interdependencies of many NextGen-acquisitions. In February 2012, we reported that key NextGen-related acquisition programs were generally proceeding on time and on budget.[Footnote 25] However, delays with the En Route Automation Modernization program--a critical program for NextGen--illustrate how delays can increase the costs and schedules of other acquisitions as well as the maintenance costs of the system that is meant to be replaced. To improve cost estimates and schedules for NextGen and other major air traffic control acquisition programs, we recommended that FAA, among other things, require cost and schedule risk analysis, independent cost estimates, and integrated master schedules, which the agency is working to implement. * VA has invested significant resources into developing a system for outpatient appointment scheduling, but these efforts have faced major setbacks. The department terminated its previous scheduling system project in September 2009, after spending an estimated $127 million over 9 years. The investment was to modernize VA's more than 25-year- old outpatient scheduling system, but the department had not yet implemented any of the planned system's capabilities before terminating the project. On October 1, 2009, VA began a new initiative that it refers to as HealtheVet Scheduling. In May 2010, we reported that VA's efforts to successfully complete the Scheduling Replacement Project were hindered by weaknesses in several key project management disciplines and a lack of effective oversight that, if not addressed, could undermine the department's second effort to replace its scheduling system.[Footnote 26] We recommended that, as the department proceeded with future development, it take actions to improve key processes, including acquisition management, system testing, and progress reporting, which are essential to the department's second outpatient scheduling system effort. VA generally concurred with our recommendations and described actions to address them. Beyond focusing attention on individual high-risk investments, an additional key reform initiated by OMB emphasizes incremental development in order to reduce investment risk. In 2010, it called for agencies' major investments to deliver functionality every 12 months and since 2012, has required investments to deliver functionality every 6 months. However, we recently reported that less than half of selected investments at five major agencies planned to deliver capabilities in 12-month cycles.[Footnote 27] Accordingly, we recommended that OMB develop and issue clearer guidance on incremental development and that selected agencies update and implement their associated policies. Most agencies agreed with our recommendations or had no comment. Table 4 shows how many of the total selected investments at each agency planned to deliver functionality every 12 months during fiscal years 2013 and 2014. Table 4: Number of Selected Investments Planning to Incrementally Deliver Functionality: Agency: Department of Defense; Total number of selected investments: 37; Investments planning to deliver functionality every 12 months: 11. Agency: Department of Health and Human Services; Total number of selected investments: 14; Investments planning to deliver functionality every 12 months: 11. Agency: Department of Homeland Security; Total number of selected investments: 12; Investments planning to deliver functionality every 12 months: 6. Agency: Department of Transportation; Total number of selected investments: 20; Investments planning to deliver functionality every 12 months: 7. Agency: Department of Veterans Affairs; Total number of selected investments: 6; Investments planning to deliver functionality every 12 months: 6. Agency: Totals; Total number of selected investments: 89; Investments planning to deliver functionality every 12 months: 41. Source: GAO analysis of agency data. GAO-15-290. [End of table] Given these issues, it is important for the federal government to be transparent both when it is acquiring new investments and when it is managing legacy investments. To help the government achieve such transparency, in June 2009, OMB established a public website, (referred to as the IT Dashboard) that provides detailed information on major IT investments at 27 federal agencies, including ratings of their performance against cost and schedule targets.[Footnote 28] The public dissemination of this information is intended to allow OMB; other oversight bodies, including Congress; and the general public to hold agencies accountable for results and performance. Among other things, agencies are to submit ratings from their CIOs, which, according to OMB's instructions, should reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals. As of August 2014, according to the IT Dashboard, 183 of the federal government's 759 major IT investments--totaling $12.3 billion--were in need of management attention (rated "yellow" to indicate the need for attention or "red" to indicate significant concerns). (See figure 3.): Figure 3: Overall Performance Ratings of Major Investments on the IT Dashboard, as of August 2014: [Refer to PDF for image: pie-chart] Normal: 70%: $28.7 billion; 576 investments; Needs attention: 26%: $10.8 billion; 149 investments; Significant concerns: 4%: $1.5 billion; 34 investments. Source: Office of Management and Budget’s IT Dashboard. GAO-15-290. [End of figure] We have identified concerns with the accuracy and reliability of cost and schedule data on the IT Dashboard, and a recent report noted that agencies had removed major investments from the site, representing a troubling trend toward decreased transparency.[Footnote 29] We also reported that, as of December 2013, the public version of the IT Dashboard had not been updated for 15 of the previous 24 months. Over the past several years, we have made over 20 recommendations to help improve the data accuracy and reliability of the information on the IT Dashboard and to increase its availability. In addition to spending money on new IT development, agencies also plan to spend a significant amount of their fiscal year 2015 IT budgets on the operations and maintenance (O&M) of legacy (i.e., steady-state) systems. Specifically, in fiscal year 2015, of the overall $79 billion budgeted for federal IT, 27 federal agencies [Footnote 30] plan to spend about $58 billion, or almost three- quarters of the total budgeted, on the O&M of these legacy investments.[Footnote 31] Figure 4 provides a visual summary of the relative cost of major and nonmajor investments, both in development and O&M. Figure 4: Summary of Planned Fiscal Year 2015 Major and Nonmajor Investments in Development and Operations and Maintenance (Dollars in Billions): [Refer to PDF for image: pie-chart] Nonmajor Investments: $33.6 billion: * Operations and maintenance: $28.5 billion; * Development: $5.1 billion; Major Investments: $40 billion: * Operations and maintenance: $29.2 billion; * Development: $10.8 billion. Source: GAO analysis of agency data. GAO-15-290. [End of figure] Given the size and magnitude of these investments, it is important that agencies effectively manage the O&M of existing investments to ensure that they (1) continue to meet agency needs, (2) deliver value, and (3) do not unnecessarily duplicate or overlap with other investments. To accomplish this, agencies are required by OMB to perform annual operational analyses of these investments, which are intended to serve as periodic examination of an investment's performance against, among other things, established cost, schedule, and performance goals. However, we have reported that agencies were not consistently performing such analyses and that billions of dollars in O&M investments had not undergone needed analyses.[Footnote 32] Specifically, as detailed in our November 2013 report, only 1 of the government's 10 largest O&M investments underwent an OMB-required operational analysis. We recommended that operational analyses be completed on the remaining 9 investments. An additional area of concern is agencies' management of their software licenses. We recently reported on federal agencies' management of software licenses and determined that better management was needed to achieve significant savings government-wide.[Footnote 33] In particular, 22 of the 24 major agencies did not have comprehensive license policies, and only 2 had comprehensive license inventories. As a result, agencies' oversight of software license spending was limited or lacking, and thus they may miss out on savings. The potential savings could be significant considering that, in fiscal year 2012, one major federal agency reported saving approximately $181 million by consolidating its enterprise license agreements, even though its oversight process was ad hoc. We recommended that OMB issue needed guidance to agencies and made more than 130 recommendations to the agencies to improve their policies and practices for managing licenses. OMB disagreed with the need for guidance. However, without such guidance, agencies will likely continue to lack the visibility into what needs to be managed. Most agencies generally agreed with the recommendations or had no comments. To address agencies' management of operational IT investments, OMB and the agencies have implemented two cross-cutting initiatives. * To better manage existing IT systems, OMB launched the PortfolioStat initiative, which requires agencies to conduct an annual, agency-wide IT portfolio review to, among other things, reduce commodity IT [Footnote 34] spending and demonstrate how their IT investments align with the agency's mission and business functions. We reported that agencies continued to identify duplicative spending as part of PortfolioStat and that this initiative had the potential to save at least $5.8 billion through fiscal year 2015; however, weaknesses existed in agencies' implementation of the initiative, such as limitations in the CIOs' authority.[Footnote 35] We made more than 60 recommendations to improve OMB and agencies' implementation of PortfolioStat. OMB partially agreed with our recommendations, and responses from 21 of the agencies varied. * Concerned about the size of the federal data center inventory and recognizing the potential to improve the efficiency, performance, and environmental footprint of federal data center activities, OMB, under the leadership of the Federal CIO, established the federal data center consolidation initiative in February 2010. In a series of reports, we found that, while data center consolidation could potentially save the federal government billions of dollars, weaknesses existed in the execution and oversight of the initiative. Most recently, we reported that, as of May 2014, agencies collectively reported that (1) they had a total of 9,658 data centers, (2) they had closed a total of 976 data centers, and (3) they were planning to close an additional 2,689 data centers--for a total of 3,655--by the end of September 2015.[Footnote 36] We also noted that between fiscal years 2011 and 2017, agencies reported planning a total of about $5.3 billion in cost savings and avoidances due to the consolidation of federal data centers. See table 5 for a summary of agencies' total cost savings and cost avoidances between fiscal years 2011 and 2017. Table 5: Agencies' Data Center Consolidation Cost Savings and Avoidances: Total savings and avoidances; Estimated and actual: FY 2011: $192 million; FY 2012: $268 million; FY 2013: $683 million; Planned: FY 2014: $895 million; FY 2015: $1.25 billion; FY 2016: $917 million; FY 2017: $1.144 billion; Total: $5.35 million. Estimated and actual: $1.143 billion total; Planned: $4.206 billion total; Source: GAO analysis of agency data. GAO-15-290. Note: Totals may not add due to rounding. [End of table] However, we noted that planned savings may be understated because of difficulties agencies encountered when calculating savings and communicating their estimates to OMB. We concluded that it was important for OMB to continue to provide leadership and guidance on this initiative, and we made recommendations to ensure the initiative improves governmental efficiency and achieves cost savings. Most agencies agreed with our recommendations or had no comment. Recognizing the severity of issues related to government-wide management of IT, in December 2014, the Federal Information Technology Acquisition Reform provisions were enacted as a part of Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015. Among other things, the law includes the following requirements:[Footnote 37] * Agencies, except for DOD, shall ensure that CIOs have a significant role in, among other things, programming and budgeting decisions, as well as management, governance, and oversight processes related to IT. For example, agencies (other than DOD) may only enter into contracts for IT and IT services that are reviewed and approved by the agency CIO. * OMB shall provide guidance that requires CIOs to certify that IT acquisitions are adequately implementing incremental development. * OMB shall issue guidance that requires the CIO to adequately reflect each major IT investment's cost, schedule, and performance in the investment evaluation. * OMB shall make available to the public a list of each major IT investment including data on cost, schedule and performance. * The General Services Administration shall identify and develop a government-wide program for the acquisition, dissemination, and shared use of software licenses. * OMB, in consultation with agency CIOs, shall implement a process to assist agencies in managing their IT portfolios. * Agencies shall annually report to OMB's Administrator of the Office of Electronic Government specific information to include progress in consolidating federal data centers and the associated savings. What Remains to Be Done: Given the federal government's continued experience with failed and troubled IT projects, coupled with the fact that OMB initiatives to help address such problems have not been fully implemented, the government will likely continue to produce disappointing results and will miss opportunities to improve IT management, reduce costs, and improve services to the public, unless needed actions are taken. Further, it will be more difficult for stakeholders, including Congress and the public, to monitor agencies' progress and hold them accountable for reducing duplication and achieving cost savings. To help address the management of IT investments, OMB and federal agencies should expeditiously implement the requirements of the December 2014 statutory provisions promoting IT acquisition reform. Doing so should (1) improve the transparency and management of IT acquisitions and operations across the government, and (2) strengthen CIOs' authority to provide needed direction and oversight. To help ensure that these improvements are achieved, congressional oversight of agencies' implementation efforts is essential. Beyond implementing the recently enacted law, OMB and the agencies need to continue to implement GAO's previous recommendations in order to improve their ability to effectively and efficiently invest in IT. Several of these are critical, such as: * conducting TechStat reviews for at-risk investments, * updating the public version of the IT Dashboard throughout the year, and: * developing comprehensive inventories of federal agencies' software licenses. To ensure accountability, OMB and agencies should also demonstrate measurable government-wide progress in the following key areas: * OMB and agencies should, within four years, implement at least 80 percent of GAO's recommendations related to the management of IT acquisitions and operations; * Agencies should ensure that a minimum of 80 percent of the government's major acquisitions should deliver functionality every 12 months; and: * Agencies should achieve no less than 80 percent of the over $6 billion in planned PortfolioStat savings and 80 percent of the more than $5 billion in savings planned for data center consolidation. GAO Contact: For additional information about this high-risk area, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov, Carol Cha at (202) 512- 4456 or chac@gao.gov, or Valerie Melvin at (202) 512-6304 or melvinv@gao.gov. Related GAO Products: Data Center Consolidation: Reporting Can Be Improved to Reflect Substantial Planned Savings. [hyperlink, http://www.gao.gov/products/GAO-14-713]. Washington, D.C.: September 25, 2014. Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide. [hyperlink, http://www.gao.gov/products/GAO-14-413]. Washington, D.C.: May 22, 2014. Information Technology: Agencies Need to Establish and Implement Incremental Development Policies. [hyperlink, http://www.gao.gov/products/GAO-14-361]. Washington, D.C.: May 1, 2014. Information Technology: Additional Executive Review Sessions Needed to Address Troubled Projects. [hyperlink, http://www.gao.gov/products/GAO-13-524]. Washington, D.C.: June 13, 2013. Information Technology: Agencies Need to Strengthen Oversight of Multibillion Dollar Investments in Operations and Maintenance. [hyperlink, http://www.gao.gov/products/GAO-14-66]. Washington, D.C.: November 6, 2013. Information Technology: Additional OMB and Agency Actions Are Needed to Achieve Portfolio Savings. [hyperlink, http://www.gao.gov/products/GAO-14-65]. Washington, D.C.: November 6, 2013. IT Dashboard: Agencies Are Managing Investment Risk, but Related Ratings Need to Be More Accurate and Available. [hyperlink, http://www.gao.gov/products/GAO-14-64]. Washington, D.C.: December 12, 2013. Information Technology: Critical Factors Underlying Successful Major Acquisitions. [hyperlink, http://www.gao.gov/products/GAO-12-7]. Washington, D.C.: October 21, 2011. Information Technology Dashboard: Opportunities Exist to Improve Transparency and Oversight of Investment Risk at Select Agencies. [hyperlink, http://www.gao.gov/products/GAO-13-98]. Washington, D.C.: October 16, 2012. Information Technology: Agencies Need to Strengthen Oversight of Billions of Dollars in Operations and Maintenance Investments. [hyperlink, http://www.gao.gov/products/GAO-13-87]. Washington, D.C.: October 16, 2012. [End of section] Evolving High-Risk Areas: High-risk areas sometimes change over time as programs and operations evolve and new dimensions emerge. For example, since the last high- risk update in 2013, new challenges have emerged due to the evolving nature of technology, fraud, and risk in a changing world--which led us to modify and expand the scope of two high-risk areas--Enforcement of Tax Laws and Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information. Two additional high-risk areas-- Medicaid Program and Medicare Program--face significant uncertainties as the nation considers the challenges of health care and the impact of these challenges will not be known for some time. Still other former high-risk areas--Personnel Security Clearance Reform and Internal Revenue Service (IRS) Business Systems Modernization-- continue to face new challenges, even after they have shown enough improvement to be removed from the High Risk List.[Footnote 38] We continue to monitor these areas to ensure that improvements have been sustained and that new challenges are addressed. Expanding High-Risk Areas: In the two years since the last high-risk update, two areas have expanded in scope. Enforcement of Tax Laws has been expanded to include IRS's efforts to address tax refund fraud due to identity theft. Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure has expanded to include the federal government's protection of personally identifiable information and is now called Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting Personally Identifiable Information (PII). Enforcement of Tax Laws: Since 1990, we have designated one or more aspects of Enforcement of Tax Laws as high risk. Recently, the focus of the Enforcement of Tax Laws area has been on the estimated $385 billion net tax gap--the difference between taxes owed and taxes paid--and the IRS's and Congress's efforts to address it. Given current and emerging risks, we are expanding the Enforcement of Tax Laws area to include IRS's efforts to address tax refund fraud due to identity theft (IDT), which occurs when an identity thief files a fraudulent tax return using a legitimate taxpayer's identifying information and claims a refund. While acknowledging that the numbers are uncertain, IRS estimated paying about $5.8 billion in fraudulent IDT refunds while preventing $24.2 billion during the 2013 tax filing season. While there are no simple solutions to combating IDT refund fraud, we have identified various options that could help, some of which would require legislative action. Because some of these options represent a significant change to the tax system that could likely burden taxpayers and impose significant costs to IRS for systems changes, it is important for IRS to assess the relative costs and benefits of the options. This assessment will help ensure an informed discussion among IRS and relevant stakeholders--including Congress--on the best option (or set of options) for preventing IDT refund fraud. Additional information on Enforcement of Tax Laws is provided on page 314 of this report. Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information: Since 1997, we have designated the security of our federal cyber assets as a high risk area. In 2003, we expanded this high-risk area to include the protection of critical cyber infrastructure. The White House and federal agencies have taken steps toward improving the protection of our cyber assets. However, advances in technology which have dramatically enhanced the ability of both government and private sector entities to collect and process extensive amounts of personally identifiable information (PII), pose challenges to ensuring the privacy of such information. The number of reported security incidents involving PII at federal agencies has increased dramatically in recent years. In addition, high-profile PII breaches at commercial entities have heightened concerns that personal privacy is not being adequately protected. Finally, both federal agencies and private companies collect detailed information about the activities of individuals-raising concerns about the potential for significant erosion of personal privacy. We have suggested, among other things, that Congress consider amending privacy laws to cover all PII collected, used, and maintained by the federal government and recommended that the federal agencies we reviewed take steps to protect personal privacy and improve their responses to breaches of PII. For these reasons, we added the protection of privacy to this high-risk area this year. Additional information on Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information is provided on page 235 of this report. High-Risk Areas Undergoing Significant Transformation: Two high-risk areas--Medicare Programs and Medicaid Programs--face significant uncertainties and are undergoing significant transformation as the nation considers the challenges of health care and its related costs. While the Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have made progress improving oversight of these two programs, gaps in oversight capacity have emerged with the implementation of the Patient Protection and Affordable Care Act (PPACA) and challenges continue to evolve. Medicare Program: Both Congress and the administration have focused on the integrity of the Medicare program, including decreasing improper payments and fraud and abuse. Since February 2013, congressional committees held at least 13 hearings on agency progress in addressing integrity issues. The administration also has made reducing improper payments a priority, and the CMS has set targets for reducing improper payments in all parts of Medicare, which were estimated to be $60 billion in 2014. CMS has made progress measuring improper payments and now has an estimate for each part of the program. However, CMS will need to sustain or improve on its progress in reducing improper payments and better addressing fraud and abuse by shifting more focus to prevention. Other actions by CMS, such as the implementation of payment and health care delivery reforms envisioned in the PPACA,[Footnote 39] may eventually help address Medicare's fundamental financial challenge to remain sustainable over the long-term and improve the health care delivered to beneficiaries. Several of PPACA's changes seek to implement value-based purchasing of health care and transform the program from one which has historically paid providers for the volume of services delivered. Some PPACA provisions, for example, establish financial incentives for providers to increase efficiency and improve the quality of Medicare services, or test new ways of achieving those goals. Other provisions reduced payments to certain providers in anticipation that they would offset the reductions through productivity increases. PPACA also modified the high-income thresholds used to adjust beneficiary Part B premiums. It is too soon to know whether, and to what extent, these various reforms may be successful and achieve the desired outcomes. In addition, the Medicare Trustees, the Office of the Actuary, and the Congressional Budget Office have raised concerns about whether some of the Medicare cost-containment mechanisms included in PPACA will be sustainable over the long term while maintaining provider participation in the program and appropriate beneficiary access to health care services. It is likely that lessons learned from the implementation of the Medicare reforms and cost-containment mechanisms, may, over time, suggest necessary modifications and the need for additional action by CMS or the Congress. Consequently, although we were able to rate progress in addressing Medicare improper payments, we have not yet rated progress on the rest of Medicare's challenges because of these uncertainties and the potentially evolving nature of the reforms. While CMS has made progress in addressing Medicare improper payments and important payment and other reforms are underway, our work suggests that continued attention is needed in five principal program areas: (1) provider payments and incentives in the traditional fee-for- service program; (2) payments to Medicare Advantage plans (the private health plans that serve Medicare beneficiaries), (3) financial and other program design effects on beneficiaries, (4) overall program management including oversight of contracts, and (5) oversight of patient care and safety. We have made a number of recommendations for actions that CMS could take, such as improving the timeliness of the performance reports the agency disseminates to physicians, better targeting payments to certain facilities that treat beneficiaries with end-stage renal disease (kidney failure) to ensure that beneficiaries living in more isolated areas have appropriate access to treatment, taking steps to ensure the appropriateness of the health status payment adjustment made to Medicare Advantage plans, and enhancing oversight of long term care hospitals. Our work has also suggested actions for Congress to consider, such as making physicians' financial interest in the provision of certain services more transparent to beneficiaries. The high-risk issues in Medicare will continue to be a moving target for the foreseeable future and the specific actions needed to address them will likely change over time. The aging of the country's population and rising health care costs will continue to put pressure on the Medicare program. At the same time, reforms intended to foster efficiency or improve health care quality or beneficiary access to services may have unintended consequences as health care providers adjust to new payment and other incentives. Technological advances will lead to new medical treatment options that could increase or decrease health care costs (but historically have tended to increase them) and may also change our expectations of what constitutes appropriate care. Moderating Medicare spending to ensure long-term program sustainability, improving health care quality, and continuing to ensure beneficiary access will not be easy. In a program that spent an estimated $603 billion in 2014, accounted for 17 percent of federal outlays, and 3.5 percent of GDP, even small changes can have large effects for taxpayers, beneficiaries, and providers. Therefore, a continued focus on Medicare by both CMS and Congress remains critical. Additional information on the Medicare Program is provided on page 342 of this report. Medicaid Program: As with the Medicare program, Congress and the administration have taken actions to improve the integrity of the Medicaid program, including taking steps to decrease improper payments, including fraud and abuse. Committees in Congress held multiple hearings on reducing Medicaid improper payments and on improving oversight of the program. The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have also made progress in improving program oversight, for example, issuing guidance to improve states' corrective actions related to program integrity. However, the reported amounts of Medicaid improper payments have increased, from 5.8 percent, or $14.4 billion in federal expenditures, in fiscal year 2013 to 6.7 percent, or $17.5 billion, in fiscal year 2014. CMS continues to face persistent challenges that will require ongoing leadership commitment to ensure that efforts to reduce improper payments are efficient and effective. CMS also needs to address emerging areas where fundamental gaps in oversight capacity exist. For example, more than half of Medicaid beneficiaries receive services under managed care, and states' use of managed care is expected to increase significantly over the next 5 years. Yet, CMS and states lack effective program integrity systems for care delivered by managed care organizations (MCOs). Particularly in view of the projected growth in program spending, Medicaid improper payments remain high risk, and CMS needs to take additional actions to address this gap in oversight. In addition to the growth in the delivery of services through managed care, state Medicaid programs are rapidly changing in many other ways, complicating oversight and the measurement of progress toward reducing risks to the program. Recent changes under the PPACA will introduce more transformative changes that may exacerbate challenges and shortcomings that exist in federal oversight and management of the program. Program enrollment and spending are growing under PPACA, which allows states to expand Medicaid eligibility to new populations, particularly low-income adults without children, which could add new pressures to existing delivery systems. PPACA also provides states with new options and incentives to provide long term services and supports, which could improve the availability of such services but also increase federal costs and oversight challenges. PPACA further requires state Medicaid programs to coordinate their eligibility and enrollment systems with state health insurance exchanges and provides increased federal funding for newly eligible populations. States choosing to expand Medicaid are eligible to receive 100 percent federal funding for this newly eligible population through 2016, phasing to 90 percent federal funding for 2020 and subsequent years. States are also reforming their programs through demonstration waivers through which HHS can waive otherwise applicable Medicaid requirements or authorize new federal matching funds for otherwise ineligible expenditures. It is too soon to know how PPACA and state reforms will change Medicaid, including the effect that program changes and growth will have on beneficiaries' ability to access health care providers, or the implications for changes in how CMS oversees state programs. Consequently, as with Medicare, we are not rating progress yet on high- risk challenges in the Medicaid program apart from progress in addressing Medicaid improper payments. As the program evolves, our work on Medicaid suggests that continued attention is needed in six principle areas of risk: 1) monitoring and measurement of access to quality care; 2) financing structure and transparency of state sources of funding; 3) spending transparency and payment oversight; 4) managed care payment oversight; 5) budget neutrality and expansion of federal fiscal liability under large demonstrations; and 6) growing expenditures for long-term services and high expenditure beneficiaries. A key challenge to federal oversight in these areas is the lack of accurate, reliable, and timely data at the federal level, which is necessary to oversee the diverse and complex state Medicaid programs. We have a number of matters for congressional consideration and recommendations to HHS related to financing, payment oversight, demonstration spending and beneficiary access that still need action. The aging of the country's population, rising health care costs, emerging Medicaid expansions and additional state Medicaid flexibility under PPACA, will continue to put fiscal pressure on states and the federal government. CMS projects that federal spending for Medicaid will rise on average 7 percent per year between fiscal year 2013 and fiscal year 2020, as states expand coverage under the provisions of PPACA. The enrollment of new beneficiaries is likely to then increase the demand for services. The states and CMS will need to ensure that new and existing beneficiaries have access to providers that are able to deliver necessary services. Other changes from PPACA will further challenge areas such as increased demand for long-term care and changes in how and where long-term care is delivered. In light of these changes, the longstanding oversight challenges, and estimated federal Medicaid spending of more than $451 billion by fiscal year 2020, continued focus on Medicaid by both CMS and Congress remains critical. Additional information on the Medicaid Program is provided on page 366 of this report. Monitoring High-Risk Areas: After we remove areas from the High Risk List we continue to monitor them, as appropriate, to determine if the improvements we have noted are sustained and whether new issues emerge. If significant problems again arise, we will consider reapplying the high-risk designation. Personnel Security Clearance Reform is one former high-risk area that we continue to monitor. We also continue to closely monitor Internal Revenue Service Business Systems Modernization because of its complexity and criticality to administering and enforcing tax laws. Personnel Security Clearance Reform: The executive branch's processes for managing personnel security clearances is one former high-risk area that we continue to monitor, along with other areas, to determine whether progress previously made has been sustained. In 2013, the Director of National Intelligence reported that 5.1 million federal government and contractor employees held or were eligible to hold a security clearance which provides access to classified information, the unauthorized disclosure of which could cause exceptionally grave damage to national security.[Footnote 40] Building and monitoring quality throughout the personnel security clearance process is key to promoting oversight and positive outcomes, such as maximizing the likelihood that individuals who are security risks will be scrutinized more closely. We initially identified DOD's personnel security clearance program, which comprises the majority of clearances government-wide, as a high-risk area in 2005 because of delays in completing background investigations and adjudications. DOD's program remained on the High-Risk List in 2007 and 2009 due to ongoing timeliness and quality issues. In our 2011 High Risk report, we removed DOD's personnel security clearance program from the High-Risk List because of actions DOD had taken to strengthen program management. Actions taken included significantly improving the timeliness of clearance processing that met the congressionally mandated requirement for processing 90 percent of initial clearances on average within 60 days. However, since we removed security clearances from the High-Risk List in 2011 the reform effort that began after passage of the Intelligence Reform and Terrorism Prevention Act of 2004[Footnote 41] saw limited progress. Key agencies responsible for clearance reform had a plan and agreed in May 2010 to further develop and implement tools and metrics to measure the completeness of OPM's investigations, among other things. However, in March 2014, after the June 2013 disclosure of classified documents by a former National Security Agency contractor and the September 2013 shooting at the Washington Navy Yard, OMB released the Security and Suitability Processes Review Report to the President, a government- wide review into the oversight, nature, and implementation of security and suitability standards for federal employees and contractors. [Footnote 42] The review found that performance measures for investigative quality involved disparate and difficult to integrate data sources. Also in March 2014, OMB designated Insider Threat and Security Clearances as one of 15 Cross-Agency Priority Goals.[Footnote 43] Reform leaders have recently issued plans to implement Federal Investigative Standards approved in 2012 to guide background investigations by 2017. Reform leaders also have plans to develop performance metrics for investigation quality. Although plans are currently in place and senior leadership is once again focused on the security clearance reform efforts, these efforts are in the early stages. As a result, it is too early to tell the extent to which they will be implemented and whether they will address gaps in existing security clearance processes. Because reform efforts to improve the quality of background investigations have stalled in the past, and given the long standing challenges to improving these processes, it will be critically important for OMB, ODNI and other partner agencies to follow through with planned reform efforts. We will continue to monitor leaders' efforts to implement the reform effort moving forward, and to assess progress made and its impact on personnel security clearance management. As part of this monitoring, we currently have work underway on executive branch efforts to (1) fully develop performance measures and goals for investigation quality, (2) update and implement investigative standards, and (3) ensure security clearance reciprocity- -the decision of agencies to honor clearances previously granted by other agencies.[Footnote 44] Internal Revenue Service Business Systems Modernization: In 2013, we removed the Internal Revenue Service's (IRS) Business Systems Modernization (BSM) program from our High Risk List. This was a result of the progress the agency had made in addressing the significant weaknesses in information technology (IT) management and financial management that led to the high-risk designation in 1995, and in response to IRS' commitment to sustaining progress in the future.[Footnote 45] Nonetheless, we continue to closely monitor this area because of its complexity and criticality to IRS's administration and enforcement of tax laws. We also continue to monitor the program because recurring deficiencies in information security, along with new deficiencies we identified during our audit of IRS's fiscal year 2012 financial statements, merited continued and consistent commitment and attention from IRS management due to their potential impact on the agency's financial management. Following the removal of the IRS BSM area from the High Risk List, we worked with the House and Senate Appropriations Committees to develop a strategy for continued oversight that includes quarterly briefings from senior IT executives on the status of IRS's major IT investments and annual reviews by us.[Footnote 46] Through these briefings and reports we are monitoring IRS's efforts to continue modernizing its systems as it is faced with budget challenges and additional responsibilities such as those associated with the implementation of the Patient Protection and Affordable Care Act.[Footnote 47]. We are continuing to identify management challenges--particularly related to the reliability and reporting of IT investment performance information--and have made recommendations to address them. Through our annual audits of IRS's financial statements, we also continue to monitor the agency's efforts to address the deficiency in internal controls over financial reporting and other deficiencies we believe merit continued and consistent commitment and attention from IRS management.[Footnote 48] [End of section] Overview for Each High-Risk Area: Overall, the government continues to take high-risk problems seriously and is making long-needed progress toward correcting them. Congress has also acted to address several individual high-risk areas through hearings and legislation. The following pages provide overviews of 30 of the 32 high-risk areas on our updated list. The two areas being added to the high-risk list-- Managing Risks and Improving VA Health Care and Improving the Management of IT Acquisitions and Operations--were discussed in the body of the report on pages 26 and 37. Each overview discusses (1) why the area is high risk, (2) the actions that have been taken and that are under way to address the problem since our last update in 2013, and (3) what remains to be done. Each of these high-risk areas is also described on our High Risk List website, [hyperlink, http://www.gao.gov/highrisk/overview]. Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks: Why Area Is High Risk: Climate change is considered by many to be a complex, crosscutting issue that poses risks to many environmental and economic systems-- including agriculture, infrastructure, ecosystems, and human health-- and presents a significant financial risk to the federal government. Among other reported impacts, climate change could threaten coastal areas with rising sea levels, alter agricultural productivity, and increase the intensity and frequency of severe weather events. As observed by the United States Global Change Research Program (USGCRP), the impacts and costs of weather disasters--resulting from floods, droughts, and other events--will increase in significance as what are considered "rare" events become more common and intense due to climate change.[Footnote 49] In addition, less acute changes, such as sea level rise, could also result in significant long-term impacts. According to the National Research Council (NRC), although the exact details cannot be predicted with certainty, there is a clear scientific understanding that climate change poses serious risks to human society and many of the physical and ecological systems upon which society depends, with the specific impacts of concern, and the relative likelihood of those impacts, varying significantly from place to place and over time.[Footnote 50] These impacts call attention to five areas where government-wide improvement is needed to reduce fiscal exposure, including, but not limited to the federal government's role as (1) the leader of a strategic plan that coordinates federal efforts and also informs state, local, and private-sector action; (2) the owner or operator of extensive infrastructure such as defense facilities and federal property vulnerable to climate impacts; (3) the insurer of property and crops vulnerable to climate impacts; (4) the provider of data and technical assistance to federal, state, local, and private-sector decision makers responsible for managing the impacts of climate change on their activities; and (5) the provider of aid in response to disasters. As a result, we added Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks to the High Risk List in 2013. One way to reduce the potential impacts of climate change is to enhance resilience. The National Academies define resilience as the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events.[Footnote 51] When discussing climate change, the term adaptation--defined as adjustments to natural or human systems in response to actual or expected climate change--is synonymous with enhancing resilience. Adaptation is a risk-management strategy to help protect vulnerable infrastructure and communities that might be affected by changes in the climate. It includes, for example, raising river or coastal dikes to protect infrastructure from sea level rise, building higher bridges, and increasing the capacity of storm water systems. State and local authorities are responsible for planning and implementing many types of infrastructure projects. Decisions at these levels of government can drive the federal government's fiscal exposure. As we reported in April 2013, enhanced resilience means reducing potential future losses rather than waiting for an event to occur and paying for recovery afterward.[Footnote 52] Enhancing resilience can create additional up-front costs, but could also reduce potential future damages from climate-related events that--given expected budget pressures--would otherwise constrain federal programs. As stated in a 2010 NRC report, increasing the nation's ability to respond to a changing climate can be viewed as an insurance policy against climate change risks.[Footnote 53] Furthermore, according to NRC and USGCRP, the nation's vulnerability can be reduced by limiting the magnitude of climate change through actions to limit greenhouse gas emissions.[Footnote 54] We recognize that (1) the federal government has a number of efforts underway to decrease domestic greenhouse gas emissions, and (2) the success of greenhouse gas emissions reduction efforts depends in large part on cooperative international efforts. However, limiting the federal government's fiscal exposure to climate change risks will present a challenge no matter the outcome of domestic and international efforts to reduce emissions, in part because greenhouse gases already in the atmosphere will continue altering the climate system for many decades, according to NRC and USGCRP.[Footnote 55] What GAO Found: Figure: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The President's June 2013 Climate Action Plan and various executive orders, task forces, and strategic planning documents identify climate change as a priority and demonstrate commitment and top leadership support.[Footnote 56] This leadership commitment needs to be sustained and enhanced to address the federal fiscal exposure to climate change. As evident from the proliferation of climate-related efforts at different federal agencies, the federal government has some capacity to address the fiscal exposure posed by climate change, but existing actions and strategies do not clearly define the roles, responsibilities, and working relationships among federal, state, local, and private-sector entities, or how such efforts will be funded, staffed, and sustained over time. There are no programs to monitor and independently validate the effectiveness and sustainability of federal efforts to reduce the fiscal exposure posed by climate change. Thus, there is no way to demonstrate progress in implementing corrective measures. Government-wide improvement is needed to reduce fiscal exposure in five areas, including, but not limited to, the federal government's role as (1) the leader of a strategic plan that coordinates federal efforts and also informs state, local, and private-sector action; (2) the owner or operator of extensive infrastructure such, as defense facilities and federal property vulnerable to climate impacts; (3) the insurer of property and crops vulnerable to climate impacts; (4) the provider of data and technical assistance to federal, state, local, and private-sector decision makers responsible for managing the impacts of climate change on their activities; and (5) the provider of aid in response to disasters. Federal Government as Leader of National Strategic Plan: Figure: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks: [Refer to PDF for image: star illustration] Federal government as leader of national strategic plan: Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] For its climate strategic planning efforts, the federal government was rated as partially met for Leadership Commitment, Capacity, and Action Plan, and not met for Monitoring and Demonstrating Progress. The federal government is not well organized to address the fiscal exposure presented by climate change, partly because of the inherently complicated, crosscutting nature of the issue. We reported in 2009 that, while policymakers increasingly viewed climate change adaptation as a risk-management strategy to protect vulnerable sectors and communities that might be affected by changes in the climate, the federal government's emerging adaptation activities were carried out in an ad hoc manner and were not well coordinated across federal agencies, let alone with state and local governments.[Footnote 57] Subsequently, our 2011 report on climate change funding found no coherent strategic government-wide approach to climate change. [Footnote 58] This report also found that federal officials do not have a shared understanding of strategic government-wide priorities. [Footnote 59] The federal government would be better positioned to respond to the risks posed by climate change if federal efforts were more coordinated and were directed toward common goals. With regard to providing climate-related information, NRC observed that no single government agency or centralized unit could perform all the required functions, and that coordination of agency roles and regional activities is a necessity. In 2009, we recommended that the appropriate entities within the Executive Office of the President, such as the Council on Environmental Quality (CEQ) and the Office of Science and Technology Policy, in consultation with relevant federal agencies, state and local governments, and key congressional committees of jurisdiction, develop a strategic plan to guide the nation's efforts to adapt to climate change, including the establishment of clear roles, responsibilities, and working relationships among federal, state, and local governments.[Footnote 60] We also recommended in May 2011 that the appropriate entities within the Executive Office of the President clearly establish federal strategic climate change priorities, including the roles and responsibilities of the key federal entities, taking into consideration the full range of climate-related activities within the federal government.[Footnote 61] Similarly, we reported in September 2014 that 11 federal agencies were involved in the federal response to ocean acidification but that the roles and responsibilities for each agency have not been defined.[Footnote 62] As a result, we recommended that the appropriate entities within the Executive Office of the President clearly define the roles and responsibilities of each agency with regard to implementing an interagency ocean acidification research and monitoring plan.[Footnote 63] We did not receive a response to this recommendation. The federal government has recently initiated many climate-related strategic planning activities. Specifically, the President's June 2013 Climate Action Plan and November 2013 Executive Order 13653 on Preparing the United States for the Impacts of Climate Change show how federal agencies have made some progress on better organizing across agencies, within agencies, and among different levels of government.[Footnote 64] In response to this executive order, agencies created climate change adaptation plans that outline steps they will take to, for example, factor resilience to the effects of climate change into grant-making and investment decisions, and into the design and construction of new and existing agency facilities and infrastructure.[Footnote 65] Agencies completed their first adaptation plans in 2012 and updated the plans in October 2014. These and other federal efforts identify climate change as a priority and demonstrate commitment and top leadership support. While agencies have begun to take specific actions, most have yet to implement aspects of these plans or sustained momentum over time. It is also unclear how the various planning efforts relate to each other or what they amount to as a government-wide approach for reducing federal fiscal exposures. Further, existing strategic planning efforts generally do not address the roles, responsibilities, and working relationships among federal, state, and local entities; identify how such efforts will be funded and staffed over time; or establish mechanisms to track and monitor progress. Hence, the federal government cannot demonstrate progress in implementing corrective measures. Federal Government as Property Owner: Figure: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks: [Refer to PDF for image: star illustration] Federal government as property owner: Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] In its role as the owner of property, the federal government was rated as partially met for Leadership Commitment, Capacity, and Action Plan, and not met for Monitoring and Demonstrating Progress. The federal government owns and operates hundreds of thousands of facilities and manages millions of acres of land that could be affected by a changing climate. For example, the Department of Defense's (DOD) 2010 and 2014 Quadrennial Defense Reviews state that climate change poses risks to defense infrastructure, particularly on the coasts. DOD's infrastructure consists of more than 555,000 defense facilities and 28 million acres of land, with a replacement value of close to $850 billion.[Footnote 66] In May 2014, we found that DOD's implementation of guidance directing the consideration of climate change in installation planning is likely to vary across the department because installation planners lacked key definitions and other information about the impacts of climate change on specific facilities.[Footnote 67] In this report, we also found that DOD processes for approving and funding infrastructure projects did not explicitly account for climate change. In May 2014, we recommended, among other things, that DOD (1) develop a plan and milestones for completing climate change vulnerability assessments of installations; (2) provide further information to installation planners that clarifies how to account for climate change in planning; and (3) clarify the processes used to compare military construction projects for funding to include consideration of potential climate change impacts. [Footnote 68] DOD concurred with our recommendations, noting that the department's goal is to integrate consideration of climate change into existing infrastructure planning processes and documents. The federal government also owns and operates hundreds of thousands of nondefense buildings and facilities that a changing climate could affect. For example, NASA's real property holdings include more than 5,000 buildings and other structures such as wind tunnels, laboratories, launch pads, and test stands. In total, these NASA assets--many of which are located in vulnerable coastal areas-- represent more than $32 billion in current replacement value.[Footnote 69] Federally funded and managed energy and water infrastructure is also vulnerable to climate change.[Footnote 70] For example, DOD's U.S. Army Corps of Engineers and the Department of the Interior's Bureau of Reclamation own and operate key water resource management infrastructure--such as canals, dams, and reservoirs--that may be affected by changes in extreme precipitation events linked to climate change, among other impacts. Professional associations, not federal agencies, generally develop the design standards--technical guidelines that promote the safety, reliability, productivity, and efficiency of infrastructure--that specify how weather and climate-related data are to be considered in project-level design and planning processes for infrastructure, including many federal facilities.[Footnote 71] These standards generally do not account for climate change, increasing potential federal fiscal exposures. In April 2013, we recommended, among other things, that the U.S. Department of Transportation and the Environmental Protection Agency work with relevant professional associations to incorporate climate change information into design standards that define how structures are to be built. These agencies did not provide official written comments to include in our report and have not directly addressed this recommendation. We have ongoing work related to climate change, design standards, and building codes. The federal government also manages nearly 30 percent of the land in the United States--about 650 million acres of land, including 408 national park units and 155 national forests--for a wide variety of purposes, such as recreation, grazing, timber, and conservation. These resources are vulnerable to changes in the climate, including the possibility of more frequent and severe droughts and wildfires. [Footnote 72] Appropriations for federal wildland fire management activities have tripled since 1999, averaging more than $3 billion annually in recent years.[Footnote 73] In 2007, we recommended that the Secretaries of Agriculture, Commerce, and the Interior develop guidance for resource managers that explains how they are expected to address the effects of climate change, identifies how managers are to obtain any site-specific information that may be necessary, and reflects best practices shared among the relevant agencies.[Footnote 74] In May 2013, we reported that these agencies had taken steps to establish strategic direction for addressing climate change and have developed guidance, training, and other tools for managers to use in adapting to climate change.[Footnote 75] However, as we noted in this report, federal land and resource managers still struggled to incorporate climate-related information into their day-to-day activities notwithstanding these actions. To further explore this issue, we have ongoing work related to the impacts of climate change on different types of resources such as coastal habitats and fisheries. Demonstrating leadership commitment, Executive Orders 13514 and 13653 direct agencies to develop climate change adaptation plans to account for the impacts of climate change on agency operations and missions. Agencies completed their first adaptation plans in 2012 and updated the plans in October 2014, identifying vulnerable federal infrastructure and plans to account for climate change in infrastructure planning, demonstrating federal capacity to address the issue. However, this commitment needs to be sustained over time. Most agencies have yet to identify specific actions to implement adaptive measures. Also, there are no programs to monitor and independently validate the effectiveness and sustainability of the measures identified in the adaptation plans. Hence, the federal government cannot yet demonstrate progress in implementing corrective measures. Also related to both federal facilities and the management of natural resources, on February 18, 2010, CEQ issued draft guidance on how federal agencies can consider the effects of climate change when Implementing the National Environmental Policy Act of 1969 (NEPA), which applies to certain types of federal projects.[Footnote 76] CEQ did not finalize the guidance or issue regulations addressing how, if at all, federal agencies are to consider the effects of climate change in the NEPA process but instead issued revised draft guidance in December 2014. CEQ has not indicated when or if the guidance would be finalized. Without finalized guidance from CEQ, it is unclear how, if at all, agencies are to consistently consider climate change when implementing NEPA. In April 2013 we recommended, among other things, that the CEQ Chairman finalize guidance on how federal agencies can consider the effects of climate change in their evaluations of proposed federal actions--such as infrastructure projects--under NEPA.[Footnote 77] CEQ has not directly addressed this recommendation. Federal Insurance Programs: Figure: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks: [Refer to PDF for image: star illustration] Federal Insurance Programs: Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] As the insurer of crops and property, the federal government was rated as partially met for Leadership Commitment and not met for Capacity, Action Plan, Monitoring, and Demonstrating Progress with respect to climate change. Two important federal insurance efforts--the National Flood Insurance Program and the Federal Crop Insurance Corporation-- face climate change and other fundamental challenges that increase federal fiscal exposure and send inaccurate price signals to policyholders about their potential risk of loss. These programs are based on conditions, priorities, and approaches that were established decades ago and are not well suited to addressing emerging issues like climate change. The National Flood Insurance Program, administered by the Department of Homeland Security's (DHS) Federal Emergency Management Agency (FEMA), has been on our High Risk List since March 2006 because of concerns about its long-term financial solvency and related operational issues.[Footnote 78] For example, as of December 31, 2014, FEMA owed the Treasury $23 billion, up from $20 billion as of November 2012. FEMA made a $1 billion principal repayment at the end of December 2014--FEMA's first such payment since 2010. In August 2014, we reported on the federal crop insurance program's important role in managing the risk of farming losses caused by droughts, floods, and other natural disasters, and the associated federal costs. [Footnote 79] Our March 2007 report assessing the financial risks to the National Flood Insurance Program and the United States Department of Agriculture's (USDA) Federal Crop Insurance Corporation found that their exposure to weather-related losses had grown substantially. [Footnote 80] Among other things, the report contrasted the experience of private and public insurers. We found that many major private insurers proactively incorporated some elements of climate change into their risk-management practices. In contrast, we noted that the agencies responsible for the nation's two key federal insurance programs had done little to develop the kind of information needed to understand their long-term exposure to climate change, and had not analyzed the potential impacts of an increase in the frequency or severity of weather-related events on their operations. We recommended that the Secretaries of Agriculture and DHS analyze the potential long- term fiscal implications of climate change for the Federal Crop Insurance Corporation and the National Flood Insurance Program, respectively, and report their findings to the Congress. As discussed below, since then, (1) Congress passed and subsequently amended the Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act),[Footnote 81] and (2) in October 2014, we revisited these programs' exposure to climate-related losses.[Footnote 82] * Biggert-Waters Act. In June 2011, we reported that external factors continue to complicate the administration of the National Flood Insurance Program and affect its financial stability.[Footnote 83] Specifically, as it relates to climate change and sea level rise, FEMA, historically, has not been authorized to account for long-term erosion when updating flood maps used to set premium rates for the National Flood Insurance Program. Flood maps are supposed to accurately estimate the likelihood of flooding in specific areas, given certain characteristics including elevation and topography, but they can quickly become inaccurate because of changes from long-term erosion, particularly in coastal areas.[Footnote 84] This could prove problematic in areas susceptible to sea level rise. Not accurately reflecting the actual risk of flooding increases the likelihood that even full-risk premiums will not cover future losses and adds to concerns about the National Flood Insurance Program's financial stability. Consequently, among a range of other recommendations, in June 2011, we presented a matter for congressional consideration to authorize the National Flood Insurance Program to account for long- term flood erosion in its flood maps.[Footnote 85] Subsequently, Congress passed the Biggert-Waters Act, which requires FEMA to use information on topography, coastal erosion areas, changing lake levels, future changes in sea levels, and intensity of hurricanes in updating its flood maps, among other information.[Footnote 86] The Biggert-Waters Act created a technical mapping advisory council which must produce a "Future Conditions Risk Assessment and Modeling Report" with recommendations on how to ensure (1) rate maps incorporate best available climate science, and (2) that FEMA uses the best available methodology to consider the impact of rising sea levels and future development on flood risk.[Footnote 87] The act requires the council to submit the risk assessment and modeling report to FEMA. FEMA is then required to incorporate the report into its ongoing program to review and update rate maps. While these and other changes may help put the National Flood Insurance Program on a path to financial solvency, their ultimate effect is not yet known because the program faces challenges in making the changes.[Footnote 88] * Our October 2014 Report on Public Insurers' Exposure to Climate- Related Losses. Demonstrating some commitment and top leadership support, public insurers have commissioned climate change studies, incorporated climate change adaptation into their planning, and taken other steps to better understand and prepare for climate change's potential effects.[Footnote 89] Regarding FEMA's flood insurance program, the agency is phasing out most subsidies and is studying how to incorporate the projected effects of climate change, such as future sea level rise and erosion, into its flood maps. However, the mapping advisory council's recommendations are not expected until September 2015. Until the agency implements these changes, policyholders and communities may continue to build and rebuild structures to current standards that do not necessarily reflect the changing weather-related risks faced over structures' designed life spans--which could exacerbate federal fiscal exposure amid already strained federal resources. To promote forward-looking construction and rebuilding efforts, we recommended in October 2014 that the Secretary of DHS direct FEMA to consider amending flood insurance standards to incorporate, as appropriate, forward-looking information. DHS agreed with our recommendation. In addition, we reported in October 2014 that a variety of agricultural practices are available to farmers that would improve their long-term resilience to climate change, such as practices that would promote long-term water conservation and soil conservation. [Footnote 90] However, federal crop insurance policyholders may receive inaccurate price signals about their current risks because they receive premium subsidies and therefore do not bear the true cost of their risk of loss due to weather-related events--which could affect their farming decisions. Also, they may not receive signals that reflect the long-term implications of their short-term farming practice decisions. For example, certain practices, such as conventional tillage and traditional irrigation methods, may maintain historic crop yields in the short-term, but they may inadvertently reduce agriculture's long-term resilience through increased erosion, depleted soil quality, and inefficient water use.[Footnote 91] Consequently, we recommended in October 2014 that the Secretary of Agriculture direct the federal crop insurance program to consider working with agricultural experts to incorporate resilient agricultural practices into expert guidance for growers, so that good farming practices take into account long-term agricultural resilience to climate change. USDA did not specify its agreement or disagreement with our recommendation. While progress is evident, the federal commitment needs to be sustained and enhanced over time. Agencies have yet to identify specific actions to address challenges inherent to federal insurance programs--such as how to encourage policyholders to reduce their long- term exposure to climate change given the short-term nature of insurance contracts--that may impede the ability of these programs to minimize long-term federal exposure to climate change. Further, there are no programs to monitor and independently validate the effectiveness and sustainability of the measures identified in agency plans. Hence, the federal government cannot yet demonstrate progress in implementing corrective measures. Technical Assistance to Federal, State, Local, and Private-Sector Decision Makers: Figure: Technical Assistance to Federal, State, Local, and Private- Sector Decision Makers: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] For its climate information technical assistance efforts, the federal government was rated as partially met for Leadership Commitment and Action Plan, and not met for Capacity, Monitoring, and Demonstrating Progress. Climate change has the potential to directly affect a wide range of federal services, operations, programs, assets, and national security, increasing federal fiscal exposure in many ways. State, local, and private-sector decision makers can also drive federal climate-related fiscal exposures because they are responsible for planning, constructing, and maintaining certain types of vulnerable infrastructure paid for with federal funds, insured by federal programs, or eligible for federal disaster assistance. Federal efforts are beginning to focus on providing information to these decision makers so they can make more informed choices about how to manage the risk posed by potential climate impacts. As we reported in October 2009, it is hard for decision makers at all levels to justify the current costs of resilience efforts for potentially less certain future benefits because the federal government's own climate-related data--composed of observational records from satellites and weather monitoring stations, projections from complex climate models, and other tools--is fragmented across many individual agencies that use the information in different ways to meet their respective missions.[Footnote 92] Federal, state, local, and private-sector decision makers may be unaware that this information exists or may be unable to use what is available. * Federal Decision Makers. The federal government faces increased climate-related fiscal exposures as the owner of federal facilities, manager of natural resources, and insurer of property and crops. Agencies have developed focused efforts to provide climate-related information to federal decision makers so they can better manage the risk climate change poses to these and other programs. For example, bureaus and agencies within the Department of the Interior developed a network of collaborative Landscape Conservation Cooperatives, composed of public and private agencies working to provide the science and technical expertise needed to apply climate-related data in decision making.[Footnote 93] Further, the National Park Service, also within the Department of the Interior, is developing guidance for park-based climate change adaptation plans that includes such steps as identifying conservation targets and conducting vulnerability assessments.[Footnote 94] Despite the proliferation of such efforts within federal agencies, our work shows an enduring need for local- scale information. For example, our May 2014 report on defense infrastructure adaptation showed that officials at DOD installations were not sure which information to use in their planning.[Footnote 95] We recommended that DOD provide further information to installation planners, clarifying actions that should be taken to account for climate change in planning documents. DOD concurred with this recommendation. Also, as we reported in September 2014, information related to ocean acidification that would be useful to federal, state, local, and private-sector decision makers was difficult to access because it was available on various federal websites and had not been consolidated.[Footnote 96] As a result, we recommended that the appropriate entities within the Executive Office of the President establish an information exchange to improve the national response to ocean acidification. We did not receive a response to this recommendation. * State and Local Decision Makers. The federal government annually invests billions of dollars in infrastructure projects that state and local governments prioritize and supervise. For example, state and local governments control zoning decisions and make decisions about how to build certain types of critical infrastructure that are vulnerable to climate change, such as roads and bridges. The federal government has a key interest in helping state and local decision makers increase their resilience to climate change and extreme weather events because uninsured losses may increase the federal government's fiscal exposure through federal disaster assistance programs.[Footnote 97] As we reported in April 2013, the federal government plays a critical role in producing the information needed to facilitate more informed local adaptation decisions.[Footnote 98] However, this information exists in an uncoordinated confederation of networks and is not easily accessible, so state and local officials may make decisions without it or choose not to act at all. These decision makers often struggle to identify which information among the vast number of available datasets and studies is relevant. In April 2013, we recommended that a federal entity designated by the Executive Office of the President work with agencies to identify for local infrastructure decision makers the best available climate-related information for planning and to update this information over time. The Executive Office of the President did not provide official written comments to include in our report and has not directly addressed this recommendation. We continue to evaluate the technical assistance needs of state and local decision makers and have ongoing work related to how the nation's public health system--composed primarily of state and local officials--is responding to climate change. * Private-Sector Decision Makers. Climate change also poses risks to private-sector decision makers by, for example, disrupting supply chains that provide the food, medicine, energy, and products that support the U.S. economic system. The federal government both relies on private-sector supply chains to provide these goods and services and provides assistance to the private sector in the aftermath of extreme weather events. This increases the federal government's fiscal exposure to a changing climate. We recently completed work on how climate change may affect the U.S. agriculture and energy sectors. As we reported in September 2014, the United States produced about $395 billion in agriculture commodities in 2012, with about half of this revenue from crop sales and half from livestock sales.[Footnote 99] According to USGCRP, increases in temperature, rainfall intensity, and extreme events, such as sustained droughts and heat waves, will likely have negative impacts on crop and livestock yields.[Footnote 100] USDA is taking several promising steps to help farmers mitigate and adapt to climate change. For example, it established regional Climate Hubs to deliver science-based knowledge, practical information, and program support to farmers, ranchers, and forest landowners to support decision making related to climate change.[Footnote 101] However, we found that USDA has made few efforts to quantify the costs and returns of taking certain actions that could help farmers make both short-and long-term decisions in the face of a changing climate.[Footnote 102] We recommended that its agencies develop and provide readily accessible information to farmers on the farm-level economic costs and returns of taking certain actions in response to climate change. USDA concurred with this recommendation. Further, we reported in January 2014 that U.S. energy infrastructure is at risk for damage and disruptions to service due to severe weather events, according to assessments by NRC and USGCRP.[Footnote 103] While many climate change impacts are projected to be regional in nature, the interconnectedness of the nation's energy system means that regional vulnerabilities may have wide-ranging implications for energy production and use, ultimately affecting transportation, industrial, agricultural, and other critical sectors of the economy that require reliable energy. According to this January 2014 report, the federal government can play important supporting roles in providing information to promote climate resilience in the energy sector.[Footnote 104] We have ongoing climate-related work on private- sector adaptation, fisheries management, and federal supply-chain risk. To address the climate information challenges faced by federal, state, local, and private sector decision makers, we recommended in October 2009 that the appropriate entities within the Executive Office of the President develop a government-wide strategic plan for adaptation. We stated that the plan should, among other things, identify mechanisms to increase the capacity of federal, state, and local agencies to incorporate information about current and potential climate change impacts into decision making. The November 2013 Executive Order 13653 on Preparing the United States for the Impacts of Climate Change calls on certain federal agencies to work together to provide authoritative, easily accessible, and usable climate-related information. This executive order and other efforts, such as the President's June 2013 Climate Action Plan, the U.S. Climate Resilience Toolkit, the USGCRP 2012-2021 strategic plan for climate change science, and the May 2014 Third National Climate Assessment, recognize the importance of providing and translating climate information for decision makers. [Footnote 105] These efforts also demonstrate commitment and top leadership support. However, this commitment needs to be sustained over time; the roles, responsibilities, and working relationships among federal, state, local, and private-sector entities are still unclear. Also, the resources and government-wide structure necessary to implement plans or sustain success are not yet defined. Based, in part, on this lack of capacity, no programs to monitor and independently validate the effectiveness and sustainability of corrective measures exist, and the ability to demonstrate progress is limited. We have ongoing work focused on government-wide options to provide technical assistance to decision makers. In addition, existing satellite systems important to developing the information needed by state and local officials are nearing the end of their expected life spans. These systems have troubled legacies of cost increases, missed milestones, technical problems, and management challenges that have resulted in reduced functionality and slips to planned launch dates. As a result, the continuity of satellite data is at risk. According to program officials from the Department of Commerce's National Oceanic and Atmospheric Administration (NOAA), a satellite data gap would result in less accurate and timely weather forecasts and warnings of extreme events--such as hurricanes, storm surges and floods. Such degradation in forecasts and warnings would place lives, property, and our nation's critical infrastructures in danger. Given the criticality of satellite data to weather forecasts, the likelihood of significant gaps, and the potential impact of such gaps on the health and safety of the U.S. population and economy, we concluded that the potential gap in weather satellite data is a high- risk area and added it to the High Risk List in 2013. Since then, NOAA has demonstrated leadership commitment in mitigating satellite data gaps. However, work remains to complete plans and demonstrate progress in implementing them. Disaster Aid: Figure: Disaster Aid: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] As the provider of disaster aid, the federal government was rated as partially met for Leadership Commitment and not met for Capacity, Action Plan, Monitoring, and Demonstrating Progress, with respect to climate change. Multiple factors, including increased disaster declarations, climate change effects, and changing development patterns increase federal fiscal exposure to severe weather events.[Footnote 106] Extreme weather events have cost the nation tens of billions of dollars in damages over the past decade. For example, in January 2013, about $60 billion in budget authority was provided to support recovery from Superstorm Sandy.[Footnote 107] Further, based on a 2013 analysis of disaster relief appropriations by the Congressional Research Service, the amount of inflation-adjusted disaster relief per fiscal year increased from a median of $6.2 billion for the years 2000 to 2006, to a median of $9.1 billion for the years 2007 to 2013 (46 percent).[Footnote 108] Such federal disaster aid functions as the insurance of last resort in certain circumstances because whatever is not covered by insurance or built to be resilient to extreme weather increases the federal government's implicit fiscal exposure through disaster relief programs. Fiscal constraints will make it more difficult for the federal government to respond effectively in the future and such expenses could affect resources available for other key government programs. To prepare adequately for a disaster, federal agencies need to work with state and local governments and volunteer agencies to produce and evaluate information so that they can fully assess risk and make appropriate response and recovery decisions. However, FEMA has had difficulty implementing longstanding plans to assess national preparedness capabilities to prepare for and respond effectively to these disasters. Its efforts have been repeatedly delayed and are not yet complete.[Footnote 109] In addition, we reported in September 2012 that FEMA's indicator for determining whether to recommend that a jurisdiction receive disaster assistance is artificially low because it does not accurately reflect the ability of state and local governments to respond to disasters.[Footnote 110] As this report showed, had FEMA adjusted the indicator annually for inflation, 25 percent of the 508 disaster declarations from fiscal years 2004 through 2011 would not have met the eligibility criteria that FEMA used to determine whether federal disaster assistance should be provided, which would have likely resulted in fewer disaster declarations. Our 2012 report and others have identified challenges in the determination of costs to be borne by federal, state, and local governments or the private sector in preparing for, responding to, and recovering from disasters of all types.[Footnote 111] We have also reported that the availability of federal assistance may inhibit actions to mitigate disaster losses. As long ago as 1980, we reported that individuals may not act to protect themselves from the effects of severe weather if they believe the federal government will eventually help pay for their losses.[Footnote 112] In September 2012, we recommended, among other things, that FEMA develop a methodology to more accurately assess a jurisdiction's capability to respond to and recover from a disaster without federal assistance. FEMA concurred with this recommendation. In the event of a major disaster, federal funding for response and recovery comes from the Disaster Relief fund managed by FEMA and disaster aid programs of other participating federal agencies. These programs have been provided emergency supplemental appropriations to cover the costs of damages. The federal government does not budget for the costs of these supplemental appropriations. Without proper budgeting and forecasting to account for these events, the federal government runs the risk of facing a large fiscal exposure at any time.[Footnote 113] Further increasing the challenge faced by the federal government in managing such fiscal exposures is that annual budget requests and appropriations for disaster relief do not include all known costs from still-open disaster declarations, in particular those from catastrophic disasters.[Footnote 114] This has led to requests for supplemental appropriations not only for new disasters, but also for costs related to ongoing, past disasters. As a result, decision makers may not have a comprehensive view of overall funding claims and trade-offs. In this context, the federal response to Superstorm Sandy, other strategic planning documents, and executive orders demonstrate federal commitment and top leadership support for increasing resilience and reducing fiscal exposures posed by climate change. As we reported in October 2014, FEMA, in conjunction with other federal agencies, has taken some recent steps to manage future risks related to climate change for disaster relief.[Footnote 115] For example, in August 2013, the Sandy Rebuilding Task Force issued the Hurricane Sandy Rebuilding Strategy. This strategy contained 69 recommendations to various federal agencies and their nonfederal partners aimed at improving recovery from both Hurricane Sandy and future disasters.[Footnote 116] The Hurricane Sandy Rebuilding Task Force also implemented a minimum flood risk reduction standard for Sandy-related disaster funding to account for future sea level rise in response to Executive Order 13632.[Footnote 117] Under this standard, structures repaired or rebuilt must meet forward-looking standards, such as elevating the ground floor of a building 1 foot higher than existing FEMA standards. In addition, according to FEMA officials, a current interagency effort seeks to develop a Federal Flood Risk Reduction Standard that would apply to future disaster relief appropriations--although it is too early to know whether such a standard will incorporate future risk. [Footnote 118] Furthermore, according to a July 2014 White House statement, FEMA will issue new guidance that calls upon states to incorporate climate change into their hazard mitigation plans as a condition for receiving disaster relief.[Footnote 119] FEMA's Hazard Mitigation Assistance programs and post-disaster grants currently do not require grantees to incorporate sea level rise into their cost- benefit calculations for proposed projects, although they do allow it. [Footnote 120] However, the extent to which federal agencies have implemented these and other recommendations to make disaster aid programs more resilient to climate change is unclear because there is no government-wide corrective action plan that defines clear roles and responsibilities, and no programs to monitor or independently validate the effectiveness and sustainability of the measures identified in the strategy and other plans. Hence, the federal government cannot yet demonstrate progress in implementing corrective measures. We have work under way evaluating these emerging federal efforts. What Remains to Be Done: The federal government needs a strategic approach with strong leadership and the authority to manage climate change risks that encompasses the entire range of related federal activities and addresses all key elements of strategic planning. Such an approach includes the establishment of strategic priorities and the development of roles, responsibilities, and working relationships among federal, state, and local entities. Recognizing that each department and agency operates under its own authorities and responsibilities--and can therefore be expected to address climate change in different ways relevant to its own mission--existing federal efforts have encouraged a decentralized approach, with federal agencies incorporating climate- related information into their planning, operations, policies, and programs. While individual agency actions are necessary, a centralized national strategy driven by a government-wide plan is also needed to reduce the federal fiscal exposure to climate change, maximize investments, achieve efficiencies, and better position the government for success. Even then, such approaches will not be fully sufficient unless also coordinated with state, local, and private-sector decisions that drive much of the federal government's fiscal exposure. The challenge is to develop a cohesive approach at the federal level that also informs state, local, and private-sector action. The federal government has many climate-related strategic planning activities under way. Specifically, the President's June 2013 Climate Action Plan and November 2013 Executive Order 13653 on Preparing the United States for the Impacts of Climate Change show how federal agencies have made some progress on better organizing across agencies, within agencies, and among different levels of government. This leadership needs to be sustained, with increased focus on implementing federal plans--identifying the roles, responsibilities, and working relationships among federal, state, and local entities; identifying how such efforts will be funded and staffed over time; and establishing mechanisms to track and monitor progress. In addition to addressing these broad strategic challenges, there are specific areas among many that may require attention including: * Federal property and resources. This involves incorporating climate change information into infrastructure planning processes, working with relevant professional associations to incorporate climate change information into design standards that define how structures are to be built, and determining how to account for climate change in NEPA analyses. * Federal flood and crop insurance programs. This entails developing the information needed to understand and manage federal insurance programs' long-term exposure to climate change and to analyze the potential impacts of an increase in the frequency or severity of weather-related events on their operations. Specifically, there is a need to incorporate the projected effects of climate change, such as sea level rise and erosion, into updated flood maps and agricultural practices incentivized by the federal government. * Technical assistance to federal, state, local and private-sector decision makers. This involves developing a government-wide approach for providing (1) the best available climate-related information for making federal, state, local, and private-sector decisions, and (2) assistance for translating available climate-related data into information that officials need to make decisions. We have ongoing work focused on government-wide options to provide technical assistance to decision makers. * Environmental satellites. Potential gaps in satellite data need to be addressed. NOAA must improve its satellite mitigation plans, and implement and monitor key mitigation activities, to ensure that its plans to address potential gaps in satellite data are viable when needed. We plan to continue assessing NOAA's actions on its satellite programs to determine whether its plans are viable. * Disaster aid. FEMA needs improved criteria to assess a jurisdiction's capability to respond and recover on its own, and also to better apply lessons from past experience when developing disaster cost estimates so decision makers have a comprehensive view of overall funding claims and trade-offs. We have ongoing work related to disaster assistance and budgeting for emergencies. The State, Local, and Tribal Leaders Task Force on Climate Preparedness and Resilience established by Executive Order 13653 recommended many of the same actions in a November 2014 report to the President.[Footnote 121] Among other actions, the task force called on the federal government to incorporate resilient design standards in the building, retrofit, or repair of federal facilities; finalize guidelines for consideration of climate impacts in NEPA evaluations; provide data, tools, and guidance at a scale sufficient to guide state, local, and tribal decision making and investments; and modify disaster recovery programs to prioritize projects that are designed to withstand future climate impacts and that are located outside areas vulnerable under current or foreseeable conditions. Importantly, the task force recognized the need to designate a senior administration official to coordinate across federal agencies, and to establish implementation benchmarks and a process for reporting on progress. These are key elements of our criteria for removal from the high-risk list. GAO Contact: For additional information about this high-risk area, contact J. Alfredo Gomez at (202) 512-3841 or gomezj@gao.gov. Related GAO Products: Climate Change: Better Management of Exposure to Potential Future Losses Is Needed for Federal Flood and Crop Insurance, [hyperlink, http://www.gao.gov/products/GAO-15-28]. Washington, D.C.: October 29, 2014. Climate Change: USDA's Ongoing Efforts Can Be Enhanced with Better Metrics and More Relevant Information for Farmers, [hyperlink, http://www.gao.gov/products/GAO-14-755]. Washington, D.C.: September 16, 2014. Ocean Acidification: Federal Response Under Way, but Actions Needed to Understand and Address Potential Impacts, [hyperlink, http://www.gao.gov/products/GAO-14-736]. Washington, D.C.: September 12, 2014. Budget Issues: Opportunities to Reduce Federal Fiscal Exposures Through Greater Resilience to Climate Change and Extreme Weather, [hyperlink, http://www.gao.gov/products/GAO-14-504T]. Washington, D.C.: July 29, 2014. Climate Change Adaptation: DOD Can Improve Infrastructure Planning and Processes to Better Account for Potential Impacts, [hyperlink, http://www.gao.gov/products/GAO-14-446], Washington, D.C.: May 30, 2014. Disaster Resilience: Actions are Underway, but Federal Fiscal Exposure Highlights the Need for Continued Attention to Longstanding Challenges, [hyperlink, http://www.gao.gov/products/GAO-14-603T]. Washington, D.C.: May 14, 2014. Extreme Weather Events: Limiting Federal Fiscal Exposure and Increasing the Nation's Resilience, [hyperlink, http://www.gao.gov/products/GAO-14-364T]. Washington, D.C.: February 12, 2014. Climate Change: Energy Infrastructure Risks and Adaptation Efforts, [hyperlink, http://www.gao.gov/products/GAO-14-74]. Washington, D.C.: January 31, 2014. Climate Change: Federal Efforts Under Way to Assess Water Infrastructure Vulnerabilities and Address Adaptation Challenges, [hyperlink, http://www.gao.gov/products/GAO-14-23]. Washington, D.C.: November 14, 2013. Climate Change: Various Adaptation Efforts Are Under Way at Key Natural Resource Management Agencies, [hyperlink, http://www.gao.gov/products/GAO-13-253]. Washington, D.C.: May 31, 2013. Climate Change: Future Federal Adaptation Efforts Could Better Support Local Infrastructure Decision Makers, [hyperlink, http://www.gao.gov/products/GAO-13-242]. Washington, D.C.: April 12, 2013. [End of section] Management of Federal Oil and Gas Resources: Why Area Is High Risk: Our work has shown that management of federal oil and gas resources was a high-risk area and we added it to the High Risk List in 2011. We identified challenges in the Department of the Interior's (Interior) management of oil and gas on leased federal lands and waters. We found that Interior (1) did not have reasonable assurance that it was collecting its share of revenue from oil and gas produced on federal lands and waters; (2) continued to experience problems hiring, training, and retaining sufficient staff to provide oversight and management of oil and gas operations on federal lands and waters; and (3) was undertaking a major challenging reorganization of its oversight of both its offshore oil and gas management and revenue collection functions. In 2013, we concluded that Interior had fundamentally completed its reorganization. Accordingly, the high-risk area was narrowed to Interior's revenue collection and human capital challenges. Federal oil and gas resources provide an important source of energy for the United States; create jobs in the oil and gas industry; and generate billions of dollars annually in revenues that are shared between federal, state, and tribal governments. Interior reported collecting approximately $48 billion from fiscal year 2009 through 2013 from royalties and other payments companies made. This makes oil and gas resources one of the federal government's largest nontax source of revenue. Also, the explosion onboard the Deepwater Horizon and oil spill in the Gulf of Mexico in April 2010 emphasized the importance of Interior's management of permitting and inspection processes to ensure operational and environmental safety. Historically, Interior's Bureau of Land Management (BLM) managed onshore federal oil and gas activities while the Minerals Management Service managed offshore activities and collected royalties for all leases. Interior completed its restructuring of its oil and gas program in 2011, transferring offshore oversight responsibilities to two new bureaus--the Bureau of Ocean Energy Management (BOEM) and the Bureau of Safety and Environmental Enforcement (BSEE)--and assigning the revenue collection function to a new Office of Natural Resources Revenue. This restructuring did not include BLM's management of onshore federal oil and gas activities. What GAO Found: Figure: Management of Federal Oil and Gas Resources: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Interior's leadership has demonstrated a commitment to addressing its weaknesses in revenue collection and human capital, while partially meeting the four remaining criteria. For example, in November 2014, senior Interior officials told us that the agency has implemented a number of strategies and corrective measures to address its revenue collection weaknesses and human capital challenges. Royalty Determination and Collection: Interior has demonstrated leadership commitment towards addressing its revenue collection weaknesses and has partially met the remaining four criteria. Figure: Management of Federal Oil and Gas Resources: [Refer to PDF for image: star illustration] Royalty determination and collection: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership commitment. Interior's leadership has demonstrated its commitment towards addressing revenue collection weaknesses. For example, Interior's Office of Natural Resources Revenue (ONRR) established a Data Mining Services Group to help identify potentially erroneous data submitted by companies paying royalties. ONRR is also studying whether if it can more efficiently obtain oil and gas production data from companies through automating data collection from metering systems. Capacity. Interior's capacity to address weaknesses in revenue collection is uneven. In recent years, Interior has hired offshore inspection staff to focus primarily on oil and gas measurement inspections. Based on ongoing work, we found that BSEE came close to meeting its annual oil and gas production verification inspection goals in the Gulf of Mexico for fiscal years 2009 through 2013. On the other hand, for the same time frame, we found that BLM did not meet its oil and gas production inspection goals, and that officials attributed this, in part, to insufficient inspection staff. Additionally, we have made a number of recommendations to BLM related to updating or revising its oil and gas measurement regulations and policies. However, BLM officials told us that, due to limited staff and competing rulemaking priorities--for example, issuing regulations addressing hydraulic fracturing--it has been unable to issue revised regulations. Interior most recently estimated that it would issue revised oil and gas measurement regulations in the third quarter of fiscal year 2016. Action Plan. Interior has plans in place to continue implementing our recommendations aimed at correcting weaknesses in its revenue collection policies and practices. In November 2014, Interior provided a briefing document specifying goals and time frames for several areas related to these weaknesses. For example, in December 2013, we recommended that BLM issue revised regulations that would provide it with greater flexibility in setting royalty rates to better ensure that the public is receiving a fair return from the production of oil and gas from federal leases. In November 2014, Interior stated that it plans to begin addressing this issue some time in fiscal year 2015 through issuance of an advanced notice for proposed rulemaking. Interior's briefing document also specified other goals and time frames for completing a study on automating data collection from production metering systems, and for establishing procedures on when to conduct a periodic assessment of its fiscal system. The latter of these two actions will better ensure the government is receiving a fair return on the production of oil and gas from federal leases. Monitoring. Interior has several efforts in place to monitor its performance to address revenue collections weaknesses. For example, Interior's November 2014 briefing document demonstrated that it is tracking its implementation of Inspector General recommendations as well as our recommendations related to our high-risk findings. Additionally, Interior's briefing document indicates it has established milestones for a number of actions, including updating oil and gas measurement regulations. However, in our ongoing work, we found that BLM did not schedule or complete a planned internal review within one year of newly issued oil and gas guidance to assess its overall effectiveness after its implementation by BLM staff in its field offices. The new guidance outlines criteria for approving "commingling" requests--requests to combine oil or gas from public, state, or private leases prior to the point of royalty measurement-- and identifies considerations for determining whether commingling is in the public interest. This includes ensuring that BLM has the ability to verify that production is accurately measured and properly reported. By not scheduling and completing a review of the effectiveness of the new commingling guidance after its implementation, BLM does not have reasonable assurance that its staff are consistently applying the new guidance and that staff are able to verify production. Demonstrated Progress. Interior has demonstrated considerable progress in addressing weaknesses in its revenue collection policies and practices. For example, in our ongoing work, we found that Interior had implemented a majority of the 36 recommendations we made since 2008 addressing revenue collection weaknesses, including those related to oil and gas production verification and royalty data. Human Capital Challenges: Figure: Management of Federal Oil and Gas Resources: [Refer to PDF for image: star illustration] Human capital challenges: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Interior has demonstrated its leadership commitment towards addressing its human capital challenges at the bureaus responsible for oversight and management of federal oil and gas, and has partially met the four additional criteria. Leadership commitment. In January 2014, we recommended that Interior explore the expanded use of hiring incentives and systematically collect and analyze hiring data. We found that Interior's hiring and retention challenges were largely due to lower salaries and a slow hiring process compared with similar positions in industry. The fiscal year 2012 attrition rate for petroleum engineers at BLM was more than 20 percent, or more than double the average federal attrition rate of 9.1 percent. The attrition rate for other key oil and gas staff was lower but still a challenge because some field offices had only a few employees in any given position, and a single separation could significantly affect operations. According to Interior officials, these challenges made it more difficult to carry out oversight activities, including conducting production facility inspections, in some field offices. Interior agreed with our recommendations and stated that the bureaus have begun a more systematic collection and analysis of hiring data to identify causes for delays and to expedite the hiring process. In November 2014, Interior senior leaders briefed us on their commitment to address the department's human capital challenges. Capacity. For fiscal years 2012 and 2013, Congress provided funds to BOEM and BSEE in the Gulf of Mexico to establish higher minimum pay rates--up to a 25 percent increase--for key positions, including geophysicists, geologists, and petroleum engineers. This authority was subsequently extended through fiscal year 2015. However, it is uncertain how Interior will address staffing shortfalls over time unless these funding authorities continue. Action Plan. In 2010, we found that Interior's bureaus experienced high turnover rates in key oil and gas inspection and engineering positions. As a result, Interior faces challenges meeting its oil and gas oversight responsibilities, potentially placing both the environment and royalties at risk. After Interior reorganized its offshore management of oil and gas, it developed plans to hire additional staff with expertise in inspections and engineering. However, as of January 2014, its plans had not been fully implemented. Monitoring. We found that Interior and the three bureaus had taken some actions to address these challenges, but had not fully used their existing authorities to supplement salaries and provide other recruitment, relocation, and retention incentives. Additionally, Interior records showed that the average time required to hire petroleum engineers and inspectors generally exceeded 120 calendar days--much longer than OPM's target of 80 calendar days. The department and bureaus had taken some steps to reduce hiring times, but did not have complete and accurate data to identify the causes of delays in the hiring process. Without reliable data, Interior's bureaus cannot effectively implement changes to expedite the hiring process. In November 2014, Interior senior officials told us that BOEM, BSEE, and BLM are developing and implementing a tracking system to support the accurate capture of hiring data and address delays in the hiring process. Additionally, officials told us that BSEE and BOEM are developing plans to transition to a hiring software that is expected to reduce applicant processing time and decrease costs. Once Interior has the systems in place to capture accurate data on hiring, the department will be able to monitor hiring times and the causes of delays in the hiring process. Demonstrated Progress. In March 2010, we found Interior had not consistently provided appropriate training for offshore inspection and engineering staff. In July 2012, we found that Interior was creating a new training program for its offshore inspection and engineering staff. We also found that Interior has made progress in providing its inspectors and engineers with standardized training. What Remains to Be Done: Interior has partially met the criteria to address the revenue collection and human capital challenges we identified, and has implemented some of the recommendations we made. However, Interior needs to do more to meet its responsibilities to manage federal oil and gas resources and to maintain leadership commitment in addressing the remaining four criteria. Capacity. To address its revenue collection challenges, Interior will need to identify the staffing resources necessary to consistently meet its annual goals for oil and gas production verification inspections. It will also need to complete updates to oil and gas measurement and onshore royalty rate regulations, among other actions. To address its human capital challenges, Interior needs to consider how it will address staffing shortfalls over time in view of continuing hiring and retention challenges. Action Plan. To address its revenue collection challenges, Interior needs to continue meeting its time frames for updating regulations related to oil and gas measurement and onshore royalty rates, among other actions. To address its human capital challenges, Interior needs to implement its plans to hire additional staff with expertise in inspections and engineering. Monitoring. To address its revenue collection challenges, Interior needs to provide reasonable assurance that oil and gas produced from federal leases is accurately measured and that the federal government is getting an appropriate share of oil and gas revenues. To address its human capital challenges and to reduce hiring times, Interior needs to ensure that it collects and maintains complete and accurate data on hiring times--such as the time required to prepare a job description, announce the vacancy, create a list of qualified candidates, conduct interviews, and perform background and security checks--to effectively implement changes to expedite its hiring process. Demonstrated Progress. To address its revenue collection challenges, Interior needs to continue to effectively implement our related recommendations as outlined in the areas above. To address its human capital challenges, Interior must continue to show progress in hiring, retaining, and training inspectors and engineers. GAO Contact: For additional information about this high-risk area, contact Frank Rusco at (202) 512-3841 or ruscof@gao.gov. Related GAO Products: Oil and Gas: Updated Guidance, Increased Coordination, and Comprehensive Data Could Improve BLM's Management and Oversight. [hyperlink, http://www.gao.gov/products/GAO-14-238]. Washington, D.C.: May 5, 2014. Oil and Gas Management: Continued Attention to Interior's Human Capital Challenges Is Needed. [hyperlink, http://www.gao.gov/products/GAO-14-394T]. Washington, D.C.: February 27, 2014. Oil and Gas: Interior Has Begun to Address Hiring and Retention Challenges but Needs to Do More. [hyperlink, http://www.gao.gov/products/GAO-14-205]. Washington, D.C.: January 31, 2014. Oil and Gas Resources: Actions Needed for Interior to Better Ensure a Fair Return. [hyperlink, http://www.gao.gov/products/GAO-14-50]. Washington, D.C.: December 6, 2013. Oil and Gas Management: Interior's Reorganization Complete, but Challenges Remain in Implementing New Requirements. [hyperlink, http://www.gao.gov/products/GAO-12-423]. Washington, D.C.: July 30, 2012. [End of section] Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance: Why Area Is High Risk: The United States continues to recover in the aftermath of the worst financial crisis in more than 75 years. To stabilize the financial system, unprecedented federal support was provided to many firms, including Fannie Mae and Freddie Mac, two large, housing-related government-sponsored enterprises (the enterprises). Many households suffered as a result of falling asset prices, tightening credit, and increasing unemployment. These events clearly demonstrated that the U.S. financial regulatory system was in need of significant reform. As a result, we designated reform of the financial regulatory system as a high-risk area in 2009.[Footnote 122] Also, in the years since the crisis began, the federal government has directly or indirectly supported over three-quarters of the value of new mortgage originations in the single-family housing market. Mortgages with federal support include those backed by the enterprises, which were placed under government conservatorship in 2008, and whose future role has yet to be determined. The federal government also supports mortgages through the insurance programs of the Federal Housing Administration (FHA), which has experienced substantial growth in its insurance portfolio and significant financial difficulties. Until decisions are made as to what role the federal government will play in housing finance, housing and mortgage markets may continue to pose increased risks to taxpayers and the U.S. financial system. In light of developments concerning the enterprises and FHA, we added this issue to the scope of this high-risk area in 2013. What GAO Found: Figure: Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Congress and financial regulators have made progress in meeting the criteria for removal from our High Risk List regarding reforming the U.S. financial regulatory system. However, definitive steps have yet to be taken to address the federal government's role in housing finance. Demonstrating leadership commitment and capacity, Congress enacted sweeping reforms in 2010 through the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and regulators have worked to implement the act's numerous reforms. Continued leadership commitment will be needed to fully implement the reforms. Moreover, additional work is needed to complete action plans, monitor progress, and demonstrate the effectiveness of new rulemakings and regulatory bodies. Policymakers have made proposals to overhaul the federal government's role in the housing finance system, but additional leadership commitment will be needed to reach consensus and enact changes to the system. The ongoing federal conservatorship of the enterprises and FHA's financial challenges underscore the need for reconsideration of the federal role. Federal agencies have taken some steps to develop plans, build capacity, and provide monitoring mechanisms that could help build a more robust housing finance system. However, progress toward resolution of the federal government's role within that system will be difficult to achieve without an overall blueprint for change. In the decades leading up to the recent crisis, the U.S. financial regulatory system failed to adapt to significant changes. First, although the U.S. financial system had increasingly become dominated by large, interconnected financial conglomerates, no single regulator was tasked with monitoring and assessing the risks that these firms' activities posed across the entire financial system. Second, various entities--such as nonbank mortgage lenders, hedge funds, and credit rating agencies--that had come to play critical roles in the financial markets were not subject to sufficiently comprehensive regulation and oversight. Third, the regulatory system was not effectively providing key information and protections for new and more complex financial products for consumers and investors. Taking steps to better position regulators to oversee firms and products that pose risks to the financial system and consumers and to adapt to new products and participants as they arise could reduce the likelihood that the financial markets will experience another financial crisis similar to the one in 2007-2009. Losses from risky mortgage products also resulted in the enterprises being placed into government conservatorship in 2008, creating an explicit fiscal exposure for the federal government. The enterprises received more than $187 billion in financial assistance from Treasury through purchases of senior preferred stock, but have paid more than $200 billion in dividends to Treasury under the stock purchase agreements. Distressed housing and mortgage markets also expanded FHA's role in the mortgage market, while leading to deterioration in the agency's financial condition. Actions Taken to Implement and Ensure the Effective Functioning of Regulations and New Financial Regulatory Bodies: Figure: Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance: [Refer to PDF for image: star illustration] Implementation and effective functioning of regulations and new financial regulatory bodies: Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership commitment: Policymakers and regulators have partially met the leadership criterion for removal from the high-risk list. Since the crisis, policymakers and regulators have shown leadership commitment by enacting and implementing the Dodd-Frank Act, which included a range of reforms intended to better position the financial regulatory system to address many of the risks that we identified. For example, a new Financial Stability Oversight Council (FSOC) that includes various financial regulators was created to, among other things, monitor the stability of the U.S. financial system and take actions to mitigate risks that might destabilize the system. In addition, the act consolidated responsibility for consumer financial protection laws into a new bureau known as the Consumer Financial Protection Bureau (CFPB). However, reforms in various areas, including rules addressing some mortgage disclosures or over-the-counter derivatives reforms, have yet to be fully implemented. Capacity: Regulators have partially met the capacity criterion for removal from the High Risk List. Regulators have made considerable progress in finalizing the rulemakings necessary to implement the regulatory reforms. As of November 2014, regulators had issued final rules for 146 (62 percent) of the 236 provisions of the act that we identified as requiring regulators to issue rulemakings. In the last 2 years, financial regulators have made progress in completing rulemakings in various areas. For example, the Commodity Futures Trading Commission has finalized 90 percent of the rules relating to the trading of swaps and other derivatives that were required by the act. CFPB also issued a key rule--which became effective in January 2014--requiring mortgage lenders to consider consumers' ability to repay home loans before extending them credit. Additionally, in October 2014, several agencies completed a joint rulemaking that identifies the types of mortgages for which the entities that pool mortgage loans and issue securities based on the loans' cash flows will be required to retain a portion of the loans' credit risk. We have also reported that delays in completing rules sometimes arose because the large volume of required rules strained regulators' capacities or because of the need to coordinate complicated rulemakings across multiple regulators or with international counterparts. Action plans and monitoring: Regulators have made some progress in developing action plans for completing reforms and for monitoring implementation progress--both criteria for removal from the high-risk list. Regulators have described developing priorities for more important rules and for completing rules necessary to be in place to accommodate later rulemakings. In 2010, FSOC published an integrated implementation road map that included a list of the rules regulators were required to promulgate and a time line for the agencies involved in rulemakings. It also developed a consultation framework that established time frames for coordination activities among agencies where interagency consultation was required by the Dodd-Frank Act. However, we reported previously that these documents have limited usefulness to facilitate coordination among agencies. In the absence of a strategic plan, FSOC's annual reports serve as the council's key accountability document, as each report discusses the progress regulators have made in implementing reforms, identifies threats that are newly emerging and includes recommended actions to address them. However, we have identified the need for FSOC to improve its processes for identifying and prioritizing potential emerging threats to financial stability in its reports. In addition, the financial regulators are required (under various statutes) to conduct retrospective analyses of the impact of their rules, but have yet to include the rules completed under the Dodd-Frank Act in these planned analyses. Finally, regulators have shown diligence in reviewing resolution plans, otherwise known as "living wills," and in conveying continued shortcomings and concerns with the initial plans submitted. Accordingly, large banking institutions are instructed to further develop and refine contingency plans for their orderly resolution by July 2015 to better protect the U.S. financial system stability against serious adverse effects from a potential failure. Demonstrated Progress: Regulators have partially met the demonstrated progress criterion for removal from the high-risk list. For example, since the financial crisis, the newly-created regulatory bodies have been taking actions to carry out their missions. FSOC has held numerous meetings and has issued various congressionally-mandated studies and multiple annual reports addressing market and regulatory developments across the financial system. FSOC has also developed some mechanisms for monitoring threats to the U.S. financial system. As of September 2014, it had also designated various financial market utilities (which perform key functions in the financial system) and four nonbank financial companies for enhanced prudential standards and supervision by the Board of Governors of the Federal Reserve (Federal Reserve). To date, OFR has provided analyses to FSOC, has issued reports, and has assisted with an effort to develop a global legal entity identifier standard--which will provide unique identifying numbers to parties to financial transactions and should assist in resolving troubled firms and provide other benefits. Since commencing operations in 2011, CFPB has issued a number of rules, including those relating to mortgages and international money transfers. This agency has also been conducting examinations of the entities it oversees, including large banks and credit reporting agencies. In addition, it has taken enforcement actions against numerous institutions, obtaining a total of over $2.2 billion of redress for consumers and penalties from various financial institutions since 2012. Progress has also been made to reduce the potential systemic implications of certain concentrations of credit risks that were not addressed by the Dodd-Frank Act. Regulators have been working to reduce the potential for serious problems arising from the failure of one of the two clearing banks that provide credit to facilitate transactions in the tri-party repurchase (repo) market that provides short-term funding to many financial institutions. FSOC's 2014 annual report noted that an influx of customer deposits has reduced banks' dependence on such short-term funding, but some securities broker- dealers continue to primarily fund themselves in these markets. The Federal Reserve has worked with the two clearing banks to reduce their problematic credit exposures. Actions Taken to Resolve the Federal Role in Housing Finance: Figure: Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance: [Refer to PDF for image: star illustration] Resolution of the role of the federal government in housing finance: : Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership Commitment: Policymakers have shown some leadership commitment in resolving the federal role in housing finance. For example, in 2013 and 2014, several legislative proposals were introduced to change the housing finance system. These proposals ranged from a major overhaul of both the primary and secondary mortgage markets to more specific measures aimed at improving FHA's financial condition. In addition, these proposals varied in their views on the appropriate role for the federal government in a new housing finance system. As of December 2014, none of the proposals had passed either the House of Representatives or the Senate. For their part, FHA and FHFA have also demonstrated commitment to strengthen the financial condition of FHA and the housing enterprises. Further, FHFA has undertaken efforts to harmonize enterprise securitization and to put in place a common securitization platform that might be used under a reformed housing finance system. Finally, financial regulators have finalized rules defining qualified mortgages and qualified residential mortgages, which will be important in clarifying mortgage safeguards. Capacity: While it is too early to know what capacity the federal government will require in a future housing finance system, FHA has made some progress in strengthening its financial capacity. As we have previously reported, FHA's Mutual Mortgage Insurance (MMI) Fund has been out of compliance with its statutory 2-percent capital requirement since fiscal year 2009. Additionally, a weakening in the projected performance of FHA-insured mortgages led to FHA receiving $1.68 billion from the Treasury at the end of fiscal year 2013, to ensure that the MMI Fund had sufficient funds to pay for all expected future losses on existing insurance obligations. FHA has taken a number of steps to restore its financial health. For example, FHA has adjusted its insurance premiums multiple times since 2009, and in 2013 it began requiring new borrowers to continue paying annual insurance premiums regardless of their loan balance. In 2010, FHA also increased down-payment requirements for borrowers with lower credit scores. Further, FHA has taken steps to mitigate losses by revising guidelines on home retention options for struggling borrowers and by implementing cost-effective alternatives for disposing of nonperforming loans and foreclosed properties. While FHA's capital ratio is still below the required level, in November 2014, FHA reported that its capital ratio was positive (0.41 percent) for the first time since 2011. Further, we have made recommendations to FHA, including actions designed to increase returns on foreclosed properties, which could help strengthen FHA's financial position. FHA has begun to address a number of these recommendations. Action Plans: Although fundamental changes to the housing finance system have yet to be enacted, federal agencies have taken some planning steps to help resolve the federal role in housing finance. Some of these actions have addressed the role of the two housing enterprises, which have continued to support more than half the total value of new single-family mortgage loans while operating under federal conservatorship. Specifically, * in February 2011, the Treasury and the Department of Housing and Urban Development issued a plan that outlines a vision for the government's role in housing finance, including reducing the activities of the two enterprises over time, until they are eventually wound down completely. * in 2012 and 2014, the Federal Housing Finance Agency (FHFA), which oversees the enterprises' operations, issued plans that identified strategic goals for the next phase of conservatorship for Fannie Mae and Freddie Mac. The goals in the 2014 plan are maintaining credit availability and foreclosure prevention activities in the housing finance market in a safe and sound manner, reducing taxpayer risk through increasing the role of private capital in the mortgage market, and building a new infrastructure for the secondary mortgage market. * to help build a new infrastructure for the secondary mortgage market, FHFA directed the enterprises in 2012 to develop a new mortgage securitization platform that would replace the enterprises' proprietary systems and that could be used by multiple securities issuers to process payments and perform other functions. The enterprises have made progress on several aspects of the securitization platform, including the development of software, but development and implementation challenges remain. * in June 2014, Treasury invited public comment on the role of the private-label market for mortgage-backed securities in the current and future housing finance system as a way to help resolve issues impeding the revival of that market. Monitoring: Federal agencies have also taken initial steps to provide the types of monitoring that will be needed to assess the impact of changes to the housing finance system when they occur. For example, CFPB and FHFA have strategic plans that call for monitoring different aspects of the mortgage market, such as emerging risks and consumer access. In addition, FHFA has jointly funded an initiative with CFPB to build a national mortgage database that would contain data fields that could be useful for examining the effect of mortgage market reforms. Demonstrated Progress: Overall progress on resolving the federal role in housing finance will be difficult to achieve until Congress provides further direction by enacting changes to the housing finance system. Federal agencies have begun taking some planning, capacity building, and monitoring steps. Among these are actions mentioned above to strengthen the financial condition of FHA and the housing enterprises. FHFA and FHA have also taken steps to monitor their progress in these efforts by reporting on their financial condition and activities. Further, Treasury and HUD have combined to report routinely on the condition of the housing market through their housing market scorecard. Nonetheless, because an overall blueprint for the future of the federal role in housing finance and the specific roles to be played by these institutions has not been determined, assessing progress against any specific goal is not yet possible. What Remains to Be Done: While progress has been made on different aspects of modernizing the financial regulatory system and the federal role in housing finance, additional work is needed. Actions Needed to Complete and Ensure the Effective Functioning of Reforms to the U.S. Financial Regulatory System: Continued leadership commitment is needed to ensure that the financial regulators complete the implementation of the Dodd-Frank rulemaking. Although regulators have finalized 62 percent of the 236 rules the Dodd-Frank Act required, some rules have effective dates such that the affected financial institutions may not have to begin complying with these provisions until sometime in 2015 or later. Furthermore, 66 rules--28 percent of the total required--have only been issued in proposed form and have yet to be finalized. Finally, regulators have not yet issued any rulemakings for the remaining 24 actions (10 percent) required under the act. Moreover, even after being finalized, some Dodd-Frank rules, or parts of certain rules, are yet to go into effect. For example, the Dodd- Frank Act prohibits insured depository institutions and any company affiliated with an insured depository institution from engaging in proprietary trading and from acquiring or retaining ownership interests in, sponsoring, or having certain relationships with a hedge fund or private equity fund. The regulators issued a final rule adopting this prohibition in January 2014. However, in December 2014, the Federal Reserve announced that banking entities would have until July 21, 2016, to conform investments in and relationships with covered funds and foreign funds that were in place prior to December 31, 2013 ("legacy covered funds").[Footnote 123] Similarly, although the regulators adopted higher capital requirements for banks in October 2013, some provisions are not fully effective until January 2019. Leadership commitment to completing and implementing Dodd-Frank Act rules will be required, given competing demands on the regulators, pressure from some market participants to delay or forgo certain reforms, and the inertia of maintaining the status quo as we move farther from the period of the financial crisis. FSOC may need to become involved if individual regulators experience problems or unnecessary delays in finalizing the remaining rules. Regulators must also demonstrate additional leadership and capacity to make progress in ensuring the effectiveness of the financial reforms being implemented. Importantly, the recent financial crisis highlighted the lack of an agency or mechanism responsible for monitoring and addressing risks across the financial system, as well as a shortage of timely information to facilitate that oversight. FSOC was charged with (among other things) systemic risk monitoring. However, it continues to lack a comprehensive approach for identifying and addressing threats to financial stability. As we reported in 2012 and 2014, the current mechanisms may facilitate analysis of risks through interagency discussions and responses, but may not help to identify new risks or threats that FSOC member agencies have not already identified on their own. We have also recommended that FSOC and OFR clarify responsibility for monitoring threats to financial stability between their two agencies, including addressing the role of FSOC member agencies, to better ensure that the monitoring and analysis of the financial system are comprehensive and not unnecessarily duplicative. OFR continues to work to develop indicator- driven tools to assess risks to the financial system, but until such tools are finalized and used, FSOC cannot be assured that it is fully informed about critical vulnerabilities in the financial system. Demonstrated progress is also needed to ensure the effectiveness of reforms addressing the resolution of troubled firms. Although the unprecedented support provided to financial institutions to stabilize financial markets during the financial crisis helped to avert a more severe crisis, these actions raised questions about the appropriate scope of government safety nets for financial institutions. We had recommended that the Federal Reserve take steps to ensure timely completion of the development of procedures related to its emergency lending. In January 2014, the Federal Reserve published proposed rules on these procedures, but as of November 2014, it had yet to issue them in final form. Furthermore, although regulators have issued the rules that require financial institutions to develop resolution plans or "living wills" for a rapid and orderly resolution in the event the institution's solvency is threatened, in the summer of 2014, banking regulators instructed firms to improve their resolution plans so that they more realistically reflect the likely financial circumstances that could be faced when a firm fails. Because the global legal entity identifiers will provide important information in resolving a large financial firm failure, OFR should encourage U.S. financial regulators to embed the use of these identifiers into rules and reporting requirements. Additional progress is required to address other risks. Although the Federal Reserve has worked with the two clearing banks for the repo market to reduce their problematic credit exposures, FSOC has acknowledged that policymakers must continue to examine ways to minimize risks from this activity. Similarly, regulators must finalize rules that will implement heightened governance requirements for derivatives clearinghouses. The regulators must also take actions to monitor the effectiveness of their reform efforts. Regulators are required to conduct retrospective reviews of their rules, which provide opportunities to assess the impact of their rulemaking. However, we found in 2011 that some regulators have not yet developed plans to review their Dodd-Frank rules. We noted that the regulators would be better prepared to undertake reviews if they had identified the needed data before beginning a review and, even better, before promulgating the rule. If regulators fail to plan for how they will measure the performance of their rules and how they will obtain the data they need to do so, they may be limited in their ability to accurately measure the progress or true effect of the rules. More recently, FSOC told us that it planned to assess the impact of its rules in a recurring requirement under the Dodd-Frank Act to study the economic impacts of regulatory limitations, which is next due no later than January 2016. FSOC said this study could be the appropriate mechanism to study the impact of its designations of nonbank financial companies for enhanced prudential supervision by the Federal Reserve. Given that the designations will likely have important benefits and costs for the designated firms--which will become subject to a number of other rules from multiple regulators--and potentially the nation's economy, we recommended in 2012 that FSOC study the impact of its designation process. FSOC has not started planning for this study. In 2014, we examined the process FSOC is using to determine which nonbank entities are sufficiently systemically important to subject them to enhanced supervision by the Board of Governors of the Federal Reserve System. We recommended that FSOC take several steps to enhance the accountability and transparency of its determination process, such as tracking key evaluation information, including additional details in public documentation about the rationale for determination decisions, and establishing procedures to evaluate companies under the different statutory determination standards. Finally, FSOC's annual reports could be used to demonstrate progress in implementing reforms and to provide action plans for moving forward. However, we reported in 2012 that these reports do not explicitly prioritize the recommendations the council has made to address emerging threats. As a result, determining which of the already-recognized threats are most likely to have severe outcomes and how decision makers should best act to address them is more difficult. Improving the detail about these threats and expected actions to address them would also better allow Congress to monitor FSOC's accountability addressing these risks. Actions Needed to Resolve the Federal Role in Housing Finance: Resolving the role of the federal government in housing finance will require continued leadership commitment by Congress and the administration. Due to the interconnected nature of the housing finance system and the central role homeownership plays in the U.S. economy, changes will need to be carefully designed and implemented. In October 2014, we issued a framework consisting of nine elements that Congress and others can use as they consider changes to the housing finance system. The elements are as follows: * clearly defined and prioritized housing finance system goals; * policies and mechanisms that are aligned with goals and other economic policies; * adherence to an appropriate financial regulatory framework; * government entities that have capacity to manage risks; * mortgage borrowers are protected and barriers to mortgage market access are addressed; * protection for mortgage securities investors; * consideration of the cyclical nature of housing finance and impact of housing finance on financial stability; * recognition and control of fiscal exposure and mitigation of moral hazard; and: * emphasis on implications of the transition. Each element in the framework is critically important in establishing the most effective and efficient housing finance system. Applying the elements of this framework would help policymakers identify the relative strengths and weaknesses of any proposals they are considering. Similarly, the framework can be used to craft proposals or to identify changes to existing proposals to make them more effective and appropriate for addressing any limitations of the current system. However, any viable proposal for change will involve choices that recognize that sometimes tradeoffs will exist among and within the nine elements. If Congress enacts changes to the housing finance system, relevant federal agencies will need to develop the capacity and action plans necessary to effectively implement the changes and to monitor progress against their plans. Maintaining FHA's long-term financial health and defining its future role will be a critical part of any overhaul of the housing finance system. We previously recommended that Congress or FHA specify the economic conditions that the MMI Fund would be expected to withstand without drawing on the Treasury. As evidenced by the $1.68 billion FHA received in 2013, the 2-percent capital requirement for FHA's MMI Fund may not always be adequate to avoid the need for Treasury support under severe stress scenarios. Implementing our recommendation would be an important step not only in addressing FHA's long-term financial viability, but also in clarifying FHA's role. GAO Contact: For additional information about this high-risk area, contact A. Nicole Clowers at (202) 512-8678 or clowersa@gao.gov or Mathew Scire at (202) 512-8678 or sciremj@gao.gov. Related GAO Products: Financial Stability Oversight Council: Further Actions Could Improve the Nonbank Designation Process. [hyperlink, http://www.gao.gov/products/GAO-15-51]. Washington, D.C.: November 20, 2014. Housing Finance System: A Framework for Assessing Potential Changes. [hyperlink, http://www.gao.gov/products/GAO-15-131]. Washington, D.C.: October 7, 2014. Financial Stability Oversight Council: Status of Efforts to Improve Transparency, Accountability, and Collaboration. [hyperlink, http://www.gao.gov/products/GAO-14-873T]. Washington, D.C.: September 17, 2014. International Financial Reforms: U.S. and Other Jurisdictions' Efforts to Develop and Implement Reforms. [hyperlink, http://www.gao.gov/products/GAO-14-261]. Washington, D.C.: April 3, 2014. Government Support for Bank Holding Companies: Statutory Changes to Limit Future Support Are Not Yet Fully Implemented. [hyperlink, http://www.gao.gov/products/GAO-14-174T]. Washington, D.C.: January 8, 2014. Dodd-Frank Regulations: Agencies Conducted Regulatory Analyses and Coordinated but Could Benefit from Additional Guidance on Major Rules. [hyperlink, http://www.gao.gov/products/GAO-14-67]. Washington, D.C.: December 11, 2013. FHA Mortgage Insurance: Applicability of Industry Requirements Is Limited, but Certain Features Could Enhance Oversight. [hyperlink, http://www.gao.gov/products/GAO-13-722]. Washington, D.C.: September 9, 2013. Federal Housing Administration: Improving Disposition and Oversight Practices May Increase Returns on Foreclosed Property Sales. [hyperlink, http://www.gao.gov/products/GAO-13-542]. Washington, D.C.: June 20, 2013. Overview of GAO's Past Work on FHA's Single-Family Mortgage Insurance Programs. [hyperlink, http://www.gao.gov/products/GAO-13-400R]. Washington, D.C.: March 7, 2013. Financial Regulatory Reform: Regulators Have Faced Challenges Finalizing Key Reforms and Unaddressed Areas Pose Potential Risks. [hyperlink, http://www.gao.gov/products/GAO-13-195]. Washington, D.C.: January 23, 2013. Financial Regulatory Reform: Financial Crisis Losses and Potential Impacts of the Dodd-Frank Act. [hyperlink, http://www.gao.gov/products/GAO-13-180]. Washington, D.C.: January 16, 2013. Financial Institutions: Causes and Consequences of Recent Bank Failures. [hyperlink, http://www.gao.gov/products/GAO-13-71]. Washington, D.C.: January 3, 2013. [End of section] Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability: Why Area Is High Risk: Amid challenging economic conditions, a changing business environment, and declining mail volumes, the U.S. Postal Service (USPS) continues to be in a serious financial crisis, with insufficient revenues to cover its expenses and financial obligations. Mail volume has declined by 27 percent from its peak--213 billion pieces--in fiscal year 2006 to about 155 billion pieces in fiscal year 2014. Further, volume for First-Class Mail, USPS's most profitable product, has declined by 35 percent since 2006 and is expected to continue declining. This volume trend exposes weaknesses in USPS's business model, which has relied on mail volume growth to help cover USPS expenses. Even though USPS has reduced its costs by $8 billion over the past 2 years and revenue has increased for other products, such as shipping and package services, it ended fiscal years 2013 and 2014 with net losses of $5 billion and $5.5 billion, respectively. USPS actions to improve its financial condition have been limited in part by legal requirements, such as those related to changing the frequency of mail delivery and closing unneeded facilities. In July 2009, we added USPS's financial condition to the list of high-risk areas needing attention by Congress and the executive branch to achieve broad-based restructuring. What GAO Found: Figure: Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] USPS has partially met all five of the criteria for removal from the High Risk List. USPS has demonstrated leadership commitment, updated its 5-year business plan, monitored and reported on its progress in taking actions to reduce its costs, the size of its workforce, and its mail processing infrastructure, as well as improve productivity and increase revenues from package shipments. However, even though the decline in mail volume and revenue has slowed, USPS continues to face great uncertainty and risk related to its financial condition. Mail volume is highly sensitive to economic changes and the profit margin on packages is much lower as compared to First-Class Mail. Further, USPS is limited in its ability to resolve all of its financial difficulties, in part, due to statutory limitations, such as a provision in USPS's annual appropriations that prevents it from reducing mail delivery service from 6 to 5 days per week. USPS's business plan also identified specific legislative changes needed for USPS to return to long-term financial health. But, the 113th Congress did not pass proposed comprehensive postal reform legislation. USPS has improved its financial condition. However, it is not on a sustainable path. USPS has suffered 8 consecutive years of net losses and has been unable to cover the costs of its financial obligations. USPS did not make its legally-required retiree health benefit prefunding payments totaling $22.4 billion for the last 4 years. At the end of fiscal year 2014, USPS had about $102 billion in unfunded liabilities: $87 billion in unfunded liabilities for benefits, including retiree health, pension, and workers' compensation liabilities, and $15 billion in outstanding debt to the U.S. Department of the Treasury--the statutory debt limit. These unfunded liabilities are a large and growing financial burden, increasing from 83 percent of USPS revenues in fiscal year 2007 to 150 percent of revenues in fiscal year 2014. Unfunded benefit liabilities represent estimated future benefit payments to current and retired employees for which USPS has not set aside sufficient money to pay. Further, of USPS's $67.8 billion in total revenue in fiscal year 2014, about $1.4 billion was due to USPS's first time use of pricing authority granted in 2006. The Postal Accountability and Enhancement Act established an inflation-based price-cap system, which authorized an additional surcharge under certain extraordinary or exceptional circumstances. To compensate for recession-driven losses, USPS added a 4.3 percent surcharge to a 1.7 percent inflation-based price increase implemented in January 2014. Mailers have raised concerns about the use of, duration, and uncertainty associated with this pricing surcharge. Litigation regarding the surcharge is ongoing. USPS urgently needs to restructure to reflect changes in its customers' use of the mail, align its costs with revenues, generate sufficient funding for capital investment, and manage its debt (see table 6). Table 6: USPS Financial Results, Fiscal Years 2006 through 2014: Fiscal year 2006: Net income: $0.9 billion; Year-end debt: $2.1 billion; Total mail volume: 213 billion. Fiscal year 2007: Net income: ($5.1 billion); Year-end debt: $4.2 billion; Total mail volume: 212 billion. Fiscal year 2008: Net income: ($2.8 billion); Year-end debt: $7.2 billion; Total mail volume: 203 billion. Fiscal year 2009: Net income: ($3.8 billion); Year-end debt: $10.2 billion; Total mail volume: 177 billion. Fiscal year 2010: Net income: ($8.5 billion); Year-end debt: $12.0 billion; Total mail volume: 171 billion. Fiscal year 2011: Net income: ($5.1 billion); Year-end debt: $13.0 billion; Total mail volume: 168 billion. Fiscal year 2012; Net income: ($15.9 billion); Year-end debt: $15.0 billion; Total mail volume: 160 billion. Fiscal year 2013: Net income: ($5.0 billion); Year-end debt: $15.0 billion; Total mail volume: 158 billion. Fiscal year 2014: Net income: ($5.5 billion); Year-end debt: $15.0 billion; Total mail volume: 155 billion. Source: USPS. GAO-15-290. Note: Congress reduced USPS's retiree health benefit prefunding payment by $4 billion in fiscal year 2009, and delayed its $5.5 billion prefunding payment for fiscal year 2011 until August 2012. USPS did not make the prefunding payments totaling $22.4 billion for fiscal years 2011 through 2014. Also, USPS has reached its $15 billion statutory debt limit. [End of table] We have issued a number of reports that included strategies and options for USPS to generate revenue, reduce costs, increase the efficiency of its delivery operations, and restructure the funding of USPS pension and retiree health benefits. USPS has already acted on many of these strategies and options. It updated its 5-year business plan in April 2013 with specific actions to close a projected $20 billion gap between its costs and revenues by 2017. Also, USPS monitored and reported on the actions it took in fiscal years 2013 and 2014 to implement parts of the plan that did not require congressional action. These actions included reducing its career workforce by about 40,000 employees and closing 99 mail processing facilities as a result of consolidating its mail processing network. We have also reported that USPS's actions alone under its existing authority will be insufficient to achieve sustainable financial viability and that comprehensive legislation is urgently needed. USPS has asked Congress to restructure the funding of its pension and retiree health benefit obligations and allow it to reduce the frequency of mail delivery from 6 to 5 days per week. Both the House of Representatives and Senate oversight committees passed postal reform legislation in the 113th Congress. But, the full Congress did not pass either bill. The President's fiscal year 2013 and 2014 budget requests also proposed postal reforms, including restructuring USPS pension and retiree health benefit funding and giving USPS the authority to reduce mail delivery frequency from 6 to 5 days. What Remains to Be Done: Congress and USPS need to reach agreement on a comprehensive package of actions that Congress can pass to improve USPS's financial viability, including (1) modifying USPS's retiree health benefit payments in a fiscally responsible manner; (2) facilitating USPS's ability to better align costs with revenues; and (3) requiring any binding arbitration in the negotiation process for USPS labor contracts to take USPS's financial condition into account. USPS also needs to continue taking action to reduce costs related to its operations, workforce, and facilities, as well as increase revenues so that it can eliminate its net losses, repay its debt, and generate capital for investments, such as replacing its aging vehicle fleet. GAO Contact: For additional information about this high-risk area, contact Lori Rectanus at (202) 512-2834 or rectanusl@gao.gov. Related GAO Products: U.S. Postal Service: Status of Workforce Reductions and Related Planning Efforts. [hyperlink, http://www.gao.gov/products/GAO-15-43]. Washington, D.C.: November 13, 2014. U.S. Postal Service: Delivery Mode Conversions Could Yield Large Savings, but More Current Data Are Needed. [hyperlink, http://www.gao.gov/products/GAO-14-444]. Washington, D.C.: May 12, 2014. U.S. Postal Service: Action Needed to Address Unfunded Benefit Liabilities. [hyperlink, http://www.gao.gov/products/GAO-14-398T]. Washington, D.C.: March 13, 2014. U.S. Postal Service: Actions Needed to Strengthen the Capital Investment Process. [hyperlink, http://www.gao.gov/products/GAO-14-155]. Washington, D.C.: January 7, 2014. U.S. Postal Service: Health and Pension Benefits Proposals Involve Trade-offs. [hyperlink, http://www.gao.gov/products/GAO-13-872T]. Washington, D.C.: September 26, 2013. U.S. Postal Service: Proposed Health Plan Could Improve Financial Condition, but Impact on Medicare and Other Issues Should Be Weighed before Approval. [hyperlink, http://www.gao.gov/products/GAO-13-658]. Washington, D.C.: July 18, 2013. U.S. Postal Service: Opportunities to Increase Revenue Exist with Competitive Products; Reviewing Long-Term Results Could Better Inform Promotions Decisions. [hyperlink, http://www.gao.gov/products/GAO-13-578]. Washington, D.C.: June 25, 2013. U.S. Postal Service: Urgent Action Needed to Achieve Financial Sustainability. [hyperlink, http://www.gao.gov/products/GAO-13-347T]. Washington, D.C.: February 13, 2013. U.S. Postal Service: Overview of Initiatives to Increase Revenue and Introduce Nonpostal Services and Experimental Postal Products. [hyperlink, http://www.gao.gov/products/GAO-13-216]. Washington, D.C.: January 15, 2013. U.S. Postal Service: Strategies and Options to Facilitate Progress toward Financial Viability. [hyperlink, http://www.gao.gov/products/GAO-10-455]. Washington, D.C.: April 12, 2010. [End of section] Funding the Nation's Surface Transportation System: Why Area Is High Risk: The nation's surface transportation system--including highways, transit, and rail systems that move both people and freight--is critical to the economy and affects the daily lives of most Americans. However, the system is under growing strain, and the cost to repair and upgrade the system to meet current and future demands is estimated in the hundreds of billions of dollars. At the same time, traditional funding sources are eroding, and funding is further complicated by the federal government's financial condition and fiscal outlook. What GAO Found: There is no rating for this high-risk area because addressing it primarily involves congressional action and the high-risk criteria and subsequent ratings were developed to reflect the status of agencies' actions and the additional steps they need to take. Motor fuel and other truck-related taxes that support the Highway Trust Fund--the major source of federal surface transportation funding--are eroding. Federal motor fuel tax rates have not increased since 1993, and drivers of passenger vehicles with average fuel efficiency currently pay about $96 per year in federal gasoline taxes. Because of inflation, the 18.4 cent-per-gallon tax on gasoline enacted in 1993 is worth about 11.5 cents today. This trend will likely continue as demand for gasoline decreases with the introduction and adoption of more fuel-efficient and alternative fuel vehicles. To maintain spending levels of about $45-50 billion a year for highway and transit programs and to cover revenue shortfalls, Congress transferred a total of about $63 billion in general revenues to the Highway Trust Fund on six occasions between 2008 and 2014. This approach has effectively ended the long-standing principle of "users pay" in highway finance, breaking the link between the taxes paid and the benefits received by highway users. In August 2014, the Congressional Budget Office estimated that $157 billion in additional revenues would be required to maintain current spending levels plus inflation between 2015 and 2024, as shown in figure 5. Figure 5: Projected Highway Trust Fund Balance, Fiscal Years 2015 to 2024: [Refer to PDF for image: vertical bar graph] Year: 2015: -$2 billion. Year: 2016: -$17 billion. Year: 2017: -$32 billion. Year: 2018: -$47 billion. Year: 2019: -$64 billion. Year: 2020: -$80 billion. Year: 2021: -$98 billion. Year: 2022: -$117 billion. Year: 2023: -$136 billion. Year: 2024: -$157 billion. Source: GAO analysis of CBO data. GAO-15-290. Note: This projection assumes no further augmentation of highway- related taxes to the Highway Trust Fund after 2014 from general revenues or other sources. By law, the Highway Trust Fund cannot incur negative balances. [End of figure] The challenge of funding the Nation's surface transportation system is magnified by the fact that spending for surface transportation programs has not commensurately improved system performance. Many programs have not effectively addressed key challenges--such as increasing congestion and freight demand--because federal goals and roles have been unclear, programs have lacked links to performance, and programs have not used the best tools and approaches to ensure effective investment decisions. As a result, we have recommended that Congress consider a fundamental reexamination of these programs to clarify federal goals and roles, establish performance links, and improve investment decision-making. In July 2012, the President signed into law the Moving Ahead for Progress in the 21st Century Act (MAP- 21). This legislation included provisions to move toward a more performance-based highway and transit program and established a framework to address key challenges in the area of freight movement. Among other things, MAP-21 established national performance goals in areas such as pavement and bridge conditions, traffic injuries and fatalities, and traffic congestion; it also outlined a 3-stage process in which (1) the Department of Transportation (DOT) establishes performance measures for these national goals, (2) states and other grantees set annual targets based on these performance measures and report their progress, and (3) DOT evaluates whether grantees have met their targets and reports to Congress. In addition, the Act established national goals and directed the Secretary of Transportation to establish a national freight network, develop a strategic plan, and provide the tools necessary to support a performance-based approach for evaluating and selecting new freight projects. DOT is developing nine rules that will implement the MAP-21 performance-based approach; however, only five of the nine rules have been released for public comment and none have been finalized. DOT's efforts have been affected by a number of factors, including the varying experiences implementing a performance-based approach within DOT. DOT has also begun establishing a national freight network, including establishing a National Freight Advisory Committee and developing data and tools for planning and evaluating freight projects; however, the national freight network has yet to be finalized and DOT's freight strategic plan is still in development. What Remains to Be Done: Congress and the administration need to agree on a long-term plan for funding surface transportation. Continuing to augment the Highway Trust Fund with general revenues may not be sustainable, given competing demands and the federal government's fiscal challenges. A sustainable solution would balance revenues to and spending from the Highway Trust Fund. New revenues from users can come only from taxes and fees; ultimately, major changes in transportation spending, in revenues, or in both, will be needed to bring the two into balance. A long term sustainable plan for funding surface transportation requires congressional action and remains the pivotal action that will determine whether the funding of surface transportation remains on, or is removed from, our High Risk List. DOT will also need to continue implementing the performance-based approach to surface transportation mandated in MAP-21. It will become increasingly important to improve the effectiveness of surface transportation programs by establishing links to performance and by measuring progress toward clear national goals. GAO Contact: For additional information about this high-risk area, contact Susan Fleming at (202) 512-2834 or FlemingS@gao.gov. Related GAO Products: Surface Transportation: DOT Is Progressing Toward a Performance-Based Approach, but States and Grantees Report Potential Implementation Challenges. [hyperlink, http://www.gao.gov/products/GAO-15-217]. Washington, D.C.: January 16, 2015. Surface Transportation: Department of Transportation Should Measure the Overall Performance and Outcomes of the TIGER Discretionary Grant Program. [hyperlink, http://www.gao.gov/products/GAO-14-766]. Washington, D.C.: September 23, 2014. Freight Transportation: Developing National Strategy Would Benefit from Added Focus on Community Congestion Impacts. [hyperlink, http://www.gao.gov/products/GAO-14-740]. Washington, D.C.: September 19, 2014. Highway Trust Fund: Pilot Program Could Help Determine the Viability of Mileage Fees for Certain Vehicles. [hyperlink, http://www.gao.gov/products/GAO-13-77]. Washington, D.C.: December 13, 2012. Surface Transportation: Financing Program Could Benefit from Increased Performance Focus and Better Communication. [hyperlink, http://www.gao.gov/products/GAO-12-641]. Washington, D.C.: June 21, 2012. Highway Infrastructure: Federal-State Partnership Produces Benefits and Poses Oversight Risks. [hyperlink, http://www.gao.gov/products/GAO-12-474]. Washington, D.C.: April 26, 2012. Transportation: Key Issues and Management Challenges. [hyperlink, http://www.gao.gov/products/GAO-12-581T]. Washington, D.C.: March 29, 2012. Surface Transportation: Restructured Federal Approach Needed for More Focused, Performance-Based, and Sustainable Programs. [hyperlink, http://www.gao.gov/products/GAO-08-400]. Washington, D.C.: March 6, 2008. Freight Transportation: National Policy and Strategies Can Help Improve Freight Mobility. [hyperlink, http://www.gao.gov/products/GAO-08-287]. Washington, D.C.: January 7, 2008. [End of section] Strategic Human Capital Management: Why Area Is High Risk: Mission-critical skills gaps in such occupations as cybersecurity and acquisition pose a high-risk to the nation: whether within specific federal agencies or across the federal workforce, they impede federal agencies from cost-effectively serving the public and achieving results. Addressing complex challenges such as disaster response, national and homeland security, and rapidly evolving technology and privacy security issues, requires a high-quality federal workforce able to work seamlessly with other agencies, levels of government, and across sectors. However, current budget and long-term fiscal pressures, declining levels of federal employee satisfaction, the changing nature of federal work, and a potential wave of employee retirements that could produce gaps in leadership and institutional knowledge, threaten the government's capacity to effectively address these and many other evolving, national issues. In February 2011, we reported that closing current and emerging critical skills gaps would require the Office of Personnel Management (OPM), agencies, and the Chief Human Capital Officers (CHCO) Council to address critical skills gaps that cut across several agencies. This issue requires continued attention because while OPM and agencies have taken steps that show promise for identifying and addressing mission- critical skills gaps, additional efforts are needed to coordinate and sustain these efforts going forward, as well as to make better use of workforce analytics which can be used to predict newly emerging skills gaps. What GAO Found: Figure: Strategic Human Capital Management: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Over the last few years, OPM and individual agencies have taken important steps that will better position the government to close current and emerging critical skills gaps which are undermining agencies' abilities to meet their vital missions. OPM and agencies have partially met four of the five high-risk criteria by demonstrating a leadership commitment to address the issue, developing capacity and action plans outlining appropriate strategies, as well as taking the initial steps to monitor their progress. However, OPM, the CHCO Council, and agencies will need to implement specific strategies and evaluate their results to demonstrate progress on addressing critical skills gaps. Leadership Commitment: OPM and agencies have partially met the leadership criterion for removal from the High Risk List. OPM and the administration have launched several initiatives to address this issue at the government-wide level; however, OPM needs to address additional skills gaps having programmatic impacts, and needs to sustain senior leadership's focus on this issue. In February 2011, we reported that closing on-going and emerging critical skills gaps would require agencies to continue to address their specific human capital needs, as well as work with OPM and through the CHCO Council to address critical skills gaps that cut across several agencies. In particular, we reported that actions were needed in three broad areas: * Planning. Identifying the causes of, and solutions for, skills gaps and the steps to implement those solutions. * Implementation. Defining and implementing corrective actions to narrow skills gaps through talent management and other strategies. * Measurement and evaluation. Assessing the effects and evaluating the performance of initiatives to close skills gaps. To address this issue at the government-wide level, OPM and agencies launched several initiatives. For example, in September 2011, OPM and the CHCO Council created the Chief Human Capital Officers Council Working Group (Working Group) to identify and address critical skills gaps. The Working Group was established as part of ongoing discussions between OPM, OMB, and GAO regarding the steps needed to address the federal government's human capital challenges. Between 2011 and 2012, the Working Group identified skills gaps in six government-wide areas: (1) cybersecurity, (2) auditor, (3) human resources specialist, (4) contract specialist, (5) economist, and (6) the science, technology, engineering, and mathematics (STEM) functional community. In addition to the efforts of the Working Group, the President's Fiscal Year 2013 budget--released in February 2012--designated closing skills gaps as an interim, two-year Cross-Agency Priority (CAP) goal, specifically, to close skills gaps by 50 percent in three-to-five mission-critical occupations by September 30, 2013.[Footnote 124] As the designated CAP goal leader, the Director of OPM held quarterly meetings to review progress on achieving this goal. These initiatives were important steps forward. However, since the Working Group began its efforts, our work has identified nearly two dozen mission-critical skills gaps across the government. While some of these skills gaps were consistent with those identified by the Working Group--such as the need for cybersecurity skills--our work has identified additional skills gaps, both government-wide and agency- specific, having a significant programmatic impact, such as: * Staffing Shortages at Federal Prisons. In August 2014, we found that staffing shortages affected the Department of Justice's Bureau of Prisons (BOP) ability to activate new institutions in a timely manner, which could affect how quickly BOP can reduce crowding. Although BOP does review system-wide staffing data, it does not monitor or analyze staffing data by individual institutions or track how long it takes individual institutions to hire staff. The Department of Justice agreed with our recommendation that BOP analyze institutional-level staffing data and develop strategies, such as using recruitment incentives, when hiring challenges occur at particular institutions.[Footnote 125] The Department of Justice noted that reports on the results of these analyses would be prepared on a quarterly basis. * Telecommunications Specialists. In December 2013, we found that a decline in telecommunication expertise across multiple agencies compounded the General Services Administration's (GSA) challenges in transitioning those agencies to a new network of telecommunications services, contributing to delays and cost overruns of 44 percent. [Footnote 126] Moreover, according to GSA, customer agencies are concerned that the shortage of telecommunications specialists will get worse because there are not enough to replace experienced workers nearing retirement. GSA has yet to fully study the issue of addressing mission-critical skills gaps and agreed that understanding expertise shortfalls would be useful for future transition planning purposes. Officials from GSA and OPM agreed with our recommendation on the need to better examine potential government-wide telecommunications expertise shortfalls and have agreed to coordinate on efforts to do so. While this recommendation was still open as of January 2015, GSA's Office of Human Resources Management plans to take several actions such as identifying and validating technical competencies, developing competency models, and performing a workforce assessment against the models. Moreover, as discussed elsewhere in this report, skills gaps are contributing factors behind many other GAO high-risk areas,[Footnote 127] including the following: * Cybersecurity. Although steps have been taken to close critical skills gaps in the cybersecurity area, it remains an ongoing problem and additional efforts are needed to address this issue government- wide. As one example, recognizing the need to enhance the cybersecurity workforce at the Department of Homeland Security (DHS), two laws were enacted in December 2014. One requires DHS, among other actions, to work with OPM to identify areas of critical need in DHS's cybersecurity workforce, while the second law requires DHS to assess its cybersecurity workforce, and develop a strategy to enhance the readiness, capacity, training, recruitment, and retention of this workforce.[Footnote 128] These issues are not new. Previously, we have reported that officials at several agencies, including DHS, identified concerns with the availability of candidates for certain highly technical positions, such as network security engineers.[Footnote 129] We recommended that OPM provide guidance to agencies on how to track the use and effectiveness of incentives for hard-to-fill positions, including cybersecurity positions. In August 2013, OPM issued final regulations requiring agencies to review retention incentives and group recruitment incentives targeted at difficult to fill positions at least annually. Although this effort is an important step forward, it has been recently implemented and its effectiveness remains to be seen. We will continue to monitor OPM and agencies' efforts to strengthen the cybersecurity workforce going forward. * Acquisition Management. Agencies such as the Department of Energy (DOE), Department of Defense (DOD), National Aeronautics and Space Administration (NASA), and DHS need to determine workforce needs and address shortages of acquisition personnel to oversee and manage contracts that have become more expensive and increasingly complex. For example, in a July 2013 DOE review, officials concluded that the agency had an extremely low number of contract specialists when benchmarked against other agencies. At the time, DOE's acquisition workforce comprised less than 5 percent of DOE's federal workforce, but was responsible for administering contract and other obligations representing over 90 percent of the agency's annual budget. In response, in March 2014, the Secretary of Energy approved the implementation of the DOE Acquisition Fellows program, which is designed to recruit, acquire, develop, and retain contract specialists. * Inspectors of Oil and Gas Facilities. In January 2014, we found that hiring and retention challenges at the Department of Interior (Interior) have resulted in fewer inspections of oil and gas facilities, which according to officials results in an increased risk to human health and safety due to a spill or accident.[Footnote 130] In 2012, Interior's Bureau of Land Management had an attrition rate among petroleum engineers that, according to OPM data, is more than double the average federal attrition rate. Although Congress has provided Interior with authority to establish higher rates of basic pay for key inspection occupations, we reported that it was uncertain how Interior would address staffing shortfalls over time.[Footnote 131] Interior generally agreed with our recommendation that they systematically collect data on hiring times for key oil and gas positions, ensure the accuracy of the data, analyze the data to identify the causes of delays, and expedite the hiring process. In response to our recommendation, Interior stated that their bureaus have begun a more systematic collection and analysis of hiring data to identify the causes of delays and help expedite the hiring process. * DHS Management Functions. While DHS has continued to strengthen its human capital management functions, additional efforts are needed in the areas of competency gap assessment, assessing training programs, and acquisition management.[Footnote 132] For example, we found that as of December 2014, DHS had completed competency gap assessments to identify potential skills gaps for 8 of 86 occupations that it identifies as critical to its mission. DHS intends to assess efforts to address existing competency gaps through September 2015 and will then assess gaps for additional occupations in 2016; therefore, it is too early to assess the effectiveness of these efforts. * DOD Financial Management. In July 2014, we found that while DOD's Financial Management workforce plan partially addressed statutory requirements to assess its current and future critical skills needs, additional efforts are needed.[Footnote 133] Among other things, we found that the plan did not provide an assessment of the overall financial management workforce's competencies. DOD will need to fulfill the mandated critical-skill requirements for its financial management workforce to ensure that it has the capacity to make lasting improvements in its financial management. In February 2013, we reported that removing skills gaps as a high-risk issue across the government will depend in part on the extent to which OPM and agencies continue to involve top management and include plans to monitor and evaluate progress toward closing skills gaps. The interim, two-year CAP goal for closing skills gaps expired as planned at the end of fiscal year 2013, and was replaced in March 2014 by a four-year CAP goal focusing on people and culture, including (1) creating a culture of excellence and engagement, (2) building a world- class federal management team starting with the Senior Executive Service, and (3) enabling agencies to hire the best talent from all segments of society. While these CAP goal elements contain workforce planning strategies and metrics relevant to closing skills gaps, there are no overall performance targets for closing skills gaps, and addressing skills gaps is no longer an explicit goal. The interim CAP goal to address skills gaps gave the entire effort government-wide focus and visibility, and provided OPM a mechanism to hold agencies accountable for results. Despite the expiration of the interim CAP goal, OPM officials have told us that they intend to continue holding meetings to track progress on closing government-wide skills gaps, as was done under the interim CAP goal. Capacity: OPM and agencies have partially met this criterion. On the one hand, OPM has dedicated resources toward closing skills gaps; on the other hand, additional efforts will be needed to collect competency data on the federal workforce. By designating the Working Group's efforts to close critical skills gaps as an interim CAP goal in the administration's fiscal year 2013 federal budget, the Director of OPM--as CAP goal leader--developed capacity by identifying key, senior federal officials from each of the six government-wide mission- critical occupations to serve as "sub-goal leaders." For example, at the time of our review, the sub-goal co-leaders for the cybersecurity workforce were from the White House Office of Science and Technology Policy and the Department of Commerce's National Institute of Standards and Technology. Likewise, the sub-goal leader for the economist workforce was the Assistant Secretary for Economic Policy and Chief Economist at the U.S. Department of the Treasury. Going forward, addressing government-wide skills gaps will require collecting data on the competencies of the federal workforce. According to OPM officials, federal agencies' abilities to assess workforce competencies varies, which makes collection of government- wide data on competency gaps difficult. It will be important for OPM to work with agency CHCOs to bolster agencies' capacity to assess workforce competencies and to ensure that such information can be stored and used for government-wide workforce analysis. Action Plan: The six sub-goal groups developed planning documents aimed at addressing skills gaps. However, these planning documents only partially met this criterion because the plans did not incorporate all the key practices for project planning, such as identifying root causes and using outcome-oriented performance metrics. For instance, only the STEM and Auditor sub-goal groups' plans discussed the root causes of their skills gaps and the purpose for their actions. Additionally, only three of the six sub-goal groups tracked outcome-oriented performance metrics in their plans. For example, the STEM sub-goal group's plan tracked such items as the number of STEM hiring reforms that had been approved by OPM. While gaining OPM approval of hiring policy changes can be an important step in the process of attracting more qualified workforce candidates, the STEM sub-goal group's plan did not track outcomes that might result from approving such policy changes, such as the number and quality of applicants and hires for STEM positions. Monitoring: Because they did not always use outcome-oriented performance metrics, the sub-goal groups partially met this criterion. For example, the Human Resources sub-goal group tracked the percentage of federal human resources personnel who registered for and completed a single course on HR University--a centralized online suite of courses and curricula managed by OPM that agencies can use for training purposes. While we agree that ensuring that human resources professionals receive proper training is vital, relying on a metric of how many people register for and complete a single online course is not the most effective way to assess progress toward the outcome of closing skills gaps within the human resources occupation. To monitor government-wide skills gaps, OPM and agencies face additional challenges going forward, including the following: * While individual agencies are collecting metrics under an OPM initiative known as HRstat, those metrics vary across agencies. Although it is important for agencies to develop their own metrics that are relevant to them, a core set of metrics that are consistent for all agencies is also necessary so that OPM and agency leaders can have a clear view of progress in addressing government-wide mission critical skills gaps. * OPM's plan to use a database to capture staffing data from agencies for select occupations is still under development. However, OPM officials stated that no timeframe exists for modifying this database, although they intend to continue collecting agencies' staffing data until OPM makes the necessary investments to modify its database. * Developing a predictive capacity to identify newly emerging skills gaps beyond those areas already identified, and managing the risks associated with them is especially important now because (as shown in figure 6 below) agencies are facing a wave of potential retirements. Using the most recent available data, government-wide, about 30 percent of federal employees on board by the end of fiscal year 2013 will be eligible to retire by 2018. Some agencies, such as the Department of Housing and Urban Development and the Small Business Administration, will have particularly high eligibility rates by 2018. Figure 6: Percentage of Career Permanent Employees on Board Eligible to Retire by 2018 by Agency (as of September 30, 2013): [Refer to PDF for image: vertical bar graph] Government-wide retirement eligibility rate: 30.1%. Agencies: Agriculture: 35%; Commerce: 29%; Defense: 28%; Education: 32%; Energy: 35%; Health and Human Services: 30%; Homeland Security: 22%; Homeland Security: 44%; Housing and Urban Development: 31%; Justice: 33%; Labor: 29%; State: 37%; Interior: 37%; Treasury: 39%; Transportation: 31%; General Services Administration: 35%; National Aeronautics and Space Administration: 35%; National Science Foundation: 38%; Nuclear Regulatory Commission: 35%; Office of Personnel Management: 28%; Small Business Administration: 41%; Social Security Administration: 31%; United States Agency for International Development: 30%; Environmental Protection Agency: 39%; Non-CFO Act agencies: 32%. Source: GAO analysis of data from the OPM Enterprise Human Resources Integration Statistical Data Mart. GAO-15-290. [End of figure] Various factors affect when individuals actually retire, and some amount of retirement and other forms of attrition can be beneficial because it creates opportunities to bring fresh skills on board and allows organizations to restructure themselves to better meet program goals and fiscal realities. But if turnover is not strategically monitored and managed, gaps can develop in an organization's institutional knowledge and leadership. Demonstrated Progress: OPM and agencies have not met this criterion. Although the interim CAP goal's target was to close skills gaps by 50 percent by the end of fiscal year 2013 in three-to-five of the six sub- goal groups, according to sub-goal leaders, the target was vague and difficult to measure. For example, the Cybersecurity sub-goal group did not have an effective baseline from which to measure 50 percent progress because they had not fully determined the nature of their skills gap. By June 2015 OPM officials expect to identify a new set of government-wide skills gaps that are to be addressed over a four-year period, and more time is needed to assess the impact of that initiative as well as other, ongoing efforts. Congressional Action: To date, Congress has provided agencies--individually and across the federal government--with various authorities and flexibilities to manage the federal workforce and make the federal government a more attractive employer. Further, hearings held by the House and Senate that have focused on federal human capital management challenges have been important for ensuring that OPM and agencies continue to make progress in acquiring, developing, and retaining employees with the skills needed to carry out the government's vital work. Continued congressional attention to improving the government's human capital policies and procedures will be essential going forward. What Remains to Be Done: Our work has made several recommendations that cut across the five criteria for removal from the High Risk List. Most recently, in January 2015, we reported that OPM and the CHCO Council should incorporate lessons learned from their initial efforts to close skills gaps to strengthen future approaches.[Footnote 134] We recommended that OPM, among other actions, take the following steps: * Develop goals for closing skills gaps with targets that are both clear and measurable. * Design outcome-oriented performance metrics that align with overall targets for closing skills gaps. * Follow key practices for project planning when developing action plans designed to close skills gaps. * Identify a core set of metrics that all agencies should use as part of their HRstat data-driven reviews. OPM generally concurred with these recommendations, and we will monitor OPM's progress in implementing them going forward. Moreover, in May 2014, we reported on human capital strategies which will help agencies meet their mission in an era of constrained resources. We made several recommendations that collectively will strengthen agencies' leadership commitment and capacity to address skills gaps.[Footnote 135] OPM agreed with these recommendations, which include the following: * Strengthening OPM's coordination and leadership of government-wide human capital issues, in part by developing a government-wide human capital strategic plan that would establish priorities, time frames, responsibilities, and metrics to better align the efforts of members of the federal human capital community. * Exploring the feasibility of expanded use of enterprise or "whole of government" solutions to address shared human capital issues--such as workforce planning tools and lessons learned that would help build the capacity of agencies to address skills gaps. * Reviewing the extent to which new capabilities are needed to promote agile talent management--including developing or sharing tools and resources to help identify skills gaps and mechanisms for increasing staff mobility within and across agencies. In response, OPM is considering a multi-phase human capital strategy designed to, among other things, institutionalize processes for identifying and addressing government-wide and agency skills gaps and emphasize the use of workforce data and analytic tools. Furthermore, individual agencies must take the lead in addressing their own mission critical skills gaps. For example, our December 2013 report found that the Department of Transportation's Federal Railroad Administration (FRA) lacked a plan to have a sufficient number of safety inspectors to carry out oversight of such initiatives as positive train control--a communications system designed to prevent events like train-to-train collisions. FRA officials agreed to consider our recommendation that FRA develop a strategic human capital plan that includes specific approaches for how it will recruit, train, and retain both its current inspectors as well as its new workforce of safety risk management specialists.[Footnote 136] We will continue to monitor FRA's progress on developing their strategic human capital plan. GAO Contact: For additional information about this high-risk area, contact Robert Goldenkoff at (202) 512-2757 or goldenkoffr@gao.gov, or Yvonne D. Jones at (202) 512-2717 or jonesy@gao.gov. Related GAO Products: Federal Workforce: OPM and Agencies Need to Strengthen Efforts to Identify and Close Mission-Critical Skills Gaps. [hyperlink, http://www.gao.gov/products/GAO-15-223]. Washington, D.C.: January 30, 2015. Bureau of Prisons: Management of New Prison Activities Can Be Improved. [hyperlink, http://www.gao.gov/products/GAO-14-709]. Washington, D.C.: August 22, 2014. Human Capital: DOD Should Fully Develop Its Civilian Strategic Workforce Plan to Aid Decision Makers. [hyperlink, http://www.gao.gov/products/GAO-14-565]. Washington, D.C.: July 9, 2014. Department of Homeland Security: Progress Made; Significant Work Remains in Addressing High-Risk Areas. [hyperlink, http://www.gao.gov/products/GAO-14-532T]. Washington, D.C.: May 7, 2014. Human Capital: Strategies to Help Agencies Meet Their Missions in an Era of Highly Constrained Resources. [hyperlink, http://www.gao.gov/products/GAO-14-168]. Washington, D.C.: May 7, 2014. Interior Has Begun to Address Hiring and Retention Challenges but Needs to Do More. [hyperlink, http://www.gao.gov/products/GAO-14-205]. Washington, D.C.: January 31, 2014. Rail Safety: Improved Human Capital Planning Could Address Emerging Safety Oversight Challenges. [hyperlink, http://www.gao.gov/products/GAO-14-85]. Washington, D.C.: December 9, 2013. Telecommunications: GSA Needs to Share and Prioritize Lessons Learned to Avoid Future Transition Delays. [hyperlink, http://www.gao.gov/products/GAO-14-63]. Washington, D.C.: December 5, 2013. Managing for Results: Data-Driven Performance Reviews Show Promise But Agencies Should Explore How to Involve Other Relevant Agencies. [hyperlink, http://www.gao.gov/products/GAO-13-228]. Washington, D.C.: February 27, 2013. Weapons Acquisition Reform: Reform Act Is Helping DOD Acquisition Programs Reduce Risk, but Implementation Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-13-103]. Washington, D.C.: December 14, 2012. Human Capital Management: Effectively Implementing Reforms and Closing Critical Skills Gaps Are Key to Addressing Federal Workforce Challenges. [hyperlink, http://www.gao.gov/products/GAO-12-1023T]. Washington, D.C.: September 19, 2012. Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination. [hyperlink, http://www.gao.gov/products/GAO-12-8]. Washington, D.C.: November 29, 2011. [End of section] Managing Federal Real Property: Why Area Is High Risk: The federal government's real property holdings are vast and diverse-- comprising hundreds of thousands of buildings and permanent structures across the country, and costing billions of dollars annually to operate and maintain. Since federal real property management was placed on the High Risk List in 2003, the government has given high- level attention to this issue and has made strides in real property management, but continues to face long-standing challenges in managing its real property. For example, the federal government continues to maintain too much excess and underutilized property. It also relies too heavily on leasing in situations where ownership would be more cost efficient in the long run. In addition, the federal government faces ongoing challenges in protecting its facilities. Finally, effective real property management and reform are undermined by unreliable real property data. Specifically, despite a high level of leadership commitment to improve real property data, the federal government continues to face challenges with the accuracy and consistency of the Federal Real Property Profile (FRPP), causing the federal government to report inaccurate inventory and outcome information. What GAO Found: Figure: Managing Federal Real Property: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The federal government has met the high-risk criterion for demonstrating leadership commitment to improving the management of real property by pursuing numerous reform efforts over multiple administrations. For example, the 2012 Freeze the Footprint policy is an example of the administration's leadership commitment to improving the management of federal real property. The federal government has also made partial progress toward increasing its capacity, developing an action plan, and monitoring its progress toward improving real property management. For example, staff of the Office of Management and Budget (OMB) said that OMB is drafting a national real property strategy that could help implement our recommendation that the federal government take a more strategic approach toward excess property and high value leases. However, significant challenges in demonstrating progress in achieving tangible results remain. For example, we found that the results OMB reported from the first year of the administration's Freeze the Footprint policy overstated the reductions for the four agencies we reviewed to the point where some of the reported decreases do not represent any decrease at all. Excess and Underutilized Property: Figure: Managing Federal Real Property: [Refer to PDF for image: star illustration] Excess and underutilized property: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] OMB and the real property-holding agencies have met the criterion for demonstrating leadership commitment toward reducing the amount of excess and underutilized federal real property, through more than a decade of management attention, beginning in 2004 with Executive Order 13327 and, more recently, by establishing the Freeze the Footprint policy in 2012 and by beginning to draft a national real property strategy. The federal government has partially met the criteria for capacity, action planning, and monitoring excess and underutilized real property. It has not met the criteria for demonstrating progress in reducing excess and underutilized real property. In July 2014, the Administration released the first year results of the Freeze the Footprint policy, indicating that it reduced the federal government's office and warehouse space by about 10.2 million square feet between fiscal years 2012 and 2013--exceeding its expectations. To assess the extent to which these results were reliable, we examined data from four of the six agencies that made the largest reductions in the first year of Freeze the Footprint reporting and found the data were not reliable--the actual space reductions at the four agencies we reviewed were overstated. For example, at least one of the two largest reported reductions for each of the 4 selected agencies were either overstated or did not represent a reduction at all. We found that many reported reductions in square footage were due to factors other than actual space reduction, such as coincidence of when the reporting baseline was set, the re-categorization of space to another use or data errors, or the transfer of properties to the General Services Administration (GSA). Specifically, some agency officials explained that some of their largest reported square footage reductions in fiscal year 2013 were due simply to the timing of the fiscal year 2012 baseline. For example, the Department of Commerce (Commerce) opened an approximately 268,000 square foot building in 2012 into which it consolidated several other facilities totaling about 160,000 square feet. However, when the Freeze the Footprint baseline was set on September 30, 2012, Commerce was still transitioning into the new space and did not dispose of the previous facilities until later in fiscal year 2013, making an approximately 108,000 square foot increase appear to be a decrease of about 160,000 square feet. OMB officials told us that, while the timing of the 2012 baseline inaccurately made some agencies appear to have cut space, other agencies experienced the opposite effect. OMB provided us with examples which indicate that some agencies' apparent space increases may have, in fact, represented steps of ongoing property relocation or consolidation efforts which were not finalized prior to the end of fiscal year 2013. However, in these cases, the net impact of these relocations or consolidations should become clear in the Freeze the Footprint reporting for fiscal year 2014. In addition, weaknesses in FRPP data caused OMB to overstate some reductions. All four selected agencies confirmed that several square footage reductions reported for fiscal year 2013 were due to data errors or the re-measurement of space to comply with GSA standards. Further, many properties removed from agencies' real property portfolios were simply returned to GSA and remain part of the existing federal footprint. For example, in fiscal year 2013, the Department of the Interior was credited with disposing of more than 41,000 square feet of office space in Lakewood, Colorado. However, GSA officials confirmed that this space was returned to GSA and remains vacant as GSA and Interior work to backfill the space as part of a larger plan to evaluate consolidation and cost saving opportunities in the area. Agency officials also said that some of the incremental space reductions they did achieve in the first year of the Freeze the Footprint policy were the result of efforts underway before the policy began. For example, officials from the Department of the Interior explained that it consolidated several locations in Reston, Virginia, which reduced its overall square footage. While the actual consolidation occurred during the first year of the Freeze the Footprint policy, officials said that the consolidation had been in the planning process for 3 years, well before the policy came into effect. Although not directly attributable to the Freeze the Footprint policy, reductions like this do represent some progress in reducing excess and underutilized space. Officials at all four agencies did say that the policy is an incentive to reduce office and warehouse space going forward. In addition, the federal government has partially met the criterion for having an action plan for addressing the excess and underutilized real property by beginning the process of developing a national real property strategy. However, OMB officials said that the strategy will not be completed until sometime in 2015. We will assess it against the high risk criteria at that time. Costly Leasing: Figure: Managing Federal Real Property: [Refer to PDF for image: star illustration] Costly Leasing: Leadership Commitment: Met; Capacity: Not Met; Action Plan: Not Met; Monitoring: Not Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The Federal government continues to rely heavily on leasing of properties where it would be more cost efficient for the federal government to own. The federal government has met the criterion for showing leadership commitment to addressing the problem by focusing on limiting the federal real property footprint, trying to consolidate high-value leases and smaller leases as they expire, moving some high- value leases into government-owned space, and helping agencies increase space efficiency. However, GSA lacks an action plan, the capacity in terms of transparent data, and the monitoring tools necessary to demonstrate success in reducing its reliance on leasing. Specifically, GSA has not developed or applied criteria to rank and prioritize the potential long-term ownership solutions to current high- value leases among other capital investments. For example, in 2013 we found that high-value leases account for over one-third of GSA's annual rent paid to private sector landlords and more than a quarter of the total lease square feet while representing just 3 percent of GSA leases. GSA, however, has not determined which of those leases would be the best candidates for ownership investments. Physical Security: Figure: Managing Federal Real Property: [Refer to PDF for image: star illustration] Physical Security: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Not Met; Monitoring: Not Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The Federal Protective Service (FPS) has met the criterion for showing leadership commitment to improve the physical security of federal facilities by issuing its Strategic Human Capital Plan in 2014 and reducing turnover in the director position. FPS also made progress in building capacity for better protecting federal facilities by assessing the vulnerabilities of federal facilities as we reported in 2013, but its methodology is not fully compliant with federal risk assessment standards. Moreover, FPS still faces challenges in developing an action plan and in monitoring and demonstrating progress. For example, while FPS has identified some measures that would help monitor progress in protecting federal facilities, FPS has not developed or implemented standards for measuring its performance in assessing risk at its facilities or obtaining feedback from its tenant agencies on the quality of security services provided. Data Reliability: Figure: Managing Federal Real Property: [Refer to PDF for image: star illustration] Data Reliability: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The federal government has met the criterion for demonstrating leadership commitment to improving real property data to support decision making, and has made some progress in increasing its capacity to improve the reliability of the data, but lacks an action plan and an ability to effectively monitor or demonstrate progress. Related to leadership commitment and capacity, GSA took steps to improve the reliability of FRPP data, including changing how some variables are defined and eliminating some optional variables, but these changes have not yet sufficiently improved the overall reliability of the data and the federal government continues to lack an action plan for making additional improvements. For example, we found that the federal government's real property data remains unreliable in the following areas, undermining its ability to monitor or demonstrate progress: * As discussed above, the FRPP data that the OMB used as evidence that the federal government has made progress in reducing its overall amount of office and warehouse space were not reliable. Our analysis showed that weaknesses in the data overstated the reductions reported by the four agencies we reviewed. * Agencies use FRPP data related to the utilization of federal warehouses consistently. For example, GSA lists vacant warehouses as fully utilized as a matter of policy because part of its mission is to have warehouse space available if agencies need it. * FRPP data related to the federal government's 480,000 structures are not reliable on a government-wide basis, due to the different approaches agencies take in defining and inventorying structures. For example, agencies use different approaches to counting structures-- undermining any cross-agency comparisons. * We found that the $3.8 billion which agencies reported in 2012 as cost savings from real property disposal, space management, sustainability, and innovation activities were not reliable. Our analysis show that these cost savings included different assumptions, methodologies, and timelines that reduced the reliability of the data. Congressional Action: Several real property reform bills were introduced in the 113th session of Congress that could have reduced barriers to further reducing excess and underutilized real property, but none of the bills were enacted. While Congress could take actions to reform real property and encourage agencies to implement our outstanding recommendations, we have not made any related matters for congressional consideration. What Remains to Be Done: In order to improve the management of its real property, OMB, GSA, and FPS should implement our open recommendations including those to develop a national strategy and improve data reliability. For example, OMB, in conjunction with land-holding agencies, could improve its capacity and action plan by implementing our recommendation to develop a strategic plan for managing excess and underutilized real property. OMB officials said they are implementing the recommendation by drafting a national real property strategy--scheduled for completion sometime in 2015. To develop an action plan for reducing the federal government's overreliance on costly leasing, GSA should implement our recommendation to develop and apply criteria which rank and prioritizes potential long-term ownership solutions to current high- value leases, among other capital investments. GSA should also increase its capacity for reducing the government's reliance on leasing by implementing our recommendation to enhance transparency in the information it provides to Congress when seeking authorization for new high value leases by including (1) estimates of the length of time that agencies are likely to need the space, (2) needed investments in the property, and (3) appropriate cost-to-lease comparisons with ownership options. Also, in conjunction with OMB, GSA should improve its ability to monitor and track progress by implementing our recommendation to set long-term, cross-agency goals for investments in ownership. To further build capacity and to improve the federal government's monitoring and demonstrating of progress in improving the security of federal facilities, FPS should implement our 2014 recommendation to develop and implement risk assessment methodologies at federal facilities that meet Interagency Security Committee standards. FPS should also improve its capacity by implementing our recommendation to determine which guards have not had screener or active-shooter scenario training and provide it to them. It could also develop an action plan with a schedule for implementing these GAO recommendations, which could further help FPS demonstrate progress in better protecting federal facilities. GSA can assist in monitoring progress reducing excess and underutilized real property by implementing our recommendation to improve the reliability of FRPP by ensuring that its data are sufficiently complete, accurate, and consistent. In turn, this improvement would improve reliability in demonstrating progress in, for example, the federal government's space reduction and cost savings statistics. GAO Contact: For additional information about this high-risk area, contact the following people. On real property management, contact Dave Wise at 202-512-2834 or wised@gao.gov. On issues related to physical security of federal facilities, contact Lori Rectanus at (202) 512-2834 or rectanusl@gao.gov. Related GAO Products: Federal Real Property: Strategic Focus Needed to Help Manage Vast and Diverse Warehouse Portfolio. [hyperlink, http://www.gao.gov/products/GAO-15-41]. Washington, D.C.: November 12, 2014. Federal Real Property: More Useful Information to Providers Could Improve the Homeless Assistance Program. [hyperlink, http://www.gao.gov/products/GAO-14-739]. Washington, D.C.: September 30, 2014. Federal Real Property: GSA Should Better Target Its Use of Swap- Construct Exchanges. [hyperlink, http://www.gao.gov/products/GAO-14-586]. Washington, D.C.: July 24, 2014. Capital Financing: Alternative Approaches to Budgeting for Federal Real Property. [hyperlink, http://www.gao.gov/products/GAO-14-239]. Washington, D.C.: March 12, 2014. Federal Facility Security: Additional Actions Needed to Help Agencies Comply with Risk Assessment Methodology Standards. [hyperlink, http://www.gao.gov/products/GAO-14-86]. Washington, D.C.: March 5, 2014. Federal Real Property: Improved Transparency Could Help Efforts to Manage Agencies' Maintenance and Repair Backlogs. [hyperlink, http://www.gao.gov/products/GAO-14-188]. Washington, D.C.: January 23, 2014. Federal Real Property: Actions Needed to Improve How Agencies Manage Structures. [hyperlink, http://www.gao.gov/products/GAO-14-87]. Washington, D.C.: January 6, 2014. Federal Real Property: Improved Standards Needed to Ensure That Agencies' Reported Cost Savings Are Reliable and Transparent. [hyperlink, http://www.gao.gov/products/GAO-14-12]. Washington, D.C.: October 29, 2013. Federal Protective Service: Challenges with Oversight of Contract Guard Program Exist, and Additional Management Controls are Needed. [hyperlink, http://www.gao.gov/products/GAO-13-694]. Washington, D.C.: September 17, 2013. Federal Real Property: Greater Transparency and Strategic Focus Needed for High-Value GSA Leases. [hyperlink, http://www.gao.gov/products/GAO-13-744]. Washington, D.C.: September 19, 2013. Federal Real Property: National Strategy and Better Data Needed to Improve Management of Excess and Underutilized Property. [hyperlink, http://www.gao.gov/products/GAO-12-645]. Washington, D.C.: June 20, 2012. [End of section] DOD Approach to Business Transformation: Why Area is High Risk: The Department of Defense (DOD) spends billions of dollars each year to maintain key business operations intended to support the warfighter, including systems and processes related to the management of contracts, finances, the supply chain, support infrastructure, and weapons systems acquisition. Weaknesses in these areas adversely affect DOD's efficiency and effectiveness, and hinder its ability to free up resources for higher priority needs. As a result, we designated many of DOD's key business areas as high risk due to their vulnerability to waste, fraud, abuse, and mismanagement. These areas, and DOD's overall approach to business transformation, are inextricably linked to DOD's ability to perform its overall mission, directly affecting the readiness and capabilities of U.S. military forces. We define the scope of DOD's approach to the business transformation high-risk area as encompassing the activities of the Chief Management Officer (CMO) and Deputy Chief Management Officer (DCMO) in engaging with responsible leaders to influence and provide oversight of business transformation across DOD's business functions to achieve progress.[Footnote 137] We added DOD's overall approach to managing business transformation as a high-risk area in 2005 because DOD had not taken the necessary steps to achieve and sustain business reform on a broad, strategic, department-wide, and integrated basis. Further, DOD's historical approach to business transformation has not proven effective in achieving meaningful and sustainable progress in a timely manner. For example, DOD had not established clear and specific management responsibility, accountability, and control over business transformation-related efforts and applicable resources across business functions. Also, DOD did not have an integrated plan for business transformation with specific goals, measures, and accountability mechanisms to monitor progress and achieve improvements. We have reported in our high-risk updates that DOD has taken some actions towards improving its business transformation efforts. For example, DOD developed and issued its first Strategic Management Plan in 2008 and has since updated the plan three times for its business functions. However, given the magnitude of the funds devoted to DOD's business functions--billions of dollars each year--the impact any failures of these functions can have on national security and on the ability of DOD to meet its missions, and given the long-standing issues we have identified that impact these business functions, we determined during subsequent updates that this area remains high risk. What GAO Found: Figure: DOD Approach to Business Transformation: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has demonstrated some leadership commitment and improved capacity toward addressing its business transformation efforts, such as clarifying responsibilities for the CMO and DCMO, and developing the capacity to focus its oversight on such efforts, but more progress is needed. For example, DOD lacks a corrective action plan to help address weaknesses within its business functions, a comprehensive set of performance measures needed to monitor its business transformation efforts, and an ongoing demonstration of progress in achieving results. Until the DCMO works across the department to address these actions and outcomes, DOD will not make the progress needed to transform into a less costly and more efficient department. Leadership Commitment. DOD has taken steps to demonstrate its leadership commitment for business transformation, but turnover and the ongoing reorganization within the Office of the DCMO presents challenges for DOD to demonstrate effective leadership for this high- risk issue. In February 2013, we found that DOD had issued directives broadly outlining the responsibilities of the CMO and DCMO. Also, the Secretary of Defense issued a December 2013 memorandum to significantly reorganize the Office of the DCMO by consolidating management activities from the Office of the Director of Administration and Management into the Office of the DCMO, and by reassigning responsibility for the oversight of business systems to DOD's Chief Information Officer. In December 2013, the Secretary of Defense also issued accompanying memorandums outlining broad implementation steps for this reorganization that also acknowledged the need for improved oversight of DOD's business functions. Office of the DCMO officials finalized its reorganization in December 2014. However, any impact the reorganization will have on DOD's business transformation efforts is dependent upon future actions the Office of the DCMO undertakes to address long-standing weaknesses. Several key leadership positions with responsibilities for business transformation efforts have experienced turnover since November 2013. The positions include the CMO, the DCMO, and the DCMO's Director of the Planning Performance and Assessment Directorate.[Footnote 138] DOD has had two CMOs since November 2013. In addition, DOD currently has an Acting DCMO, but there is no time frame for submitting potential candidates for the DCMO position to Congress for confirmation. Until DOD demonstrates consistent leadership towards business transformation efforts, DOD may continue experiencing challenges achieving business transformation goals. To further enhance DOD in its oversight of business transformation efforts, Congress passed legislation in the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015 to convert the Deputy Chief Management Officer position to an Under Secretary of Defense for Business Management and Information. This new position, to begin in 2017, is expected to provide greater management authority to oversee management of business operations and can help DOD further demonstrate its commitment to addressing business transformation efforts. Capacity. In February 2013, we reported that the Office of the DCMO has increased its capacity to oversee DOD's business transformation efforts. Further, as of October 2014, the Office of the DCMO has conducted a high-level assessment of its personnel to determine whom to place where after the ongoing reorganization is complete. The Office solicited preferences from its personnel about the directorates to which they would like to be reassigned. However, the Office of the DCMO has not fully assessed whether there are critical gaps in its capacity to monitor DOD's business transformation efforts, specifically personnel with the skills needed to collect and analyze performance information. For example, many of the personnel in this office have expertise in business systems and information technology, but few have expertise in strategic planning and performance management. Until DOD fully assesses the skills of its personnel, specifically their ability to collect and analyze performance information, the Office of the DCMO will not have reasonable assurance that it has the capacity to effectively monitor its business transformation efforts. Action Plan. DOD has not developed a corrective action plan to address business transformation weaknesses and associated root causes. In July 2014, the Office of the DCMO began developing an agency strategic plan that would replace the existing Strategic Management Plan for the business functions. This plan would include a corrective action plan for business transformation. The Office of the DCMO expects to issue the agency strategic plan in February 2015 to align with DOD's budget. Without a process of accountability for achieving results in their business transformation efforts or a corrective action plan to address related weaknesses, the CMO and DCMO will not be able to effectively hold DOD's business functions accountable for achieving their goals. Monitoring. DOD has not established a process to monitor progress toward achieving business transformation efforts across all business functions and does not have a clear or comprehensive set of performance measures to assess progress. In addition, DOD does not measure performance across all business functions. For example, business function officials said that they did not receive feedback on the performance information submitted to the Office of the DCMO. Thus, they were unclear regarding the extent to which their performance information was reviewed or used. In addition, Office of the DCMO officials stated that its performance measures are ineffective in assessing progress. These officials also noted that the information provided by the business functions is unclear and not consistently collected across all business functions. For example, while some of the acquisition performance measures can only be calculated annually, information is requested quarterly. Current measures are also not well aligned with the strategic goals in DOD's Quadrennial Defense Review, DOD's most recent overarching defense strategy. As such, these measures will not enable DOD to determine the extent to which the business functions are helping to achieve their missions. In June 2014, the Office of the DCMO initiated a series of business process and systems reviews of DOD's business functions, defense agencies, and the Office of the Secretary of Defense to determine the extent to which cost savings and efficiencies can be achieved within these organizations. As part of these reviews, the Office of the DCMO is also working with DOD's business functions to develop new performance measures. However, there is no timeline for completing this effort across all of DOD's business functions. As of October 2014, the Office of the DCMO had not provided guidance to business function leaders regarding the development of these new measures, although Office of the DCMO officials mentioned that they may have a draft agency strategic plan prepared by February 2015 that provides new performance measures. Further, the Office of the DCMO is participating in a pilot with OMB to develop a standardized federal data collection system with dashboard capabilities to monitor performance and progress. This system is intended to provide the CMO and DCMO with tools to implement an effective performance management system. However, similar to the business process and systems reviews, no completion date had been set for when this system will become operational. To effectively monitor progress, DOD needs to refine its existing performance measures. Additionally, DOD should conduct data- driven performance reviews frequently and regularly, and use existing governance structures, such as the Defense Business Council, to monitor performance. Until the Office of the DCMO implements a program to better monitor performance, and develops performance measures that will allow it to assess progress and address systemic challenges in its business functions--this office will lack the tools necessary to effectively oversee its business transformation efforts areas. Demonstrated Progress. While the CMO and the Office of the DCMO are working to improve DOD's approach towards business transformation, their efforts are in the early stages and the impact on the department is unclear. Specifically, the Office of the DCMO has developed a portfolio-based investment management process for its business systems, known as the Integrated Business Framework. This framework is intended to align business system investments with the guiding principles established by DOD and to enable the department to strengthen efforts to better consider cost. DOD is also required to certify business system programs with a total cost over $1 million. The Office of the DCMO has used this framework to review and certify more than 1,000 DOD business systems to date. However, this framework has neither been aligned with DOD's budget process nor has it been used to help DOD make better investment decisions across all of its business functions. Moving forward, the Office of the DCMO plans to work with the Defense Business Council to further develop this framework, focus more broadly on other business functions and their cost, and identify needed corrective actions across all business functions. The Office of the DCMO plans to use the Integrated Business Framework to help automate data collection from DOD's strategies and to help them achieve better alignment across the business functions. Once DOD fully implements its Integrated Business Framework, it will be better positioned to demonstrate progress across DOD's business functions. The actions taken by the CMO and the DCMO thus far have not resulted in measurable and sustained positive outcomes, such as cost savings and increased efficiencies across DOD's business functions. The Office of the DCMO is developing an agency strategic plan expected to be finalized in February 2015, and according to Office of the DCMO officials, it will lay out a strategy for addressing business transformation weaknesses and for identifying cost savings and efficiencies across DOD. The Office of the DCMO expects the agency strategic plan to include corrective actions needed to address business transformation weaknesses which will enable the department to better report on any progress made. Until the Office of the DCMO demonstrates sustained progress by implementing a corrective action plan and a program for implementing corrective measures for all of its business functions, this office will be unable to demonstrate its role in contributing to more effective and efficient business functions at DOD. What Remains to Be Done: In August 2014, we provided DOD with 13 actions and outcomes that we believe it should take to address long-standing weaknesses in its business transformation efforts. Going forward, DOD needs to show measurable and sustained positive outcomes in its efforts. In doing so, it will be important for DOD to make continued progress in addressing the 13 actions and outcomes we provided and also listed below. Leadership Commitment: * Fill key leadership positions, such as the Director of the Planning and Performance Management Directorate, and demonstrate how these positions directly support efforts to strengthen business functions and implement change and accountability across these functions. * Implement mechanisms to demonstrate oversight across business functions, to include having business function leaders provide written objectives that contain explicit goals with linkages to department- wide goals. * Establish expectations and mechanisms to hold business function leaders accountable for diagnosing performance problems and identifying strategies for improvement. * Lead regular DOD performance reviews regarding transformation efforts and associated metrics and ensure that business function leaders attend these reviews to facilitate problem solving. Capacity: * Complete the ongoing human capital gap analysis and take action to address any identified gaps to ensure that DCMO staff have the knowledge, skills, and abilities to analyze and clearly communicate complex data for decision making. * Ensure that the Office of the DCMO has capacity to collect accurate, useful, and timely performance data. Corrective Action Plan: Complete the development of a corrective action plan that: * Identifies roles and responsibilities for implementing corrective actions across DOD's business functions. * Establishes implementation goals and time lines to monitor progress in implementing corrective actions. * Identifies initiatives to address root causes, including critical links that must be present among the initiatives, and the processes, systems, personnel, and other resources needed for their implementation. * Identifies tradeoffs, priorities, and any sequencing needed to implement the initiatives, and help leaders plan for and provide the resources needed to make the corrective actions identified. Monitoring: * Refine existing performance measures and update as needed to ensure that the measures assess progress in achieving all key business transformation initiatives, and hold owners of DOD's business functions accountable for providing input into performance targets. * Conduct frequent and regular data-driven performance reviews using established performance measures that ensure linkage between DOD goals, program activities, and resources, and use existing governance structures, such as the Defense Business Council, to monitor performance. Demonstrated Progress: * Make substantial progress in implementing a corrective action plan that includes measures addressing the root causes of weaknesses in business functions and details how corrective actions designed to improve DOD business functions will be implemented. * Complete business process systems reviews across key areas of the business enterprise to identify areas for cost savings and increased efficiencies and effectiveness. * Implement initiatives that result in measurable and sustained positive outcomes, including cost savings and increased efficiencies, thus promoting the cost culture envisioned by the Secretary of Defense, as noted in DOD's 2014 Congressional Report on Defense Business Operations. * Document and report on progress in implementing corrective actions across business functions to Congress and other key stakeholders to strengthen accountability. Progress could be reported in the annual report to Congress on DOD Business Operations or through other means. GAO Contact: For additional information about this high-risk area, contact Zina D. Merritt at (202) 512-5257 or merrittz@gao.gov. Related GAO Products: Defense Business Transformation: DOD Has Taken Some Steps to Address Weaknesses But Additional Actions Are Needed. [hyperlink, http://www.gao.gov/products/GAO-15-213. Washington, D.C.: February 11, 2015. Defense Business Systems: Further Refinements Needed to Guide the Investment Management Process. [hyperlink, http://www.gao.gov/products/GAO-14-486]. Washington, D.C.: May 12, 2014. DOD Financial Management: Actions Under Way Need to Be Successfully Completed to Address Long-standing Funds Control Weaknesses. [hyperlink, http://www.gao.gov/products/GAO-14-94]. Washington, D.C.: April 29, 2014. DOD Financial Management: Ineffective Risk Management Could Impair Progress toward Audit-Ready Financial Statements. [hyperlink, http://www.gao.gov/products/GAO-13-123]. Washington, D.C.: August 2, 2013. DOD Business Systems Modernization: Further Actions Needed to Address Challenges and Improve Accountability. [hyperlink, http://www.gao.gov/products/GAO-13-557]. Washington D.C.: May 17, 2013. Defense Business Transformation: Improvements Made but Additional Steps Needed to Strengthen Strategic Planning and Assess Progress. [hyperlink, http://www.gao.gov/products/GAO-13-267]. Washington, D.C.: February 12, 2013. DOD Joint Bases: Management Improvements Needed to Achieve Greater Efficiencies. [hyperlink, http://www.gao.gov/products/GAO-13-134]. Washington, D.C.: November 15, 2012. [End of section] DOD Business Systems Modernization: Why Area Is High Risk: The Department of Defense (DOD) spends billions of dollars each year to acquire modern systems that are fundamental to achieving its business transformation goals, including systems that address key areas such as personnel, financial management, healthcare, and logistics. While DOD's capacity relative to business systems modernization continues to improve, significant challenges remain. These challenges include fully defining and establishing management controls for business systems modernization. Such controls are vital to ensuring that DOD can effectively and efficiently manage an undertaking with the size, complexity, and significance of its business systems modernization and minimize the associated risks. What GAO Found: Figure: DOD Business Systems Modernization: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Not Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has demonstrated elements of leadership commitment by taking important steps to more effectively and efficiently manage its effort to modernize its business systems. For example, the department has begun to implement an improved investment management framework and processes. The department has also established the capacity to use its federated architecture to identify potentially duplicative investments.[Footnote 139] However, more needs to be done to leverage DOD's capacity to identify potentially duplicative investments and to ensure that, among other things, systems receive appropriate levels of review as part of DOD's improved investment management framework. In addition, the department's business systems continue to fall short of cost, schedule, and performance expectations. Moreover, the department has not established an action plan highlighting how it plans to improve the use of its business architecture, take important steps to improve its business system investment management process, and improve its business system acquisition outcomes. Furthermore, the department's efforts may be constrained during the transition of business system investment responsibilities from the Office of the Deputy Chief Management Officer to the new Under Secretary of Defense for Business Management and Information/Chief Information Officer, and the implementation of provisions in the Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015 that impact these positions. DOD's business systems environment includes about 2,200 investments, which cost billions of dollars each year. Since we first designated this area as high risk in 1995, we made 284 recommendations aimed at strengthening DOD's institutional approach to modernization and reducing the risks associated with acquiring and managing key investments. DOD has implemented 167 of these recommendations as of December 2014. For example, since 2001, we made a series of recommendations relative to developing and using a business enterprise architecture--a modernization blueprint that is intended to provide a clear and comprehensive picture of the department--and to establishing effective investment management controls to guide and constrain DOD's multibillion-dollar business systems and services investments. Since 2002, Congress has included provisions consistent with our recommendations in DOD annual authorizing legislation. Between 2005 and 2008, we reported that DOD had made progress toward implementing key institutional modernization management controls in response to statutory provisions and our recommendations. For example, DOD continued to update its architecture, which addressed important legislative requirements and practices that we identified as missing. Notwithstanding this progress, in May 2009 we reported that DOD's efforts to modernize its management controls had slowed compared with previous years, leaving much to be accomplished. Since that time, DOD has continued to take steps to comply with statutory provisions and to satisfy relevant system modernization management guidance. While DOD has initiated numerous management activities aimed at modernizing its business systems environment, it has demonstrated limited results. In this regard, our work has highlighted challenges that DOD has continued to face in leveraging the architecture to avoid investments that provide duplicative functionality in support of common activities. Our work has also highlighted DOD's challenges with institutionalizing the business systems investment process and with ensuring that effective system acquisition management controls are implemented for each business system investment. DOD's Federated Business Enterprise Architecture: Figure: DOD Business Systems Modernization: [Refer to PDF for image: star illustration] DOD's Federated Business Enterprise Architecture: Leadership Commitment: Partially Met; Capacity: Met; Action Plan: Not Met; Monitoring: Not Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has demonstrated progress by establishing the capacity to leverage its federated Business Enterprise Architecture to identify potentially duplicative investments; however, the department has yet to leverage this capacity to eliminate duplicative systems. In 2014, the department completed efforts to automate its business architecture compliance review process. According to officials, this automation was expected to improve the department's efforts to identify potentially duplicative systems. In addition, the department's Deputy Chief Management Officer demonstrated leadership commitment by requiring all business systems to be entered into the architecture compliance tool before they could be certified and approved to obligate fiscal year 2014 funds. The information produced by this requirement helps to support decision makers' efforts to identify potentially duplicative programs. For example, as we reported in May 2014,[Footnote 140] DOD officials provided data from the department's business architecture compliance tool showing that 120 systems performed activities associated with maintaining asset information and 110 systems were associated with managing military health services. However, DOD leadership does not require program managers or other DOD officials to use its Business Enterprise Architecture to identify and address potential duplication. Moreover, DOD leadership has not defined action plans describing how DOD will ensure that the department is using its business architecture to identify and address potentially duplicative investments. As a result, DOD is not monitoring progress demonstrated against such plans. DOD's Business System Investment Management Process: Figure: DOD Business Systems Modernization: [Refer to PDF for image: star illustration] DOD's Business System Investment Management Process: Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Not Met; Monitoring: Not Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has made progress in demonstrating leadership commitment and making improvements to its business system investment management process by taking steps to define and implement important policies and procedures for managing portfolio-level investments consistent with our IT Investment Management framework and the statutory investment management and business system modernization provisions. For example, in 2014[Footnote 141] we reported that DOD was continuing its efforts to further define and implement its defense business system governance framework--called the Integrated Business Framework. According to DOD, the framework is intended to align the department's strategic objectives with its defense business system investments. The department uses this framework, which includes six portfolios that align to eight functional areas,[Footnote 142] to manage business operations and investments. In addition, DOD has generally concurred with our recommendations to address improvements to its management of business systems. DOD needs to show continued leadership commitment and progress in addressing our associated recommendations as it takes steps to improve its business system investment management process. These recommendations are aimed at aligning the department's investment management process with its budgeting process, thus ensuring that investments are certified and approved before funds are allocated, as well as ensuring that business systems receive the appropriate level of review using a tiered investment review board approach. Furthermore, DOD has not established action plans for addressing gaps in its business system investment management approach and therefore is not monitoring progress demonstrated against such plans. DOD's Business System Acquisition Management: Figure: DOD Business Systems Modernization: [Refer to PDF for image: star illustration] DOD's Business System Acquisition Management: Leadership Commitment: Partially Met; Capacity: Met; Action Plan: Not Met; Monitoring: Not Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has taken steps to improve the department's business systems acquisition management outcomes. For example, in March 2014 we noted that the department had made mixed progress in addressing key acquisition practices, such as risk management, requirements management, and project monitoring and control, on selected major IT acquisitions, including DOD business systems. We continue to identify examples of business systems that do not meet expectations and experience key system acquisition issues, including significant cost overruns, schedule slippages, and performance issues. For example, in March 2014[Footnote 143] we reported the following: * The Defense Health Agency experienced significant cost increases and schedule delays in its development of a system to support warfighters and health care providers with patient, medical logistics, and medical command and control data. Specifically, the latest life cycle estimate for this system had increased approximately 2,233 percent--from $67.7 million in November 2002 to $1.58 billion as of December 2013. In addition, the system's full deployment date slipped by more than 6 years--from May 2009 to the first quarter of fiscal year 2016. Moreover, the agency did not have clearly defined capabilities for the system and there was not complete traceability between all of the system's requirements and work products. * A Navy system intended to support logistics planners and operators worldwide to manage combat logistics also had significant cost increases and schedule delays. Specifically, the latest life-cycle cost estimate for this system had increased approximately 302 percent-- from $461.4 million in June 2007 to $1.86 billion in December 2013. In addition, the system's full deployment date slipped by 6 years and is currently scheduled for the fourth quarter of 2015. Finally, this program had not always taken corrective actions to address issues in a timely manner. For example, as early as December 2008 the Navy was aware of technical complexities related to specific capabilities of the system. However, Navy officials did not decide to remove the capabilities until after it had spent about $48.4 million and 4.5 years developing them. DOD has also begun to demonstrate leadership commitment to improve its business system acquisition outcomes by recognizing that it needs to take steps to more effectively implement key Office of Management and Budget IT reform initiatives. If implemented effectively, the department's efforts to respond to these initiatives could help improve acquisition outcomes. However, in October 2012,[Footnote 144] we reported that DOD did not rate any of its investments as high risk on the Federal IT Dashboard--a website that allows the public to monitor the performance of major IT investments[Footnote 145]--despite significant cost, schedule, and performance issues that we and others reported. Therefore, we recommended that DOD ensure that its risk ratings reflect available investment performance assessments so that the department could better demonstrate progress made in improving investment performance. The department concurred; nonetheless, as of August 2014, the dashboard showed that for DOD's 118 major investments, 107 were low or moderately low risk, 11 were medium risk, and zero were moderately high or high risk. Moreover, in May 2014,[Footnote 146] we reported on the importance of IT investments delivering capabilities in smaller increments over shorter periods of time, in contrast to the way that agencies such as DOD have typically approached system development activities. However, of the 37 DOD investments we reviewed, only 1 planned to deliver functionality every 6 months and only 11 planned to deliver functionality every 12 months. Accordingly, we recommended that DOD update its incremental development policies to ensure that it complies with Office of Management and Budget guidance for requiring more frequent delivery of system functionality. The department generally concurred with our recommendations. In addition, DOD has not established an action plan for addressing needed improvements to its business system acquisition management efforts and therefore is not monitoring progress against such plans. In the absence of such a plan and policies, DOD continues to run the risk of failing to deliver major investments in a cost-effective and efficient manner. In addition to these concerns, in May 2013 we reported that the office of the Deputy Chief Management Officer, which is responsible for annually reviewing and approving the expenditure of funds associated with DOD business systems, had not conducted human capital analyses and that no plans existed to analyze and address skill gaps, thus limiting the department's capacity to lead improvement initiatives in each of these areas. In addition, in December 2013 the Secretary of Defense announced plans for transitioning the responsibility of business systems to DOD's Chief Information Officer and the National Defense Authorization Act for Fiscal Year 2015 includes provisions that transition business system modernization roles from the Deputy Chief Management Officer to a new Under Secretary of Defense for Business Management and Information who will also serve as the Department's Chief Information Officer. DOD has not yet fully defined how it intends to execute these transitions, and it remains to be seen how these changes will impact the use of DOD's Business Enterprise Architecture, its business system investment management approach, and business system acquisitions. Until DOD fully defines and consistently implements the full range of business systems modernization management controls, it may not be able to adequately ensure that its business system investments are the right solutions for addressing its business needs. Additionally, it will not be able to effectively demonstrate that its business system investments are being managed to streamline business processes, to produce expected capabilities efficiently and cost effectively, and to deliver planned benefits. We plan to continue to monitor DOD's efforts to address these areas. To this end, we have ongoing work focusing on (1) the effectiveness of DOD's Business Enterprise Architecture, (2) the status of DOD's response to our prior recommendations pertaining to business systems modernization, (3) DOD's ability to measure the impact of its modernization efforts and to demonstrate results, and (4) the extent to which selected major automated information systems are meeting planned cost and schedule milestones and performance measures. What Remains to Be Done: DOD must more fully demonstrate leadership commitment and progress in implementing critical IT modernization management controls. For example, the department needs to improve how it uses the federated business architecture, along with other related mechanisms, to identify and address potential duplication and overlap across its business systems environment. In addition, the department needs to take steps to address key portfolio management practices documented in our IT Investment Management Framework. These steps include improving the alignment of its business system certification and approval and budgeting processes and ensuring that systems receive the appropriate level of review. DOD also needs to ensure that its business system investments are managed with the kind of acquisition management rigor and discipline embodied in relevant guidance and best practices, so that each investment will deliver expected benefits and capabilities on time and within budget. In particular, the department should ensure that its cost, schedule, and performance information reported on the Office of Management and Budget's IT Dashboard is reliable and, over time, demonstrates improvement in achievement of cost, schedule, and performance expectations. The department should also demonstrate that it is taking steps to improve its guidance on incrementally developing IT systems to help ensure a timely delivery of needed capabilities. Furthermore, DOD should demonstrate that plans exist for addressing these various actions and associated recommendations and that the department is monitoring progress against these plans and demonstrating progress and related outcomes. The department also needs to ensure that it has the appropriate capacity in place by conducting needed human capital analyses and implementing the future business system related roles and responsibilities of the Under Secretary of Defense for Business Management and Information/Chief Information Officer. GAO Contact: For additional information about this high-risk area, contact Carol R. Cha at (202) 512-4456 or chac@gao.gov. Related GAO Products: Defense Business Systems: Further Refinements Needed to Guide the Investment Management Process. [hyperlink, http://www.gao.gov/products/GAO-14-486]. Washington, D.C.: May 12, 2014. Information Technology: Agencies Need to Establish and Implement Incremental Development Policies. [hyperlink, http://www.gao.gov/products/GAO-14-361]. Washington, D.C.: May 1, 2014. Information Technology: Leveraging Best Practices and Reform Initiatives Can Help Defense Manage Major Investments. [hyperlink, http://www.gao.gov/products/GAO-14-400T]. Washington, D.C.: Feb 26, 2014. DOD Business Systems Modernization: Further Actions Needed to Address Challenges and Improve Accountability. [hyperlink, http://www.gao.gov/products/GAO-13-557]. Washington, D.C.: May 17, 2013. Information Technology Dashboard: Opportunities Exist to Improve Transparency and Oversight of Investment Risk at Select Agencies. [hyperlink, http://www.gao.gov/products/GAO-13-98]. Washington, D.C: October 16, 2012. [End of section] DOD Support Infrastructure Management: Why Area Is High Risk: The Department of Defense (DOD) manages a global real property portfolio that consists of more than 562,000 facilities--including barracks, commissaries, data centers, office buildings, laboratories, and maintenance depots--located on more than 5,000 sites worldwide and covering more than 28 million acres. With a replacement value of about $850 billion, this infrastructure is critical to maintaining military readiness, and the cost to build and maintain it represents a significant financial commitment. Since designating this area as high risk in 1997, we have reported on long-term challenges DOD faces in managing its portfolio of facilities, such as reducing excess infrastructure, sustaining facilities, providing facilities needed to support several simultaneous force structure initiatives, and achieving cost savings and efficiencies in base support through its joint basing initiative. [Footnote 147] Because DOD has made significant progress in addressing issues regarding planning and funding to sustain facilities, we narrowed the defense infrastructure high-risk area in our 2011 high risk update to focus on two remaining areas: (1) reducing excess infrastructure and (2) achieving cost savings and efficiencies in base support through eliminating duplication of support services where bases are in close proximity to or adjacent to one another. In our 2013 high-risk update, we reported that DOD continued to have significant excess capacity relative to its planned force structure and had not made significant progress in realizing the anticipated cost savings and efficiencies envisioned to be gained through joint basing. Therefore, DOD needs to take additional actions to address these two areas, based on our criteria for removing areas from the High Risk List. What GAO Found: Figure: DOD Support Infrastructure Management: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Since our 2013 high-risk update, DOD has made progress in addressing the reduction of excess infrastructure; however, it has shown limited improvement in achieving cost savings and efficiencies in base support. In reducing excess infrastructure, DOD has demonstrated leadership commitment and produced a number of action plans, but work remains to fully address the three remaining criteria of capacity, monitoring, and demonstrated progress for removal from the High Risk List. In achieving cost savings and efficiencies in base support, DOD has shown some improvements in capacity, monitoring, and demonstrated progress through the joint bases, but more needs to be done to fully address these criteria. Further, DOD needs to demonstrate leadership commitment by providing clear direction for the goals and priorities of joint basing and the impetus to achieve cost-saving measures at joint bases, and DOD needs an action plan with measurable goals linked to savings and efficiencies attributable to joint basing. Reducing Excess Infrastructure: Figure: DOD Support Infrastructure Management: [Refer to PDF for image: star illustration] Reducing Excess Infrastructure: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership Commitment: With respect to reducing excess infrastructure, DOD demonstrated leadership commitment by requesting additional rounds of the Base Realignment and Closure process (BRAC), which is DOD's primary method for reducing excess infrastructure. In 2013 and 2014 DOD requested additional rounds of BRAC for 2015 and 2017, respectively. In addition, as we reported in September 2011, DOD has shown leadership commitment in reducing excess infrastructure by implementing its demolition program for fiscal years 2008 through 2013 and by directing the military services and certain defense organizations to determine targeted amounts of excess facilities to be disposed of. DOD's efforts to reduce excess infrastructure since fiscal year 2013 have included working with the military services to develop and implement more effective and efficient methods to reduce excess infrastructure, such as more proactively managing DOD's processes to meet historic preservation and environmental requirements, and working with host nations to avoid prolonged negotiations over the return of excess infrastructure in foreign countries. Continued leadership commitment by DOD will be important to sustain efforts to reduce excess infrastructure. Capacity: In past BRAC rounds, DOD demonstrated that it has the capacity to dispose of excess infrastructure; however, moving forward DOD needs to take action to manage the reduction of long-standing excess facilities and to improve the accuracy and completeness of its utilization data. DOD officials stated that they would have the resources to execute additional BRAC rounds. Also, in past BRAC rounds DOD was successful in disposing of excess infrastructure. Under the 2005 BRAC round DOD closed 24 major bases and under the 1995 BRAC round it closed 33 major bases, along with other major realignments. In September 2011, we projected that by the end of fiscal year 2013 DOD would exceed its overall target to reduce excess square footage through its demolition program. However, officials have stated that the department does not have sufficient resources to continue its rate of reducing excess infrastructure through demolition or consolidation of excess space. DOD decreased its funding for demolition based on its plans for significantly smaller amounts of demolition in fiscal years 2013 through 2015. Further, we reported in September 2011 that long-standing excess facilities--excess infrastructure identified prior to the start of the demolition program in fiscal year 2008--remain in DOD's inventory, and according to DOD officials, may be more costly to eliminate. Our analysis of DOD's real property inventory found that more than half of the excess facilities in fiscal year 2010 were long-standing excess, some of which date back to the 1960s. DOD officials stated that several external factors may delay or complicate future disposal, such as requirements for historic preservation, environmental restrictions, and contingent actions to dispose of facilities in international settings. DOD has been more proactively managing processes to meet historic preservation and environmental requirements and has been working with host nations to avoid prolonged negotiations over the return of excess infrastructure in foreign countries; however, the smaller amount of demolition that DOD anticipates to complete in future years is not consistent with its need to demolish long-standing excess facilities. In addition, we reported in September 2011 and September 2014 that DOD is limited in its ability to identify potentially excess facilities because it does not maintain complete and accurate data concerning the utilization of its facilities. Over the past 4 fiscal years, DOD has shown some improvement in collecting utilization data for its real property assets--increasing from 46 to 53 percent collected; however, even where utilization data are reported in certain military service databases, data entry anomalies raise questions about the reliability of the data. For example, the Army's records indicate 41 percent, or almost 119,000 facilities, were inspected for utilization rates in such years as 0012, 0013, 1012, 1776, and another 10 percent, or just over 10,000 facilities, were inspected between the years 2020 and 3013. Continuing to manage the reduction of long-standing excess facilities and to improve the accuracy and completeness of its utilization data may help improve DOD's capacity to reduce excess infrastructure. Action Plan: DOD developed a number of action plans to reduce infrastructure under various initiatives, which together provide for corrective measures and solutions to reduce excess infrastructure. We reported in March 2013 that to implement each of the BRAC 2005 recommendations DOD developed detailed business plans, which included required actions, time frames, resources needed to complete those actions, and a method for resolving disagreements among stakeholders. In addition, to address an Office of Management and Budget (OMB) memorandum for all federal agencies to maintain the amount of fiscal year 2012 infrastructure government-wide (i.e., the Freeze the Footprint policy), DOD directed the military services that any new construction to be considered must have an equivalent reduction of excess space. DOD identified specific time frames and methods to monitor and report results of the policy.[Footnote 148] Moreover, some services have plans for reducing excess infrastructure. These plans outline solutions and corrective measures to implement the goals of their initiatives. For example, the Air Force has a plan to reduce its infrastructure by 20 percent by fiscal year 2020, and the Army incorporated reducing its footprint and decreasing excess infrastructure into its Army Facility Strategy 2020. Monitoring: DOD has some procedures in place to monitor the reduction of excess infrastructure from the previous 2005 BRAC round, under the Freeze the Footprint policy, and under each service's efforts; however, more can be done to improve monitoring of costs and savings from a future BRAC and from service efforts to better identify excess infrastructure. DOD established a process to track the progress of implementing the 2005 BRAC round. In addition to the business plans noted above, DOD developed and used a quantitative model known as the Cost of Base Realignment Actions (COBRA), which we found in March 2013 to be a reasonable estimator for comparing potential costs and savings among candidate alternatives to estimate the costs and savings associated with BRAC 2005 recommendations. However, we also found that DOD's process for providing the BRAC Commission with cost and savings estimates was hindered in many cases by underestimating certain requirements that were entered into the COBRA model. We made a number of recommendations in March 2013 to improve monitoring of the BRAC process, such as ensuring that all anticipated costs for relocating personnel and equipment were included in the model and limiting the practice of bundling realignments and closures, with which DOD did not concur. DOD officials have stated that, should there be another BRAC round, they expect to establish similar procedures for monitoring the implementation of the BRAC recommendations and any resulting reduction of excess infrastructure. But unless DOD improves its monitoring of BRAC-related costs and savings, DOD will be limited in its ability to track its progress in implementing the goals of future BRAC rounds. In addition, each service has its own efforts and methods for identifying and reducing excess infrastructure. For example, the Air Force set a target date of fiscal year 2020 for meeting its 20 percent reduction goal and is in the process of updating facility information in its electronic database, called the S-File, which tracks space utilization. However, the Army has not set specific reduction goals and according to officials has not fully transitioned from a system of tracking entire facilities based on usage (e.g., administrative offices, warehouses) to a system that monitors detailed space utilization within facilities. Also, as stated previously, DOD is limited in monitoring its reduction of excess infrastructure because it does not maintain complete and accurate data concerning utilization of its facilities. Without continuing to monitor service-level efforts to reduce excess facilities and improving the utilization data in its facility database, DOD will continue to be limited in its ability to monitor its reduction of excess infrastructure. Demonstrated Progress: DOD has demonstrated some progress in reducing excess infrastructure but needs to improve its capacity and monitoring. If Congress authorizes future rounds of BRAC, based on past experience with the 1995 and 2005 BRAC rounds during which DOD closed a total of 57 major bases, we expect that DOD will continue to demonstrate progress in reducing infrastructure. The military services have also demonstrated some progress in reducing excess infrastructure. For example, the services have disposed of and demolished excess facilities through their individual efforts, and under the Freeze the Footprint policy DOD has limited construction of new facilities with an equivalent reduction of square footage. Further, for fiscal year 2013, DOD reported a net reduction of 7.7 million square feet, which is about 75 percent of the total reduction across the federal government under this policy. However, officials stated that they are restricted in some consolidation of space by decreased funding for military construction. Also, DOD's progress in reducing excess infrastructure is limited by challenges with long- standing excess facilities and incomplete and inaccurate data related to utilization of facilities. Until DOD improves its capacity and monitoring in its efforts to reduce long-standing excess facilities and to improve the reliability of its data related to the use of facilities, the department cannot fully demonstrate progress in reducing excess facilities. Achieving Cost Savings and Efficiencies in Base Support: Figure: DOD Support Infrastructure Management: [Refer to PDF for image: star illustration] Achieving Cost Savings and Efficiencies in Base Support: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership Commitment: In November 2012 we reported that DOD had not demonstrated sufficient leadership commitment through its joint basing initiative because it had not developed guidance for the joint bases to achieve the initiative's goal of cost savings or efficiencies. We further reported in September 2014 that DOD had not conducted a mid- program review of the purpose and goals of the joint basing initiative and that DOD's lack of direction had hindered the joint bases' progress in achieving goals. As a result, we recommended that DOD evaluate the purpose of the program and determine whether its current goals, as stated in the 2005 BRAC Commission recommendation, are still appropriate, or whether the goals should be revised; communicate these goals to the military services and joint bases and adjust program activities accordingly; provide direction to the joint bases on requirements for meeting program goals, including determining reporting requirements and milestones; and determine any next steps for joint basing, including whether to expand it to other installations. DOD did not concur with the recommendations, stating that the goal of the joint basing program remains to increase the efficiency of delivering installation support and that the program has generated savings. However, as we also reported in November 2012 and September 2014, DOD's estimates for savings stemming from the implementation of the joint bases cannot be distinguished from savings derived from military service-wide budget cuts. Further, in our September 2014 report joint base officials stated that they were unclear to what extent achieving greater efficiencies and costs savings were still appropriate for joint basing in an environment where priority is placed on getting the mission complete, and not on investing resources to assess the feasibility of cutting redundancies and gaining efficiencies. Given the continued confusion at the joint bases over the goals of the program, as well as DOD's inability to isolate cost savings resulting from consolidation versus service-wide budget cuts, there is a continuing need to review the goals of the program and provide direction to the services and joint bases. Thus, we suggested that Congress consider directing the Deputy Under Secretary of Defense (Installations and Environment), in collaboration with the military services and joint bases, to evaluate the purpose and goals of the program and provide guidance to the services and the joint bases on requirements for meeting the goals. Without evaluating the purpose and goals and providing associated direction to the services and joint bases, DOD will risk losing focus or priority on enhancing efficiencies and reducing redundancies. Capacity: DOD has shown some capacity to consolidate installation services at the joint bases, but may not have all of the resources it needs to fully achieve the goals of the joint basing program. When the joint bases were consolidated in fiscal year 2010, DOD directed that funding for operating the joint bases was not subject to department- wide cuts, and resources were provided at full authority. However, beginning in fiscal year 2014 DOD removed this stipulation and joint basing funds became subject to budget cuts like any other base. While such cuts in funding at the joint bases may reflect lower obligations, they represent cost reductions not attributable to joint basing. In addition, we reported in November 2012 that the joint base common standards required the services to fund installation support at higher- than-previous levels. We found that some supported components and tenants experienced changed expectations and increased costs under the joint base structure because the supporting service had a different interpretation of the work provided. The difference in how the military services conduct snow removal is one example of how the joint base common standards changed expectations and increased costs. A supported service expects the base to remove snow and ice on roads, parking lots, sidewalks, and building paths because its service's bases previously provided that level of work. However, the supporting service clears only roads and parking lots on its service's bases, so it provides the lower level of work at its joint bases. The supported service personnel were surprised when they had to clear snow and ice from sidewalks surrounding their buildings. Thus, because the base did not expect to provide snow removal on sidewalks and building paths, officials needed to spend additional money to contract for snow removal on sidewalks or use other personnel to remove snow. We recommended that DOD review and prioritize the common standards in all functional areas to ensure a shared framework of management and planning of base support services. DOD partially concurred, stating that it already had a process for review of the standards; however, we found that officials at the joint bases still needed clarification of what was being measured in the standards and the prioritization of the standards. Despite cuts in funding and increased costs, DOD has shown some capacity to consolidate installation services at the joint bases. We found in November 2012 that the joint bases reported meeting common standards more than 70 percent of the time in fiscal years 2010 and 2011. Also, in September 2014, we found that the joint bases reported partially consolidating 80 percent of their installation functions. However, with a better understanding of the standards and its priorities, DOD would have insight into its capacity requirements for further consolidation of base support services at the joint bases and for potentially expanding the program to other military bases. Action Plan: DOD has not established an action plan for achieving cost savings and efficiencies through joint basing that provides for corrective measures or a timeline to show progress. As a result, joint base commanders are responsible for determining to what extent they will pursue initiatives to reduce redundancy and achieve potential cost savings or efficiencies, and the extent to which such initiatives have been pursued varies by joint base. Further, DOD cannot demonstrate that the savings the department is attributing to the joint bases were achieved through consolidation of support services and not through unrelated actions such as hiring freezes and sequestration-driven budget cuts. We recommended in November 2012 that DOD develop and implement a plan that provides measurable goals linked to achieving savings and efficiencies at the joint bases and provide guidance to the joint bases that directs them to identify opportunities for cost savings and efficiencies. DOD did not concur with the recommendation, stating that such targets would restrict the authority of joint base commanders and burden them with implementing new organizational structures which would risk negative impacts to support services and operational effectiveness. In November 2012 and September 2014, we concluded that DOD's justification for joint basing--realizing savings and reducing duplication of services--could be better managed and monitored by developing a plan including guidance and encouraging appropriate practices, goals, and timeframes. Without such an action plan, the joint bases lack direction and DOD is limited in its ability to demonstrate that the joint bases have shown progress toward meeting goals for achieving savings and reducing duplication of services. Monitoring: DOD is able to monitor some of the joint bases' performance in consolidating support functions, but needs to improve cost reporting that isolates savings from the efforts of the joint bases to implement efficiencies. In November 2012, we reported that DOD is not effectively monitoring the extent to which it is achieving cost savings or efficiencies derived from the consolidation of support services on the joint bases. Through DOD's data collection tool, called the Cost and Performance Visibility Framework, joint bases report installation support performance data, including annual reports on funds obligated to provide base support services. We recommended that DOD continue to develop and refine the framework in order to eliminate data reliability problems, facilitate comparisons of joint basing costs with the costs of operating separate bases, and isolate costs and savings from the joint basing initiative. DOD partially concurred with our recommendation, acknowledging that there were inconsistencies in the data, and stated that it was working to improve the data's reliability but found it impractical to isolate and distinguish joint basing cost savings from the savings that result from DOD-or service-wide actions using the data contained in its framework. DOD officials stated that with the improved data they planned to compare current obligations with prior years and perform a separate analysis to compare joint basing operating costs with the costs of operating the separate bases prior to the creation of the joint bases. DOD provided guidance to the joint bases to correct baseline data: as a result, the quality of the data improved for fiscal year 2012. In 2013, DOD performed an analysis comparing the improved operating cost data with the projected costs of operating separate installations. This analysis showed that the joint bases cost less to operate relative to the costs of operating the separate installations. Together, these actions partly met the intent of our recommendation and provided DOD with an improved picture of the cost of operating the joint bases. However, we found that the data reported include costs and savings which are not specific to joint basing. For instance, DOD officials stated that some of the savings were attributable to DOD's efforts to cap the number of civilian positions. Other savings were attributable to budget cuts that DOD stated stem from actions taken to implement the Budget Control Act and sequestration actions. Thus, while cost reporting improved, without a reliable method to collect information on net costs, estimated savings, or efficiencies specifically from joint basing, DOD cannot fully exclude other influences on the bases' budgets unrelated to joint basing. Nor can it monitor achievement of cost savings and efficiencies through joint basing. As previously stated, evaluating the joint basing program's goals and having better visibility over its capacity would better position DOD to determine whether to expand the program to other military bases to consolidate services. These actions would also help DOD achieve efficiencies and cost savings. Demonstrated Progress: Partly in response to our recommendations, DOD has demonstrated some progress in the consolidation of base support services through the joint bases; however, as stated above, DOD still needs to provide clear direction to the services and the joint bases on the steps to implement the goals of joint basing. DOD also needs to improve monitoring of the achievement of cost savings and efficiencies. DOD instituted mechanisms to facilitate routine communication between the joint bases and between the joint bases and the office of the Deputy Under Secretary of Defense to encourage joint resolution of common challenges and sharing of best practices and lessons learned. For example, beginning in February 2013 DOD held annual meetings for joint base commanders to discuss issues at the joint bases and potential ways to address identified issues. Further, according to a DOD official, DOD is developing guidance to ensure that the joint bases provide training materials to incoming personnel on how installation services are provided on joint bases. However, as previously discussed, DOD has not yet fully demonstrated that the joint basing program has resulted in reduction of duplication of efforts that would generate cost savings and increase efficiencies. We reported in September 2014 that joint base officials, in response to survey questions and interviews, did not report significant achievements in reaching these goals. For example, 12 percent of respondents stated that they were able to reduce redundant funded positions, 25 percent were able to reduce redundant contracts or to increase contract efficiencies, and 24 percent were able to consolidate redundant procedures related to joint basing. DOD has data that indicate that joint bases are obligating less funding than they would have as stand-alone bases, but it is not clear to what extent the savings are attributable to the consolidation of installation support services because DOD does not have a method to collect cost savings information specific to the joint base program. Without providing clear direction to the services and joint bases on the actions to achieve consolidation goals and better monitoring of the achievement of cost savings and efficiencies, DOD is limited in demonstrating progress through the consolidation of base support services. What Remains to Be Done: Reducing Excess Infrastructure: DOD needs to take a number of actions to satisfy the three high-risk criteria (capacity, monitoring, and demonstrating progress) that have been partially met. Specifically, DOD needs to: * establish a plan, including goals and timelines, to update utilization data to maintain its currency; * continue to manage the reduction of long-standing excess facilities; * if Congress authorizes a future BRAC round, improve the fidelity of initial cost estimates by working with military services and other appropriate stakeholders to fully identify requirements, such as the cost of military construction, information technology, and relocating personnel and equipment; * continue to periodically track service-level efforts to reduce excess infrastructure; and: * improve capacity and monitoring through the actions described above to fully demonstrate progress in reducing excess infrastructure. Achieving Cost Savings and Efficiencies in Base Support: DOD needs to take a number of actions to satisfy the two high-risk criteria (leadership commitment and action plan) that have not been met, and the three criteria (capacity, monitoring, and demonstrated progress) that have been partially met. Specifically, DOD should: * evaluate the purpose of the program and determine whether DOD's current goals are still appropriate or should be revised; * provide clear direction to the joint bases about the goals, time frames, and measures in consolidating base support services; * work with the military services to determine what reporting requirements and milestones should be in place to increase support and commitment for the program's goals; * review and prioritize the common standards in all functional areas to ensure a shared framework of management and planning of base support services; * establish an action plan with measurable goals to track progress toward meeting the cost savings and efficiency goals; and: * continue to develop an approach to identify and isolate costs and savings resulting from actions and initiatives from consolidating support services at joint bases, excluding DOD-or service-wide actions and initiatives which may lead to reduced expenditures but could have been achieved without the initial investment and are consequently unrelated to joint basing. GAO Contact: For additional information about this high-risk area, contact Brian J. Lepore at (202) 512-4523 or leporeb@gao.gov. Related GAO Products: DOD Joint Bases: Implementation Challenges Demonstrate Need to Reevaluate the Program. [hyperlink, http://www.gao.gov/products/GAO-14-577]. Washington, D.C.: September 19, 2014. Defense Infrastructure: DOD Needs to Improve Its Efforts to Identify Unutilized and Underutilized Facilities. [hyperlink, http://www.gao.gov/products/GAO-14-538]. Washington, D.C.: September 9, 2014. Military Bases: DOD Has Processes to Comply with Statutory Requirements for Closing or Realigning Installations. [hyperlink, http://www.gao.gov/products/GAO-13-645]. Washington, D.C.: June 27, 2013. Defense Infrastructure: DOD's Excess Capacity Estimating Methods Have Limitations. [hyperlink, http://www.gao.gov/products/GAO-13-535]. Washington, D.C.: June 20, 2013. Military Bases: Opportunities Exist to Improve Future Base Realignment and Closure Rounds. [hyperlink, http://www.gao.gov/products/GAO-13-149]. Washington, D.C.: March 7, 2013. DOD Joint Bases: Management Improvements Needed to Achieve Greater Efficiencies. [hyperlink, http://www.gao.gov/products/GAO-13-134]. Washington, D.C.: November 15, 2012. Military Base Realignments and Closures: Updated Costs and Savings Estimates from BRAC 2005. [hyperlink, http://www.gao.gov/products/GAO-12-709R]. Washington, D.C.: June 29, 2012. Excess Facilities: DOD Needs More Complete Information and a Strategy to Guide Its Future Disposal Efforts. [hyperlink, http://www.gao.gov/products/GAO-11-814]. Washington, D.C.: September 19, 2011. [End of section] DOD Financial Management: Why Area Is High Risk: The Department of Defense (DOD) is responsible for more than half of the federal government's discretionary spending. Significant financial and related business management systems and control weaknesses have adversely affected DOD's ability to control costs; ensure basic accountability; anticipate future costs and claims on the budget; measure performance; maintain funds control; prevent and detect fraud, waste, and abuse; address pressing management issues; and prepare auditable financial statements. Without accurate, timely, and useful financial information, DOD is severely hampered in making sound decisions affecting the department's operations. Further, to the extent that current budget constraints and fiscal pressures continue, the reliability of DOD's financial information and ability to maintain effective accountability for its resources will be increasingly important to the federal government's ability to make sound resource allocation decisions. Effective financial management is also fundamental to achieving DOD's broader business transformation goals. Successful transformation of DOD's financial management processes and operations will allow DOD to routinely generate timely, complete, and reliable financial and other information for day-to-day decision making, including the information needed to effectively (1) manage assets, (2) assess program performance and make budget decisions, (3) make cost-effective operational choices, and (4) provide accountability over the use of public funds. What GAO Found: Figure: DOD Financial Management: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Not Met; Demonstrated Progress: Not Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Since 2013, DOD's progress in improving its financial management processes and operations has been mixed. DOD has made partial progress toward demonstrating leadership commitment and developing capacity and action plans. For example, DOD's senior-level leadership continues its efforts to address its financial management challenges through (1) implementation of the Financial Improvement and Audit Readiness (FIAR) Plan and the accompanying FIAR Guidance, which provides the standard methodology for DOD's components to implement the FIAR Plan, (2) implementation of certain of its planned enterprise resource planning (ERP) systems to establish modern business information systems, and (3) development of training programs to build a skilled workforce. However, DOD continues to face challenges in monitoring corrective actions and demonstrating progress. It needs to address such key challenges as identifying and mitigating risks to achieving the goals of DOD's FIAR effort, and successfully implementing the FIAR Guidance at the DOD component level. Specifically, risk management policies associated with preparing auditable financial statements through the FIAR Plan are not in accordance with widely recognized guiding principles for effective risk management. Although DOD has identified several risks that could hinder its efforts to achieve financial statement auditability, it has not identified or addressed additional key risks reported in external audit reports, such as (1) components' reliance on service providers for significant aspects of their financial operations--processing and recording financial transactions, and (2) lack of ability to maintain documentation to support transactions. Leadership Commitment. Since the last high-risk update in 2013, the commitment of DOD's senior leadership to improving the department's financial management has continued to be encouraging, with statements, testimony, and actions emphasizing the importance of effective financial management and audit readiness to DOD's stewardship over the substantial funding and other resources entrusted to the department. DOD's leadership directives have set out a strategy and methodology for improving DOD's financial management through the FIAR Plan Status Reports and FIAR Guidance, consistent with statutory requirements. The FIAR Guidance requires components to perform procedures to verify that corrective action plans have been implemented and that they have successfully remediated system, process, and internal control deficiencies. The FIAR Directorate meets regularly with us for a constructive exchange of information on the status of DOD and component actions and to help sustain progress toward the FIAR goals. However, as we have previously reported, DOD continued to identify the need for qualified and experienced personnel--not only at working levels, but also in senior leadership positions--as a risk to achieving its financial improvement and audit readiness goals. In its May 2014 FIAR Plan Status Report, DOD stated that budgetary pressures from recent years have severely impeded its progress in addressing its financial management deficiencies. Capacity. DOD is making efforts to increase its capacity in business information systems and workforce knowledge and skills. It has identified several, multifunctional ERP systems as critical to its financial management improvement efforts. DOD is in the process of implementing various ERP systems to establish an audit ready systems environment, but the components' plans for ERP deployment vary, and some projected deployment dates have either not been determined or extend into fiscal year 2017. As it relates to workforce knowledge and skills, DOD is addressing financial management workforce competencies and training through complementary efforts by (1) the Office of the Under Secretary of Defense for Personnel and Readiness (DOD Personnel and Readiness) to develop a strategic civilian workforce plan that includes financial management, pursuant to requirements in the National Defense Authorization Act (NDAA) for Fiscal Year 2010 [Footnote 149] and (2) the DOD Comptroller to develop and implement a training program for financial managers.[Footnote 150] DOD has established a training program for its financial management workforce known as the Financial Manager Certification Program, which will guide training and development for DOD's financial management workforce. We have reported that substantive results are not yet apparent from DOD's efforts in building its capacity. We and the DOD Office of Inspector General (DOD IG) have found deficiencies in the capability of the ERPs to perform essential business functions in areas such as data quality, data conversion, system interfaces, and compliance with laws and regulations. In September 2014, we found that the Army's Global Combat Support System (GCSS-Army) program had still not fully met best practices in developing schedule and cost estimates.[Footnote 151] By incorporating best practices for developing reliable schedule and cost estimates for the GCSS Army, DOD would increase the probability of GCSS-Army successfully achieving full deployment by the fourth quarter of fiscal year 2017 to provide needed functionality for financial improvement and audit readiness. We also reported on continuing delays in the deployment of other key ERP systems. In addition, the DOD IG has reported that four component ERP systems did not have the capability to record and track transaction data.[Footnote 152] This weakness impairs the reliability of DOD's budgetary and financial reports, including periodic reports to Congress. In addition, the DOD IG reported that transactions originating in feeder systems are not always supported, which will hinder DOD's audit readiness efforts. Further, the DOD IG stated that because of schedule delays and cost increases, DOD will continue using outdated legacy systems and ERP systems that have not been fully developed or implemented, increasing the risk that it will not meet its goal of full financial statement auditability by September 30, 2017. In DOD's fiscal year 2014 Agency Financial Report, the DOD IG reiterated this concern and noted that the department has not reengineered its business processes to the extent necessary, stating that instead it has often customized commercial ERPs to accommodate existing processes. Regarding DOD's financial management workforce, we have reported that DOD has not met statutory requirements for assessing the gap between existing and future critical-skill needs. DOD will need to fulfill the mandated critical-skill requirements for its financial management workforce to ensure that it has the capacity to make lasting improvements in its financial management. In addition, DOD will need to effectively implement its Financial Manager Certification Program to help ensure that the components have knowledgeable and skilled managers to implement the FIAR Guidance. Action Plan. DOD has set out a strategy for financial management reform efforts (through the FIAR Plan Status Reports) and a methodology for achieving such reform (through the FIAR Guidance). The FIAR Guidance provides the components with a standard methodology to use in implementing the FIAR Plan. It continues to focus on strengthening processes, controls, and systems to improve the accuracy, reliability, and reporting of (1) budgetary information and (2) management information that pertains to mission-critical assets. However, the guidance does not fully define the actions to be taken to resolve other long-standing financial management weaknesses. For example, DOD is not able to accurately account for its assets and continues to have significant funds control weaknesses that leave it at risk of overobligating and overexpending its appropriations. The efforts of DOD components to date to implement the FIAR Guidance have not resulted in a fundamental transformation of systems and operations necessary to resolve the department's long-standing financial management deficiencies. Resolution of these deficiencies will be crucial to DOD's efforts to meet the September 30, 2017, statutorily mandated target date for validating audit readiness of DOD's full financial statements. Monitoring. DOD has identified the key capabilities (e.g., sufficient, relevant, and accurate supporting documentation that is readily available) that its components must achieve to demonstrate audit readiness with respect to the budgetary information reported in its Statement of Budgetary Resources (SBR).[Footnote 153] It uses metrics (e.g., percentage of supporting documents deemed sufficient) to monitor the components' progress toward audit readiness. DOD's intent with respect to monitoring and oversight of the metrics is to demonstrate visible component-level progress in assessing and testing controls and remediation of control deficiencies. However, the lack of effective monitoring and oversight of the metrics used to assess controls and the remediation of control deficiencies has contributed to DOD's lack of progress in implementing the FIAR Guidance effectively. For example, we recently reported that DOD did not fully implement the FIAR Guidance in the areas of planning, testing, and corrective actions. Specifically, DOD did not adequately (1) perform certain planning activities associated with its processing of payments to contractors (contract pay), (2) perform required testing of its contract pay controls, processes, and balances, and (3) provide documentation to support the department's claim that it had remediated all of the identified control deficiencies with respect to contract pay. We also reported that, for the Army, DOD did not ensure that all significant budgetary processes, systems, and risks were adequately considered and identified deficiencies were resolved. DOD has not effectively monitored the risks in remediating its financial management challenges. As we noted in a recent report, DOD's risk management policies and procedures associated with preparing auditable financial statements through the FIAR Plan were not in accordance with widely recognized guiding principles for effective risk management. Without effective monitoring and management of risk at the department level, DOD is at increased risk of not fully resolving its financial management challenges. Demonstrated Progress. In response to component difficulties in preparing for a full SBR audit, DOD made a significant change to its FIAR Guidance that will limit the scope of the first year SBR audits for DOD components. As outlined in the November 2014 FIAR Plan Status Report and the November 2013 revised FIAR Guidance, the scope of initial SBR audits, beginning in fiscal year 2015, will be on current- year budget activity, to be reported on a Schedule of Budgetary Activity (SBA).[Footnote 154] This would be an interim step toward achieving an audit of multiple-year budget activity required for an SBR. In making this strategic change, DOD officials concluded--based on the difficulties encountered in obtaining documentation for prior- year transactions on the United States Marine Corps SBR audit--that the most effective path to a full SBR audit would be to start with reporting and auditing only current-year activity for fiscal year 2015 appropriations and expanding subsequent audits to include current-year appropriations and prior appropriations going back to fiscal year 2015. Although the NDAA for Fiscal Year 2010, as amended by the NDAA for Fiscal Year 2013, set September 30, 2014, as the target date for validating the audit readiness of the SBR,[Footnote 155] the most current FIAR Plan Status Report acknowledges that DOD has not met that date. DOD has continued its efforts towards an auditable SBA. The military departments and other defense organizations asserted that their documentation and internal controls are sufficient to support an audit of their SBA on September 30, 2014, and started first-year SBA audits during fiscal year 2015. DOD has also reported that six DOD organizations[Footnote 156] received unmodified audit opinions on their fiscal year 2013 financial statements, and one DOD organization [Footnote 157] has received a modified opinion. DOD components are in the process of implementing their financial improvement plans for the existence and completeness of mission-critical assets, such as ships, aircraft, and real property. In its May 2014 FIAR Plan Status Report, DOD stated that 69 percent of property and equipment and 26 percent of inventory have been asserted as audit ready. DOD has efforts under way to address its long-standing financial management weaknesses. Also, Congress has played a major role by establishing statutory goals and requirements that have helped lead to many of the corrective actions. Congressional oversight committees have continued to press for increased progress at DOD through legislation and hearings in 2013 and 2014. We will continue to support Congress in its oversight. Congressional Action: To encourage financial management reform, Congress passed the NDAA for Fiscal Year 2010 requiring that DOD develop and maintain the FIAR Plan, which includes the specific actions to be taken and costs associated with correcting the financial management deficiencies that impair its ability to prepare timely, reliable, and complete financial management information and ensuring that its financial statements are validated as ready for audit by September 30, 2017. The NDAA for Fiscal Year 2013 established certain requirements for the FIAR Plan, including actions taken to ensure audit readiness of DOD's SBR no later than September 30, 2014, and an assessment of readiness. The November 2014 FIAR Plan Status Report acknowledges that DOD did not achieve the above noted requirement for the SBR to be validated as ready for audit by September 30, 2014. Further, the NDAA for Fiscal Year 2014 mandates a full audit of DOD's fiscal year 2018 financial statements, and that those results be submitted to Congress by March 31, 2019.[Footnote 158] Congressional oversight committees have continued to press for increased progress at DOD through legislation and hearings in 2013 and 2014. We will continue to support Congress in its oversight. What Remains to Be Done: Leadership. DOD needs to assure the sustained involvement of leadership at all levels of the department in addressing financial management reform and business transformation. DOD leadership says it is committed to achieving effective funds controls to support financial accountability and reliable information for day-to-day management decision making and auditable financial statements. However, because some of the corrective actions on long-standing funds control weaknesses are not expected to be completed until 2017, these weaknesses, until fully resolved, will continue to adversely affect DOD's ability to achieve its goals for financial accountability. DOD leadership needs to ensure that DOD components adhere to the disciplined processes in the FIAR Plan and the accompanying FIAR Guidance to ensure that components have effective leadership, processes, systems, and controls in place for sustainable improvement of DOD's financial management operations and audit readiness. Sustained leadership commitment is critical to DOD's success in achieving financial accountability and in providing reliable information for day-to-day management decision making as well as financial audit readiness. Also, DOD will need to ensure key leadership positions are filled with qualified people. Capacity. DOD needs to meet statutory requirements for assessing the gap between existing and future critical-skill needs of the financial management workforce.[Footnote 159] Once DOD has identified critical skills and competencies, it can develop strategies to address gaps in the number of personnel, needed skills and competencies, and deployment of the workforce. In addition, DOD will also need to fully and effectively implement its Financial Manager Certification Program, which began phased implementation in June 2013. DOD also needs to continue to develop and deploy ERPs as a critical component of DOD's financial improvement and audit readiness strategy. DOD needs to adopt best practices in cost estimation and scheduling to address cost, schedule, and capability issues in the development and implementation of its ERPs. For example, we reported in February 2014 that the Air Force did not meet best practices in developing a schedule for the Defense Enterprise Accounting and Management System (DEAMS).[Footnote 160] As a result, this raises questions about the credibility of the deadline for acquiring and implementing DEAMS to provide needed functionality for financial improvement and audit readiness. The DOD IG has reported that DOD continues to have schedule delays in effectively implementing its ERPs. These delays in implementing ERP systems increase the risk that DOD will not meet its goal for readiness for a full financial statement audit by the end of fiscal year 2017. DOD also needs to ensure that four component ERP systems have the capability to record and track transaction data.[Footnote 161] Action Plan. DOD needs to continue to implement its FIAR Plan and FIAR Guidance to focus on strengthening processes, controls, and systems to improve the accuracy, reliability, and reporting for the SBA and the SBR, and to assess the existence and completeness of mission-critical assets. It also needs to fully define in the FIAR Guidance the actions that need to be taken to resolve the department and its components' long-standing financial management weaknesses and to address full financial statement auditability. While implementing the guidance, DOD should not lose sight of the ultimate goal of implementing lasting and sustainable financial management reform which provides useful, reliable, and timely information for decision making as a routine part of financial management operations. Auditable financial statements would be a natural byproduct of their success. Monitoring. In effectively monitoring its components' implementation of the FIAR Guidance and component-level progress in assessing and testing controls and in remediating control deficiencies, DOD needs to gain assurance that the components have implemented their financial improvement plans effectively prior to asserting audit readiness. For example, DOD should take such actions as the following: * require the Defense Finance and Accounting Service (DFAS) and Army to complete corrective actions in response to our recommendations for improving the implementation of their financial improvement plans (i.e., contract payments and budgetary execution) in accordance with the FIAR Guidance. Other DOD components also need to consider how these recommendations apply to their own efforts. * design and implement policies and procedures for FIAR Plan risk management that fully incorporate the five risk management guiding principles and consider the Navy's and Defense Logistics Agency's risk management practices.[Footnote 162] * follow best practices in cost and schedule management to allow better oversight for timely development, within cost, of ERP systems that deliver the intended capabilities. A useful guide for DOD in its efforts going forward to address financial management reform would be the effective implementation of the recommendations made by the House Armed Services Committee Panel on Defense Financial Management and Auditability Reform.[Footnote 163] Demonstrated Progress. Improving the department's financial management operations--and thereby providing DOD management and the Congress with more accurate and more reliable information on the results of its business operations--will not be an easy task. Key challenges remain, such as identifying and mitigating risks to achieving the goals of DOD's FIAR effort, successfully implementing the FIAR Guidance at the DOD component level, modernizing DOD's business information systems, and improving the financial management workforce. As DOD moves forward with asserting audit readiness, our work has shown that effective processes, systems, and controls are not yet in place to ensure that its components have adequately improved financial management information for day-to-day decision making. For example, we issued two reports to DOD in 2014 with recommendations to help DOD fully implement its FIAR Guidance with respect to DFAS contract pay and Army budget execution. In its approach to implementation of the FIAR Plan, DOD has emphasized asserting audit readiness by set dates over assuring that processes, systems, and controls are effective, reliable, and sustainable. In DOD's fiscal year 2014 Agency Financial Report, the DOD IG stated that DOD must continue to develop and implement a comprehensive plan that identifies the interim objectives and schedule of milestones to achieve audit readiness of the (1) full SBR, (2) existence and completeness of mission critical assets, and (3) full financial statements. While time frames are important for measuring progress, DOD should not lose sight of the ultimate goal of implementing lasting financial management reform to ensure that it can routinely generate reliable financial management and other information critical to decision making and effective operations. GAO Contact: For additional information about this high-risk area, contact Asif Khan at (202) 512-9869 or khana@gao.gov. Related GAO Products: DOD Business Systems Modernization: Additional Enhancements Are Needed for Army Business System Schedule and Cost Estimates to Fully Meet Best Practices. [hyperlink, http://www.gao.gov/products/GAO-14-470]. Washington, D.C.: September 30, 2014. DOD Financial Management: The Defense Finance and Accounting Service Needs to Fully Implement Financial Improvements for Contract Pay. [hyperlink, http://www.gao.gov/products/GAO-14-10]. Washington, D.C.: June 23, 2014. DOD Financial Management: Improvements Needed in Army's Efforts to Ensure the Reliability of Its Statement of Budgetary Resources. [hyperlink, http://www.gao.gov/products/GAO-14-60]. Washington, D.C.: May 30, 2014. DOD Financial Management: Effect of Continuing Weaknesses on Management and Operations and Status of Key Challenges. [hyperlink, http://www.gao.gov/products/GAO-14-576T]. Washington, D.C.: May 13, 2014. DOD Financial Management: Actions Under Way Need to Be Successfully Completed to Address Long-standing Funds Control Weaknesses. [hyperlink, http://www.gao.gov/products/GAO-14-94]. Washington, D.C.: April 29, 2014. DOD Business Systems Modernization: Air Force Business System Schedule and Cost Estimates. [hyperlink, http://www.gao.gov/products/GAO-14-152]. Washington, D.C.: February 7, 2014. DOD Financial Management: Ineffective Risk Management Could Impair Progress toward Audit-Ready Financial Statements. [hyperlink, http://www.gao.gov/products/GAO-13-123]. Washington, D.C.: August 2, 2013. DOD Financial Management: Significant Improvements Needed in Efforts to Address Improper Payment Requirements. [hyperlink, http://www.gao.gov/products/GAO-13-227]. Washington, D.C.: May 13, 2013. [End of section] DOD Supply Chain Management: Why Area Is High Risk: The Department of Defense (DOD) manages more than 5 million secondary inventory items, such as spare parts, with a reported value of approximately $98 billion, as of September 2013. Effective and efficient supply chain management is critical for supporting the readiness and capabilities of the force and for DOD to avoid spending resources on unneeded inventory that could be better applied to other defense and national priorities. However, DOD has experienced weaknesses in the management of its supply chain, particularly in the following areas: * Inventory management. DOD's inventory management practices and procedures have been ineffective and inefficient. DOD has had high levels of inventory that were excess to requirements and weaknesses in accurately forecasting the demand for inventory items. * Materiel distribution. DOD also has faced challenges in delivering supplies and equipment, including unmet delivery standards and time lines for cargo shipments as well as incomplete delivery data for many surface shipments. * Asset visibility. DOD has had weaknesses in maintaining visibility of supplies, such as problems with inadequate radio-frequency identification information to track all cargo movements. We added this area to the High Risk List in 1990. In our 2013 update, we reported that DOD had made moderate progress in addressing weaknesses in supply chain management, but had not resolved several long-standing problems. What GAO Found: Figure: DOD Supply Chain Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Since our last high-risk update, DOD has made progress in addressing all three dimensions of its supply chain management areas: inventory management, materiel distribution, and asset visibility. For inventory management, DOD has satisfied all of our high-risk criteria except for one: demonstrated progress. For materiel distribution, DOD has demonstrated leadership commitment and the capacity--personnel and resources--to make improvements, although work remains to fully address the remaining three criteria (corrective action plan, monitoring, and demonstrated progress). For asset visibility, DOD has demonstrated leadership commitment and has made considerable progress in addressing the remaining four criteria through actions like development of its January 2014 Strategy for Improving DOD Asset Visibility, which represents its corrective action plan. Inventory Management: Figure: DOD Supply Chain Management: [Refer to PDF for image: star illustration] Inventory Management: Leadership Commitment: Met; Capacity: Met; Action Plan: Met; Monitoring: Met; Demonstrated Progress: Partially Met. Four Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership commitment: Senior officials have continued to demonstrate commitment and top leadership support for addressing the department's inventory management challenges. These leaders include the Assistant Secretary of Defense for Logistics and Materiel Readiness and officials from the military services and Defense Logistics Agency (DLA). They have taken actions to institutionalize this commitment to help ensure the long-term success of the department's efforts. In addition, senior DOD officials have met with us to discuss the department's plans and progress in addressing inventory management. While meeting, we provided feedback on the department's efforts. Capacity: DOD has demonstrated that it has the capacity--personnel and resources--to strengthen inventory management. For example, in May 2012 we reported that the department had established three workgroups-- forecasting and demand planning, inventory and retention, and supply chain metrics--that were responsible for implementing actions focused on the respective areas. Each workgroup included representatives from each of the military services and DLA. Furthermore, DOD has dedicated financial resources to evaluating aspects of inventory management, such as commissioning several studies designed to improve forecasting for spare parts. Corrective action plan: In 2010, DOD established and began implementing a corrective action plan that has actions and goals into fiscal year 2016. In the plan, DOD established overarching goals to reduce on-order excess inventory--items that have already been purchased but may be excess due to changes in requirements--and on- hand excess inventory--items that have been categorized for potential reuse or disposal. DOD developed actions with milestones to improve inventory management in nine key areas, including demand forecasting for spare parts. Additionally, according to DOD officials, the department has started to identify actions to be included in its follow-on corrective action plan, which is intended to guide the department's improvement efforts beyond fiscal year 2016. Monitoring: As we reported in May 2012, DOD established a performance management framework, including metrics and milestones, to track the implementation and effectiveness of its corrective action plan. The Deputy Assistant Secretary of Defense for Supply Chain Integration oversees implementation of the corrective action plan and monitors the associated metrics through progress review meetings with the military services and DLA. The meetings are held about every month. The deputy assistant secretary is advised by the Supply Chain Executive Steering Committee, which is composed of executive-level members from the military services and DLA, on matters related to supply chain management, including implementation of the corrective action plan. The steering committee is used as a forum to resolve issues encountered in implementation of the corrective action plan that cannot be resolved among the implementation workgroups. Lastly, the deputy assistant secretary reports performance against on-hand and on- order excess inventory goals to the DOD Deputy Chief Management Officer for inclusion in the department's annual performance plan, which is part of the President's budget request. Demonstrated progress: DOD has made considerable progress in reducing on-hand excess inventory and improving inventory management: * DOD reported that it reduced on-hand excess inventory from 9.4 percent at the end of fiscal year 2009 to 7.3 percent at the end of fiscal year 2013. DOD calculates the percentage by dividing the amount of on-hand excess inventory by the total amount of on-hand inventory. * DOD also reported that its percentage of on-order excess inventory dropped from 9.5 percent in fiscal year 2009 to 5.6 percent in fiscal year 2011, but then increased to 7.9 percent in fiscal year 2013. DOD calculates the percentage by dividing the amount of on-order excess inventory by the total amount of on-order inventory. DOD attributed the increase to several factors, including a mid-year reduction in Air Force flying hours caused by sequestration and issues associated with implementing the Navy's enterprise resource planning system. * DOD reviewed its on-order excess inventory management policies and processes in 2011 and 2012 and strengthened its guidance in 2014 on economic retention stock, those items that have been determined to be more economical to keep than to dispose of because the items are likely to be needed in the future. * DOD has made some progress in improving its demand forecasting, its ability to predict future customer demands so inventory managers can develop inventory requirements to satisfy demands. It completed a series of reviews of its demand forecasting methods between 2010 and 2014, implemented an approach for setting inventory levels for consumable items with low or highly-variable demand in 2013 that has improved availability and reduced backorders for these items, and reported department-wide forecast accuracy metrics in beginning 2013. Nevertheless, DOD faces challenges in reducing excess inventory, managing its economic retention stock, and continuing improvements in demand forecasting. For example, in June 2014 we found that DLA, which manages about one-fifth, or about $20.8 billion, of DOD's $98 billion in inventory, had several weaknesses in its management of on-order excess inventory. Specifically, DLA was not regularly monitoring progress in reducing on-order excess inventory, lacked performance data, and did not have goals for supply-chain-specific on-order excess inventory, which would help to guide improvement. In response to these weaknesses, as of November 2014, DLA had established goals and DLA's senior management had begun to regularly monitor performance against the goals. Further, we found in June 2014 that DLA had disposed of $855 million in economic retention stock in order to meet its end of fiscal year 2013 goal for on-hand inventory. As a result, DLA risks having to repurchase hundreds of millions of dollars in inventory to meet customer demand and support the readiness of the military services. Lastly, DOD has not yet established a baseline against which to measure any improvement in its demand forecast accuracy. Further, DOD has not implemented actions, as appropriate, to improve forecasting for items with less variable demand or finalized plans for improving the methodologies to set inventory levels for reparable items with low or highly variable demand. Moreover, in June 2014 we found that DLA's collaborative forecasting program--which developed forecasts for inventory valued at about $730 million--had not improved the aggregate forecasting accuracy for those items or used a comprehensive approach to manage the program. To address the weaknesses, DLA has begun to consider additional metrics to assess the performance of the effort, and senior management has begun to monitor demand forecasting accuracy across DLA. Materiel Distribution: Figure: DOD Supply Chain Management: [Refer to PDF for image: star illustration] Materiel Distribution: Leadership Commitment: Met; Capacity: Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership commitment: Senior leaders have continued to demonstrate commitment and top leadership support for addressing the department's materiel distribution challenges. These leaders include the Assistant Secretary of Defense for Logistics and Materiel Readiness, the Commander of United States Transportation Command (TRANSCOM), DLA officials, commanders of the combatant commands, and officials from the military services. For example, DOD has established the Distribution Steering Group--a working level group co-chaired by TRANSCOM and DLA which is composed of representatives from TRANSCOM, the Office of the Secretary of Defense (OSD), DLA, the military services, and the combatant commands--which meets quarterly to discuss issues related to distribution performance. In addition, DOD established two other oversight groups, which are composed of representatives from the same organizations: a Distribution Oversight Council that meets twice a year, and a Distribution Process Owner Executive Board, that is chaired by TRANSCOM. Capacity: DOD demonstrated that it has the capacity--personnel and resources--to improve materiel distribution. DOD created a governance structure that includes staff, organizations, and working groups across the department to address issues related to materiel distribution execution. Additionally, DOD has undertaken several initiatives that have improved some segments of the distribution pipeline. For example, we found in August 2012 that by incorporating results-oriented management practices into the planning and development of improvement efforts, DOD was able to improve delivery times for some customers and increase the utilization of available assets. These efforts, according to DOD officials, resulted in $1 billion in cost avoidances through April 2013. Moreover, TRANSCOM has established the Distribution Performance Branch within its Strategy, Policy, Programs, and Logistics Directorate. The branch's responsibilities include assessing global distribution performance, leading the negotiation of distribution performance standards with stakeholders, and converting data into objective performance reports. Corrective action plan: DOD has implemented, or is in the process of implementing, some distribution-related initiatives that could serve as a basis for a corrective action plan. For example, DOD developed the DLA Distribution Effectiveness Initiative, formerly called Strategic Network Optimization, to improve logistics efficiencies in DOD's distribution network and to reduce transportation costs by storing materiel at strategically located DLA supply sites. This initiative has goals, objectives, time frames for implementation, draft performance measures, a governance structure that includes key organizations involved in the distribution enterprise (DLA, the Deputy Assistant Secretary of Defense for Supply Chain Integration, TRANSCOM, and the military services), and business plans for each phase of implementation. The DLA Distribution Effectiveness Initiative is in the second of its three implementation phases; therefore, it is too early to tell whether it will address the root causes of materiel distribution challenges. DOD officials told us that the DLA Distribution Effectiveness Initiative could form the basis for their corrective action plan for distribution, but DOD is also exploring developing a separate, more comprehensive corrective action plan to improve distribution effectiveness. Other DOD initiatives have identified and implemented cost avoidance measures. While these are all positive steps for laying the framework for the development of a corrective action plan, DOD does not currently have a comprehensive plan for distribution that provides a means to measure distribution performance across the entire distribution enterprise, identify gaps, define root causes, develop solutions, or provide for substantially completing corrective measures. Monitoring and demonstrated progress: DOD has established metrics and goals to monitor performance for certain segments of its distribution pipeline. For example, time definite delivery which is a measure of the probability that a customer will receive an order within an established time period, and customer wait time, the total elapsed time between issuance of a customer order and satisfaction of that order, are both used to monitor performance. TRANSCOM has established a metrics branch that periodically reviews the performance of combatant command distribution and that conducts annual workshops to review and revise distribution standards. However, performance is not meeting DOD's established targets for distribution and DOD has not assessed the reliability of the data included in its performance metrics that limit their usefulness for monitoring performance and demonstrating progress. As we found in October 2011 and in 2014, DOD's means for assessing performance of the global distribution pipeline are limited and not comprehensive. For example, no single entity within DOD maintains visibility and oversight of the entire DOD-wide global distribution pipeline. Instead, management and oversight, including oversight of the available performance metrics, are fragmented between TRANSCOM-- which focuses on the first three segments of distribution--and the combatant command--which focuses on the final segment at the tactical level. The first three segments cover shipments of items from warehouses, factories, or other points of origin to supply points in a military theater of operations, while the final segment refers to distribution that occurs from these supply points to forward operating bases and units. Moreover, for the first three segments of the pipeline that DOD has established performance metrics to measure, DOD has consistently not met established targets. Further, DOD does not have a means in place to comprehensively assess why these targets are not being met and to identify solutions to improve performance. DOD monitors some distribution initiatives and has completed efforts that have resulted in progress, including the DOD Distribution Process Owner Strategic Opportunities, an effort that began in 2008 to identify opportunities to significantly improve the performance of distribution processes DOD-wide. This effort, according to DOD officials, resulted in $1 billion in cost avoidances through April 2013 as previously discussed. However, without a corrective action plan that measures distribution performance across the entire distribution pipeline, identifies gaps and the root causes of these gaps, develops solutions, and includes reliable metrics to measure performance of the entire distribution pipeline, except for on a case- by-case basis DOD will be limited in its ability to comprehensively monitor and independently validate the effectiveness and sustainability of solutions to demonstrate progress. Once the corrective action plan is developed and implemented, DOD should use the plan to monitor performance and demonstrate progress. Asset Visibility: Figure: DOD Supply Chain Management: [Refer to PDF for image: star illustration] Asset Visibility: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership commitment: Senior leaders at the department have continued to demonstrate strong commitment to addressing asset visibility challenges as evidenced by the issuance of DOD's January 2014 Strategy for Improving DOD Asset Visibility. Further, senior leaders are involved in the Supply Chain Executive Steering Committee, a senior- level body responsible for overseeing asset visibility improvement efforts. Capacity: We reported in February 2013 that a comprehensive strategic plan for asset visibility should include the costs to execute the plan and the sources and types of resources and investments--including skills, human capital, technology, information and other resources-- required to meet the goals and objectives in the plan. DOD has begun to identify the resources and investments that would be required to achieve the goals and objectives in its January 2014 Strategy. However, the estimates of cost developed by the Joint Staff, TRANSCOM, DLA, and the military services (referred to as the components) are generally at an aggregated level without details of the elements--such as human capital, information and contracts--they used to compute the estimates. As a result, cost information may lack transparency and the department may not have the information it needs to make well-informed decisions about asset visibility, including setting budget priorities. In December 2014, DOD shared with us actions it is making to address this weakness. Specifically, DOD plans to update its supporting execution plan format to instruct the components to break out their cost estimates to show elements such as manpower, materiel, and sustainment. DOD plans to include its updated supporting execution plan format in its 2015 update to the Strategy which, according to DOD, is expected to be issued in the third quarter of fiscal year 2015. Further, DOD is working to update all supporting execution plans to show the breakout of the cost estimates based on this common set of cost elements. Corrective action plan: In February 2013, we recommended that DOD develop a strategy and execution plans that contain all the elements of a comprehensive strategic plan. DOD has taken steps to implement this recommendation by issuing its Strategy. The Strategy, which represents DOD's corrective action plan for asset visibility, contains goals and objectives as well as supporting execution plans outlining specific initiatives intended to improve asset visibility. However, it is not clear how the initiatives link to the Strategy's goals and objectives. Therefore, DOD needs to ensure there is a clear linkage between the goals and objectives in the Strategy and the initiatives intended to implement the Strategy. We previously identified leading practices to promote successful performance reviews, including ensuring alignment between agency goals, program activities, and resources. Without alignment between the goals and objectives in the Strategy and the initiatives intended to implement the Strategy, DOD may be unable to assess progress toward realizing its goals and objectives. DOD also shared with us, in December 2014, actions it is making to address this weakness. Specifically, DOD provided us a set of matrix charts that makes apparent the linkage between the goals and objectives in its Strategy and the supporting execution plans which support each of those goals and objectives. DOD is planning to include these charts in its 2015 update to the Strategy. Monitoring: We reported in February 2013 that DOD lacked a formal, central mechanism to monitor the status of improvements or fully track the resources allocated to them. We also reported that, while DOD's draft strategy included overarching goals and objectives that address the overall results desired from implementation of the strategy, it only partially included, among other factors, performance measures which are necessary for monitoring progress. We recommended in February 2013 that when finalizing its strategy for asset visibility, DOD should ensure it includes, among other things, performance measures for gauging results. DOD's Strategy calls for organizations to identify at least one outcome or key performance indicator for assessing the successful implementation of each support execution plan. These key performance indicators are used to assess whether the initiatives are on target for implementation and achievement of performance expectations. However, it is not apparent what relation, if any, these performance indicators have to the overarching goals and objectives in the Strategy. Although the linkage is not apparent, DOD has established a structure for overseeing and coordinating efforts to improve asset visibility. This structure includes the Asset Visibility Working Group, which is responsible for monitoring the implementation of the initiatives identified by the components. The components are to report quarterly to the Asset Visibility Working Group on the status of their initiatives. However, these reports do not include information on how the initiatives contribute toward achievement of the department's asset visibility goals and objectives. Until DOD implements a process to monitor performance and progress toward achieving goals in the asset visibility area, it may lack the tools necessary to effectively assess the results of its initiatives. Demonstrated progress: DOD's Strategy and preliminary efforts to develop and implement initiatives intended to strengthen asset visibility represent a positive step; however, work remains to demonstrate that implementation of these initiatives will result in progress toward achieving the goals and objectives in the Strategy. DOD has made progress in implementing initiatives intended to improve asset visibility. For example, 6 of the 22 initiatives outlined in the supporting execution plans included in DOD's Strategy have been reported by DOD as fully implemented. One such initiative, intended to create an integrated data environment for asset visibility information in transportation and supply data systems, has been fully implemented and is being used to enhance asset visibility. However, it is too early to tell if these combined efforts will result in measurable outcomes and progress in realizing DOD's goals and objectives for improving asset visibility. Until DOD demonstrates that implementation of these initiatives will result in measurable outcomes and progress toward achieving the goals and objectives in the Strategy, it may be limited in its ability to demonstrate sustained progress in implementing corrective actions and resolving the high-risk area. Congressional Action: In the Fiscal Year 2014 National Defense Authorization Act, Congress mandated DOD to submit to the Congress, not later than 180 days after enactment of the act, a strategy and implementation plans for improving asset tracking and in-transit visibility. The act required that the strategy and implementation plans incorporate 11 elements, including goals and objectives, an estimate of the costs to execute the plan, a description of key external factors that could affect achievement of the goals, and steps to be taken to facilitate collaboration with industry to capture best practices. The act also mandated that we report to the Congress within one year after DOD's strategy is submitted on the extent to which the strategy and implementation plans include the required elements. We have work ongoing to respond to the mandate and assess whether DOD's January 2014 Strategy and an October 2014 report issued by DOD to respond to the mandate requirements, fully addresses all the elements required by the mandate. What Remains to Be Done: Inventory Management: In June 2014, to improve management and minimize the amount of on- order excess inventory, we recommended that DLA, among other things, track and regularly review performance data, such as the amount of on- order excess inventory reviewed, modified, or canceled, and the reasons for not modifying or canceling on-order excess inventory. To fully address these recommendations and satisfy our high-risk criteria for demonstrating progress, DOD needs to take the following actions: * Continue to demonstrate that progress made in reducing on-order and on-hand excess inventory is sustainable and take necessary actions to diagnose and address, as appropriate, the 2013 increase in the department-wide percentage of on-order excess inventory. For example, the military services' and DLA's senior management should be regularly monitoring on-order excess inventory and tracking and regularly reviewing performance data--such as the amount of on-order excess inventory reviewed, modified, or canceled, and the reasons for not modifying or canceling the orders--associated with DOD's on-order excess inventory management processes. * Enhance management and oversight of its economic retention stock to ensure that disposal decisions are analytically supported and consistent with guidance. * Establish a baseline for DOD's demand forecast accuracy metrics and identify and begin implementing corrective actions, as appropriate, to improve forecasting for the inventory items covered by these metrics, and implement methodologies to set inventory levels for non- forecastable reparable items. Further, DLA, in collaboration with the military services, needs to finalize the suite of metrics it plans on using to monitor the performance and value-added by the collaborative forecasting program and identify and begin implementing corrective actions to improve the results of collaborative forecasting across DOD. Materiel Distribution: DOD needs to take a number of actions to implement an adequate corrective action plan and a means to comprehensively monitor performance, including validating the effectiveness and sustainability of solutions, and demonstrate sustained progress in implementing solutions. Specifically, DOD needs to: * develop a corrective action plan that: (1) includes a way to comprehensively measure performance and identify gaps across the entire distribution pipeline, to include the movement of items in theater to the final customer, which may be located at smaller forward operating bases beyond major hubs across the distribution pipeline; (2) identifies the root causes for gaps in performance and provides a means for implementing solutions; and: (3) establishes implementation goals and timelines to monitor progress in implementing solutions; * make demonstrated and sustained progress in implementing a corrective action plan that includes actions to address root causes of not meeting distribution standards and details how solutions designed to improve distribution performance will be implemented; * develop measures to assess performance across the entire distribution pipeline, including from major hubs to smaller forward operating bases; and: * ensure performance metrics are based on reliable data to assess performance. Asset Visibility: DOD needs to take a number of actions to address the four high-risk criteria (capacity, corrective action plan, monitoring, and demonstrated progress) that have been partially met. Specifically, DOD needs to: * include information in the Strategy and accompanying supporting execution plans on the factors--such as, but not limited to, human capital, information, and contracts--used in developing cost estimates for resources and investments. As previously discussed, DOD is taking actions to address this weakness and we would expect to see the actions included in DOD's next update to its Strategy, which officials told us will be issued in the third quarter of fiscal year 2015. * clearly specify the linkage between the goals and objectives in the Strategy and the initiatives intended to implement the Strategy. The actions taken by DOD to develop a matrix showing the linkage between the goals and objectives in the Strategy and the initiatives that support them appears promising, and we expect this linkage to be addressed in DOD's next update to its Strategy. * assess, and refine as appropriate, existing performance measures to ensure the measures assess implementation of individual initiatives as well as progress toward achievement of the overarching goal(s) and objective(s) outlined in the Strategy. * continue the implementation of initiatives identified in the Strategy, refining them over time as appropriate. Additionally, DOD needs to demonstrate that implementation of these initiatives results in measurable outcomes and progress toward realizing the goals and objectives in the Strategy. GAO Contact: For additional information about this high-risk area, contact Zina Merritt at (202) 512-5257 or merrittz@gao.gov or Cary Russell at (202) 512-5431 or russellc@gao.gov. Related GAO Products: GAO, Defense Logistics: DOD Has a Strategy and Has Taken Steps to Improve Its Asset Visibility, but Further Actions Are Needed, [hyperlink, http://www.gao.gov/products/GAO-15-148] (Washington, D.C.: Jan. 27, 2015): Defense Inventory: Actions Needed to Improve the Defense Logistics Agency's Inventory Management. [hyperlink, http://www.gao.gov/products/GAO-14-495]. Washington, D.C.: June 19, 2014. Defense Logistics: A Completed Comprehensive Strategy is Needed to Guide DOD's In-Transit Visibility Efforts. [hyperlink, http://www.gao.gov/products/GAO-13-201]. Washington, D.C.: February 28, 2013. High-Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-13-283]. Washington, D.C.: February 14, 2013. Defense Logistics: DOD Has Taken Actions to Improve Some Segments of the Materiel Distribution System. [hyperlink, http://www.gao.gov/products/GAO-12-883R]. Washington, D.C.: August 3, 2012. Defense Inventory: Actions Underway to Implement Improvement Plan, but Steps Needed to Enhance Efforts. [hyperlink, http://www.gao.gov/products/GAO-12-493]. Washington, D.C.: May 3, 2012. Defense Logistics: Improvements Needed to Enhance DOD's Management Approach and Implementation of Item Unique Identification Technology. [hyperlink, http://www.gao.gov/products/GAO-12-482]. Washington, D.C.: May 3, 2012. Warfighter Support: DOD Has Made Progress, but Supply and Distribution Challenges Remain in Afghanistan. [hyperlink, http://www.gao.gov/products/GAO-12-138]. Washington, D.C.: October 7, 2011. DOD's 2010 Comprehensive Inventory Management Improvement Plan Addressed Statutory Requirements, But Faces Implementation Challenges. [hyperlink, http://www.gao.gov/products/GAO-11-240R]. Washington, D.C.: January 7, 2011. [End of section] DOD Weapon Systems Acquisition: Why Area Is High Risk: Congress and the Department of Defense (DOD) have long sought to improve the acquisition of major weapon systems, yet many DOD programs are still falling short of cost, schedule, and performance expectations. The results are unanticipated cost overruns, reduced buying power, and in some cases a reduction in the capability ultimately delivered to the warfighter. In March 2014, we reported that DOD expects to invest $1.5 trillion (fiscal year 2014 dollars) on the development and procurement of its portfolio of 80 major defense acquisition programs. With the prospect of slowly growing or flat defense budgets for years to come, DOD must get better returns on its weapon system investments and find ways to deliver capability to the warfighter for less than it has in the past. What GAO Found: Figure: DOD Weapon Systems Acquisition: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Top leadership at DOD is committed to improving the acquisition of weapon systems. We added this area to our High Risk List in 1990. While DOD has made progress in addressing challenges, the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics has issued a series of memorandums on Better Buying Power initiatives since 2010 that outline steps DOD needs to take across its acquisition portfolio to achieve better results. While DOD has made strides in addressing challenges with the acquisition workforce, the department still lacks the capacity to fully implement reforms, particularly in the areas of cost estimating, program assessment, systems engineering, and developmental testing. Although there is no comprehensive action plan within the department for removing this area from the High Risk List, the Better Buying Power initiatives are a step in the right direction as DOD has prescribed a number of concrete changes. In 2014, DOD issued the second in an annual series of performance reports on the portfolio of major defense acquisition programs. Continuing and expanding this series of reports should help DOD measure its progress over time. DOD has made some progress in updating its policies to enable better weapon systems outcomes. However, even with this call for change we remain concerned about the full implementation of proposed reforms as DOD has, in the past, failed to convert policy into practice. In addition, although we reported in March 2014 on the progress many DOD programs are making in reducing their cost in the near term, individual weapon programs are still failing to conform to best practices for acquisition or to implement key acquisition reforms and initiatives that could prevent long-term cost and schedule growth. Our work continues to reveal significant cost and schedule growth in DOD's portfolio of major defense acquisition programs. In 2014, we reported that the total acquisition cost of DOD's fiscal year 2013 portfolio of 80 programs grew by almost $13 billion, or about 1 percent, from the previous year. The majority of the net cost growth can be attributed to a single program--the Evolved Expendable Launch Vehicle. Overall, the schedule to deliver initial capabilities to the warfighter grew an additional 2 months. While the overall cost of the 2013 portfolio did increase, 50 of the 80 programs within the portfolio actually reduced their costs. Our analysis also showed that the majority of programs actually improved their buying power, or the amount of goods procured for dollars spent, from 2012 to 2013. Despite these gains, DOD's major acquisition programs continue to fare poorly against the three cost-growth targets we use to measure DOD's progress in the weapon system acquisition high-risk area (see figure 7). [Footnote 164] Figure 7: Comparison of the Cost Performance of DOD's 2011, 2012, and 2013 Portfolios: [Refer to PDF for image: stacked vertical bar graph] 1-year comparison, less than 2% growth: Year: 2011; Percent of programs that meet metric: 60%; Percent of programs that do not meet metric: 40%; Year: 2012; Percent of programs that meet metric: 85%; Percent of programs that do not meet metric: 15%; Year: 2013; Percent of programs that meet metric: 76%; Percent of programs that do not meet metric: 24%. 5-year comparison, less than 10% growth: Year: 2011; Percent of programs that meet metric: 45%; Percent of programs that do not meet metric: 55%; Year: 2012; Percent of programs that meet metric: 56%; Percent of programs that do not meet metric: 44%; Year: 2013; Percent of programs that meet metric: 55%; Percent of programs that do not meet metric: 45%. First full estimate comparison, less than 15% growth: Year: 2011; Percent of programs that meet metric: 41%; Percent of programs that do not meet metric: 59%; Year: 2012; Percent of programs that meet metric: 48%; Percent of programs that do not meet metric: 52%; Year: 2013; Percent of programs that meet metric: 44%; Percent of programs that do not meet metric: 56%. Source: GAO analysis of DOD data. GAO-15-290. [End of figure] Across the portfolio, DOD has unevenly implemented knowledge-based acquisition practices that might prevent or mitigate cost growth. Our 2014 assessment of weapon programs found that while DOD continues to show progress in following a knowledge-based approach to reduce risk, it has significant room for improvement. While programs that have recently passed through major decision points have demonstrated best practices--such as constraining development times and achieving design stability--key practices like demonstrating technology maturity or controlling manufacturing processes are still not being fully implemented. Of the seven programs we assessed that had recently passed through one of three key decision points in the acquisition process, none had implemented all of the applicable knowledge-based practices. These programs will carry technology, design, and production risks, which increases cost and schedule risks, into subsequent phases of the acquisition process. DOD continues to demonstrate a strong commitment, at the highest levels, to improving the management of its weapon system acquisitions. Over the past 5 years the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics has released a series of memorandums on its Better Buying Power initiative that outline the steps DOD needs to take across its acquisition portfolio to achieve better results. These initiatives include measures such as setting and enforcing affordability constraints, instituting a long-term investment plan for portfolios of weapon systems, implementing "should cost" management to control contract costs, and eliminating redundancies within portfolios. The initiatives also emphasize the need to adequately grow and train the acquisition workforce. The release in January 2015 of an update to the department's acquisition instruction furthers this commitment as it incorporates many of the Better Buying Power initiatives as well as acquisition reforms from the Weapon Systems Acquisition Reform Act of 2009 and other legislation. These actions are consistent with our past findings and recommendations. If these initiatives are to have a lasting, positive effect, however, decision makers need to be held accountable for implementing them. Our recent work shows there is much ground yet to cover. In 2014, we reported that implementation of the Better Buying Power and acquisition reform initiatives varied across programs. While 82 percent of programs successfully implemented "should-cost" initiatives and reported significant cost savings, only 54 percent had established affordability constraints. Implementation of the direction to improve competition is also incomplete. Of the future programs we assessed in our 2014 report on selected weapon programs, many did not plan to conduct competitive prototyping before the start of development and many current programs did not have acquisition strategies that ensure competition through the end of production. Fifteen future and current programs reported they will not take actions to promote any competitive measures before or after development starts. DOD has made some progress in its efforts to assess the root causes of poor weapon system acquisition outcomes and monitors the effectiveness of its actions to improve its management of weapon systems acquisition. In 2014, DOD issued the second in what is promised to be an annual series of performance reports on its portfolio of major defense acquisition programs. The report examines a wide range of acquisition-related information, such as contract type, contractor incentives, and the effects of statutes and policies to determine if there is any statistical correlation between these factors and good or poor acquisition outcomes. The report is a good step, but DOD needs to continue to refine and enhance this reporting to further its monitoring of progress. What Remains to Be Done: At this point, there is a need to build on existing reforms--not necessarily by revisiting the process itself but by augmenting it by tackling incentives. Drawing on our extensive body of work in weapon systems acquisition, we see several areas of focus: * examining best practices to integrate critical requirements, resources, and acquisition decision-making processes; * attracting, training, and retaining acquisition staff and managers so that they are both empowered and accountable for program outcomes; * at the start of new programs, using funding decisions to reinforce desirable principles such as well-informed acquisition strategies; * identifying significant risks up front and resourcing them; * exploring ways to align budget decisions and program decisions more closely; and: * investigating tools, such as limits on system development time, to improve program outcomes. GAO Contact: For additional information about this high-risk area, contact Michael J. Sullivan at (202) 512-4841 or sullivanm@gao.gov. Related GAO Products: Littoral Combat Ship: Additional Testing and Improved Weight Management Needed Prior to Further Investments. [hyperlink, http://www.gao.gov/products/GAO-14-749]. Washington, D.C.: July 30, 2014. Defense Acquisitions: Addressing Incentives is Key to Further Reform Efforts. [hyperlink, http://www.gao.gov/products/GAO-14-563T]. Washington, D.C.: April 30, 2014. KC-46 Tanker Aircraft: Program Generally on Track, but Upcoming Schedule Remains Challenging. [hyperlink, http://www.gao.gov/products/GAO-14-190]. Washington, D.C.: April 10, 2014. Missile Defense: Mixed Progress in Achieving Acquisition Goals and Improving Accountability. [hyperlink, http://www.gao.gov/products/GAO-14-351]. Washington, D.C.: April 1, 2014. Defense Acquisitions: Assessments of Selected Weapon Programs. [hyperlink, http://www.gao.gov/products/GAO-14-340SP]. Washington, D.C.: March 31, 2014. F-35 Joint Strike Fighter: Problems Completing Software Testing May Hinder Delivery of Expected Warfighting Capabilities. [hyperlink, http://www.gao.gov/products/GAO-14-322]. Washington, D.C.: March 24, 2014. Defense Acquisitions: Where Should Reform Aim Next? [hyperlink, http://www.gao.gov/products/GAO-14-145T]. Washington, D.C.: October 29, 2013. Weapons Acquisition Reform: Reform Act Is Helping DOD Acquisition Programs Reduce Risk, but Implementation Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-13-103]. Washington, D.C.: December 14, 2012. Defense Management: Guidance and Progress Measures Are Needed to Realize Benefits from Changes in DOD's Joint Requirements Process. [hyperlink, http://www.gao.gov/products/GAO-12-339]. Washington, D.C.: February 24, 2012. [End of section] Mitigating Gaps in Weather Satellite Data: Why Area Is High Risk: The United States relies on two complementary types of satellite systems for weather observations and forecasts: (1) polar-orbiting satellites that provide a global perspective every morning and afternoon, and (2) geostationary satellites that maintain a fixed view of the United States. Both types of systems are critical to weather forecasters, climatologists, and the military, who map and monitor changes in weather, climate, the oceans, and the environment. Federal agencies are currently planning and executing major satellite acquisition programs to replace existing polar and geostationary satellite systems that are nearing the end of their expected life spans. However, these programs have troubled legacies of cost increases, missed milestones, technical problems, and management challenges that have resulted in reduced functionality and slips to planned launch dates. As a result, the continuity of satellite data is at risk. Officials from the Department of Commerce's National Oceanic and Atmospheric Administration (NOAA) acknowledge that there is a risk of a gap in polar satellite data in the afternoon orbit, between the time that the current polar satellite is expected to reach the end of its life and the time when the next satellite is expected to be in orbit and operational. This gap could span up to a year or more, depending on how long the current satellite lasts and whether there are any delays in launching or operating the new one.[Footnote 165] Similarly, while federal agencies do not anticipate gaps in geostationary satellite observations, such a gap could occur if satellites currently in orbit do not last as long as anticipated or if the major satellite acquisition currently underway encounters schedule delays. According to NOAA program officials, a satellite data gap would result in less accurate and timely weather forecasts and warnings of extreme events--such as hurricanes, storm surges and floods. Such degradation in forecasts and warnings would place lives, property, and our nation's critical infrastructures in danger. Given the criticality of satellite data to weather forecasts, the likelihood of significant gaps, and the potential impact of such gaps on the health and safety of the U.S. population and economy, we concluded that the potential gap in weather satellite data is a high-risk area and added it to the High Risk List in 2013. What GAO Found: Figure: Mitigating Gaps in Weather Satellite Data: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] NOAA has demonstrated leadership commitment in mitigating data gaps on its polar-orbiting and geostationary weather satellites by making decisions about how to mitigate potential gaps and by making progress in implementing multiple mitigation activities. However, capacity concerns--including computing resources needed for some polar satellite mitigation activities, and the limited time available for integration and testing prior to the scheduled launch of the next geostationary satellite--continue to present challenges. In addition, while both programs have updated their satellite contingency plans, work remains to implement and oversee efforts to ensure that mitigation plans will be viable if and when they are needed. Polar-orbiting Weather Satellites: Figure: Mitigating Gaps in Weather Satellite Data: [Refer to PDF for image: star illustration] Polar-orbiting Weather Satellites: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] NOAA has met the criterion of demonstrating a strong leadership commitment to mitigating gaps in polar-orbiting satellite data. NOAA management made decisions on the specific technical, programmatic, and management steps the agency would take to ensure that satellite mitigation options are viable, and, in February 2014, issued an updated satellite mitigation plan. Moreover, NOAA began implementing 21 mitigation projects, including the following efforts: improve high- performance computing capacity, assimilate data from new sources into weather models, and explore how manned and unmanned aircraft observations could increase the accuracy of numerical weather predictions for high impact weather events. These projects are supported primarily by the weather satellite data gap mitigation reserve fund from the Disaster Relief Appropriations Act, 2013. NOAA partially meets the criterion for having the capacity to address the risk of a satellite data gap. While the agency is moving forward on mitigation projects, more work remains to be done before these mitigation options are in place and it is unlikely that key options will be available in time to address a potential near-term gap. Specifically, NOAA has experienced setbacks in completing mitigation projects due to delays in obtaining sufficient computing resources. For example, the availability of high-performance computing capacity for research and development purposes fell short of users' needs by 256 percent in 2014, and the National Weather Service's (NWS) high- performance computing upgrades for operational systems are to be half of what was expected by February 2015. Since almost all of NOAA's gap mitigation projects require one or both types of computing capacity, the shortfalls have resulted in reduced scope or delayed work. In 2014, we recommended that the agency investigate ways to prioritize mitigation projects with the greatest potential benefit to weather forecasting. NOAA agreed and noted actions it is taking to address this recommendation. NOAA partially meets the criterion for having a plan to address the risk of a polar satellite data gap. In February 2014, NOAA issued an updated satellite mitigation plan, which includes several improvements over its prior plan. For example, NOAA expanded its plan to include additional mitigation alternatives. However, the agency has not yet addressed key shortfalls in its mitigation plan, including providing key information about the cost and impact of the mitigation options, and establishing when the testing of selected options would be completed. Until NOAA fully addresses the shortfalls in its contingency plan, it may not be sufficiently prepared to mitigate potential gaps in polar satellite coverage. In 2014, we made a recommendation to NOAA to address the shortfalls in its mitigation plans; NOAA agreed and noted actions it is taking to address this recommendation. NOAA partially meets the criterion for monitoring progress in addressing risks. While NOAA is providing some oversight of its many gap mitigation projects and activities, the agency's oversight efforts are not consistent or comprehensive. For example, only one of three NOAA organizations had briefed management on a monthly basis on the status of mitigation projects, as required in the agency's satellite mitigation plan. In addition, as of December 2014, NOAA had not yet reported progress on 9 mitigation activities outlined in its contingency plan. We recommended that NOAA ensure that the relevant entities provide monthly and quarterly progress updates on all mitigation projects and activities. NOAA agreed and noted actions it is taking to address this recommendation. NOAA partially meets the criterion for demonstrating progress in mitigating the risk of a gap in polar-orbiting satellite data. While NOAA has made progress in mitigation activities, certain gap mitigation projects have experienced delays. For example, while NWS was to upgrade its high-performance computing capacity for operational systems by December 2014, it now plans for an interim upgrade with about half of the planned capacity to be completed by February 2015. Data sources that require further development and further enhancements of model resolution will need to wait until the full upgrade is completed in July 2016. As another example, a project to conduct observing system experiments that provide quantitative information about the anticipated degradation to NOAA's numerical weather prediction models is to be delayed by 4 months--in part because the computing resources it received were 60 percent less than required. Until NOAA demonstrates that it is making swift and effective progress in mitigating potential near-term gaps in polar satellite data and that it is effectively overseeing these important efforts, there will be a growing risk that degraded forecasts and warnings will lead to negative impacts on the U.S. population and economy. As noted earlier, we recommended NOAA prioritize its mitigation projects with the greatest potential benefit to weather forecasting. NOAA agreed and noted actions it is taking to address this recommendation. Geostationary Weather Satellites: Figure: Mitigating Gaps in Weather Satellite Data: [Refer to PDF for image: star illustration] Geostationary Weather Satellites: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] NOAA has demonstrated leadership by revising and improving its geostationary satellite contingency plans, updating an assessment of the viability of the GOES-R program schedule, and taking steps to ensure that the launch date for the GOES-R satellite remains on schedule. NOAA has partially met the criterion for ensuring it has the capacity to address the risk of a gap in backup coverage. Over the past several years, the agency has demonstrated its ability to mitigate operational satellite outages by monitoring the health of the satellites and by moving a backup satellite into operation when needed. However, the GOES-R program is near capacity in terms of the time it has available to complete critical integration and testing activities before the anticipated launch date of March 2016. Any delay in the anticipated launch date would extend the time that NOAA might need to operate without a backup satellite. NOAA has partially met the criterion for having an action plan to address the risk of a geostationary satellite data gap. In February 2014, NOAA released a new satellite contingency plan that includes procedures for conducting regular satellite maneuvers to simulate contingency scenarios and for working with the user community to account for differences in product coverage under contingency scenarios. It also provides more details on contingency scenarios, roles and responsibilities for contingency operations, and detailed procedures for what is to occur during an event. However, the plan does not sufficiently address strategies for preventing a launch delay, timelines and triggers to prevent a launch delay, and whether any of its mitigation strategies will meet minimum performance levels. In 2014, we made recommendations to NOAA to address the shortfalls in its mitigation plans; NOAA agreed with these recommendations and noted actions it is taking to address them. NOAA has met the criterion for monitoring progress in addressing its risks. Officials responsible for satellite operations actively monitor the health of the satellite constellation and are prepared to implement contingency operations if they are warranted. In addition, GOES-R program officials actively monitor and analyze the program schedule, and have taken action to remove or defer functionality in order to keep the satellite launch date on track. Program officials also regularly report to senior managers on progress and risks. NOAA has partially met the criterion for demonstrating progress in mitigating risks. While NOAA had made significant progress in developing and testing the GOES-R satellite, in December 2014, we reported on concerns with recent delays in key program milestones and on NOAA's ability to complete critical testing and integration work in the time available before launch. If the launch of the GOES-R satellite is delayed and one of the two remaining operational satellites experiences a problem, NOAA could experience a gap in satellite data coverage. Until NOAA ensures that its contingency plan includes strategies for preventing or limiting a launch delay, there is an increased risk that the agency and satellite data users across the country will be poorly prepared for a near-term satellite data gap. In 2014, we made recommendations to NOAA to address the shortfalls in its mitigation plans, including plans for mitigating any launch delays. NOAA agreed with these recommendations and noted the actions it is taking to address them. What Remains to Be Done: In response to our prior recommendations, NOAA established plans to address potential gaps in satellite data for both its polar-orbiting and geostationary satellite systems. However, these plans are only the beginning. In order to fully address the risk of gaps in weather satellite data, NOAA should implement our recent recommendations (discussed above) to implement and oversee efforts to ensure that its mitigation plans will be viable if and when they are needed. For the polar-orbiting satellites, NOAA should address shortfalls in its satellite gap mitigation plan, including the following: providing an assessment of available mitigation alternatives based on their costs and potential impacts, establishing a schedule with meaningful timelines for mitigation activities, and defining completion dates for testing and validating viable alternatives. NOAA must also investigate ways to prioritize the mitigation projects with the greatest potential benefit to weather forecasting in the event of a gap, and ensure that the relevant entities provide management with regular updates on all gap mitigation projects. For the geostationary satellites, NOAA should add information to the GOES satellite contingency plan on steps planned or underway to mitigate potential launch delays, the potential impact of failure scenarios, and the minimum performance levels expected under such scenarios. GAO Contact: For additional information about this high-risk area, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov. Related GAO Products: Geostationary Weather Satellites: Launch Date Nears, but Remaining Schedule Risks Need to be Addressed. [hyperlink, http://www.gao.gov/products/GAO-15-60]. Washington, D.C.: December 16, 2014. Polar Weather Satellites: NOAA Needs to Prepare for Near-term Data Gaps. [hyperlink, http://www.gao.gov/products/GAO-15-47]. Washington, D.C.: December 16, 2014. NASA: Assessments of Selected Large-Scale Projects. [hyperlink, http://www.gao.gov/products/GAO-14-338SP]. Washington, D.C.: April 15, 2014. Polar Weather Satellites: NOAA Identified Ways to Mitigate Data Gaps, but Contingency Plans and Schedules Require Further Attention. [hyperlink, http://www.gao.gov/products/GAO-13-676]. Washington, D.C.: September 11, 2013. Geostationary Weather Satellites: Progress Made, but Weaknesses in Scheduling, Contingency Planning, and Communicating with Users Need to Be Addressed. [hyperlink, http://www.gao.gov/products/GAO-13-597]. Washington, D.C.: September 9, 2013. NASA: Assessments of Selected Large-Scale Projects. [hyperlink, http://www.gao.gov/products/GAO-13-276SP]. Washington, D.C.: April 17, 2013. [End of section] Strengthening Department of Homeland Security Management Functions: Why Area Is High Risk: In 2003, we designated implementing and transforming the Department of Homeland Security (DHS) as high risk because DHS had to transform 22 agencies--several with major management challenges--into one department. Further, failure to effectively address DHS's management and mission risks could have serious consequences for U.S. national and economic security. Given the significant effort required to build and integrate a department as large and complex as DHS, our initial high-risk designation addressed the department's initial transformation and subsequent implementation efforts to include associated management and programmatic challenges. At that time, we reported that the creation of DHS was an enormous undertaking that would take time to achieve, and that the successful transformation of large organizations, even those undertaking less strenuous reorganizations, could take years to implement. Over the past 12 years, the focus of this high-risk area has evolved in tandem with DHS's maturation and evolution. The overriding tenet has consistently remained DHS's ability to build a single, cohesive, and effective department that is greater than the sum of its parts--a goal that requires effective collaboration and integration of its various components and management functions. In 2007, in reporting on DHS's progress since its creation, as well as in our 2009 high-risk update, we reported that DHS had made more progress in implementing its range of missions than its management functions--information technology (IT), acquisition, financial, and human capital--and that continued work was needed to address an array of programmatic and management challenges. As we reported in September 2011, DHS's initial focus on mission implementation was understandable given the critical homeland security needs facing the nation after the department's establishment, and the challenges posed by its creation, integration, and transformation. As DHS continued to mature, and as we reported in our assessment of DHS's progress and challenges in the 10 years following 9/11, we found that the department implemented key homeland security operations and achieved important goals in many areas to create and strengthen a foundation to reach its potential.[Footnote 166] For example, DHS developed strategic and operational plans to guide its efforts, such as the National Response Framework that outlines disaster response guiding principles; and successfully hired, trained, and deployed workforces, including the federal screening workforce to assume screening responsibilities at airports nationwide. However, we also identified that more work remained for DHS to address weaknesses in its operational and implementation efforts, and to strengthen the efficiency and effectiveness of those efforts. For example, we reported in 2011 that DHS had not yet determined how to implement a biometric exit capability, had taken action to address a small portion of the estimated overstay population in the United States, and needed to strengthen efforts to assess capabilities for all-hazards preparedness. We further reported that a key theme impacting the department's implementation efforts was the continuing weaknesses in DHS's management functions. Recognizing DHS's progress in transformation and mission implementation, our 2011 high-risk update focused on the continued need to strengthen DHS's management functions and integrate those functions within and across the department, as well as the impact of these challenges on the department's ability to effectively and efficiently carry out its missions. In our 2013 high-risk update, we found that DHS had made considerable progress in strengthening and integrating its management functions. However, the 2013 high-risk update also noted that challenges remained and progress was needed to mitigate the risks that management weaknesses posed to mission accomplishment and the efficient and effective use of the department's resources. Therefore, in 2013 we narrowed the scope of the high-risk area and changed the name from Implementing and Transforming DHS to Strengthening DHS Management Functions to reflect this focus. What GAO Found: Figure: Strengthening Department of Homeland Security Management Functions: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DHS's efforts to strengthen and integrate its acquisition, IT, financial, and human capital management functions have resulted in progress addressing our criteria for removal from the high-risk list. In particular, DHS has met two criteria (leadership commitment and a corrective action plan) and partially met the remaining three criteria (capacity; a framework to monitor progress; and demonstrated, sustained progress). Leadership Commitment: The Secretary and Deputy Secretary of Homeland Security, the Under Secretary for Management at DHS, and other senior officials have continued to demonstrate commitment and top leadership support for addressing the department's management challenges. They have also taken actions to institutionalize this commitment to help ensure the long-term success of the department's efforts. For example, in May 2012, the Secretary of Homeland Security modified the delegations of authority between the Management Directorate and its counterparts at the component level to clarify and strengthen the authorities of the Under Secretary for Management across the department. In addition, in April 2014, the Secretary of Homeland Security issued a memorandum entitled, Strengthening Departmental Unity of Effort, committing to, among other things, improving DHS's planning, programming, budgeting, and execution processes through strengthened departmental structures and increased capability. This memorandum identified several initial areas of focus intended to build organizational capacity, such as DHS headquarters' strategy, planning, and analytical capability.[Footnote 167] Senior DHS officials have also routinely met with us over the past 6 years to discuss the department's plans and progress in addressing this high-risk area. During this time, we provided specific feedback on the department's efforts. According to these officials, and as demonstrated through their progress, the department is committed to demonstrating measurable, sustained progress in addressing this high-risk area. It will be important for DHS to maintain its current level of top leadership support and commitment to ensure continued progress in successfully executing its corrective actions through completion. Corrective Action Plan: DHS has established a plan for addressing this high-risk area. Specifically, in a September 2010 letter to DHS, we identified and DHS agreed to achieve 31 actions and outcomes that are critical to addressing the challenges within the department's management areas and in integrating those functions across the department. In March 2014, we updated the actions and outcomes in collaboration with DHS to reduce overlap and ensure their continued relevance and appropriateness. These updates resulted in a reduction from 31 to 30 total actions and outcomes. Toward achieving the actions and outcomes, DHS issued its initial Integrated Strategy for High Risk Management in January 2011 and has since provided updates to its strategy in seven later versions, most recently in October 2014. The integrated strategy includes key management initiatives and related corrective actions plans for addressing DHS's management challenges and the actions and outcomes we identified. DHS's strategy and approach to continuously refining actionable steps to implementing the outcomes, if implemented effectively and sustained, provides a path for DHS to be removed from our high-risk list. Capacity: In October 2014, DHS identified that it had resources needed to implement 7 of the 11 initiatives the department had under way to achieve the actions and outcomes, but did not identify sufficient resources for the 4 remaining initiatives. In addition, our prior work has identified specific capacity gaps that could undermine achievement of management outcomes. For example, in September 2012, we reported that 51 of 62 acquisition programs we surveyed reported that they faced workforce shortfalls in program management, cost estimating, engineering, and other areas. We concluded that this increased the likelihood that the programs will perform poorly in the future. Since that time, DHS has appointed component acquisition executives at the components and progressed in filling staff positions. In April 2014, however, we reported that DHS needed to increase its cost-estimating capacity and that the department had not approved baselines for 21 of 46 major acquisition programs. These baselines--which establish cost, schedule, and capability parameters--are necessary to accurately assess program performance. DHS needs to continue to identify resources for the remaining initiatives, work to mitigate shortfalls and prioritize initiatives, as needed, and communicate to senior leadership critical resource gaps. Framework to Monitor Progress: DHS established a framework for monitoring its progress in implementing the integrated strategy it identified for addressing the 30 actions and outcomes. In the June 2012 update to the Integrated Strategy for High Risk Management, DHS included, for the first time, performance measures to track its progress in implementing all of its key management initiatives. DHS continued to include performance measures in its October 2014 update. Additionally, in March 2014, the Deputy Secretary of Homeland Security began meeting monthly with the DHS management team to discuss DHS's progress in strengthening its management functions. According to senior DHS officials, as part of these meetings, attendees discuss a report that senior DHS officials update monthly which identifies corrective actions for each outcome, as well as projected and actual completion dates. However, the department can strengthen this framework. In particular, according to DHS officials, as of November 2014, they were establishing a monitoring program that will include assessing whether financial management systems modernization projects for key components that DHS plans to complete in 2019 are following industry best practices and meet users' needs. Effective implementation of these modernizations projects is important because, until they are complete, the department's current systems will not effectively support financial management operations. Moving forward, DHS will need to closely track and independently validate the effectiveness and sustainability of its corrective actions and make midcourse adjustments, as needed. Demonstrated, Sustained Progress: DHS has made important progress in strengthening its management functions, but needs to demonstrate sustainable, measurable progress in addressing key challenges that remain within and across these functions. DHS has implemented a number of actions demonstrating the department's progress in strengthening its management functions, with 14 actions and outcomes that are either fully or mostly addressed. For example, DHS has increased component- level acquisition capability by, among other things, initiating monthly Component Acquisition Executive staff forums to provide guidance and share best practices. DHS has also strengthened its enterprise architecture program (or blueprint) to guide and constrain IT acquisitions, and obtained a clean opinion on its financial statements for 2 consecutive years, fiscal years 2013 and 2014. Further, the Secretary of Homeland Security signed a human capital strategic plan in 2011 that DHS has since made sustained progress in implementing. However, DHS continues to face significant management challenges that hinder the department's ability to meet its missions. For example, DHS does not have the acquisition management tools in place to consistently demonstrate whether its major acquisition programs are on track to achieve their cost, schedule, and capability goals. In addition, DHS does not have modernized financial management systems. This affects its ability to have ready access to reliable information for informed decision making. Further, it is important that DHS can retain and attract the talent required to complete its work. But, the department continues to face significant employee morale challenges. Addressing these and other management challenges will be a significant undertaking that will likely require several years, but will be critical for the department to mitigate the risks that management weaknesses pose to mission accomplishment. Key to addressing the department's management challenges is DHS demonstrating the ability to achieve sustained progress across the 30 actions and outcomes we identified and DHS agreed were needed to address the high-risk area. Achieving sustained progress across the actions and outcomes, in turn, requires leadership commitment, effective corrective action planning, adequate capacity (that is, the people and other resources), and monitoring the effectiveness and sustainability of supporting initiatives. The 30 key actions and outcomes include, among others, validating required acquisition documents in accordance with a department-approved, knowledge-based acquisition process, and sustaining clean audit opinions for at least 2 consecutive years on department-wide financial statements and internal controls. DHS has made important progress across all of its management functions and significant progress in the area of management integration. In particular, DHS has made important progress in several areas to fully address nine actions and outcomes, five of which it has sustained as fully implemented for at least 2 years. For instance, DHS fully met one outcome for the first time by establishing sufficient component- level acquisition capability. It also sustained full implementation of another outcome by continuing to use performance measures to assess progress made in achieving department-wide management integration. DHS has also mostly addressed an additional five actions and outcomes, meaning that a small amount of work remains to fully address them. DHS's progress is further evident in the number of actions and outcomes with increased ratings since our 2013 high-risk update.[Footnote 168] Considerable work remains, however, in several areas for DHS to fully achieve the remaining actions and outcomes and thereby strengthen its management functions. Specifically, we determined that DHS has partially addressed 12 and initiated 4 of the actions and outcomes. As previously mentioned, addressing some of these actions and outcomes, such as those pertaining to improving employee morale and modernizing the department's financial management systems, are significant undertakings that will likely require multiyear efforts. Table 7 summarizes DHS's progress in addressing the 30 actions and outcomes and is followed by selected examples. Table 7: GAO Assessment of Department of Homeland Security Progress in Addressing Key Actions and Outcomes: Key Outcomes: Acquisition management; Fully Addressed[A]: 1; Mostly Addressed[B]: 0; Partially Addressed[C]: 3; Initiated[D]: 1; Total: 5. Key Outcomes: Information technology management; Fully Addressed[A]: 2; Mostly Addressed[B]: 3; Partially Addressed[C]: 1; Initiated[D]: 0; Total: 6. Key Outcomes: Financial management[E]; Fully Addressed[A]: 2; Mostly Addressed[B]: 0; Partially Addressed[C]: 3; Initiated[D]: 3; Total: 8. Key Outcomes: Human capital management; Fully Addressed[A]: 1; Mostly Addressed[B]: 2; Partially Addressed[C]: 4; Initiated[D]: 0; Total: 7. Key Outcomes: Management integration; Fully Addressed[A]: 3; Mostly Addressed[B]: 0; Partially Addressed[C]: 1; Initiated[D]: 0; Total: 4. Key Outcomes: Total; Fully Addressed[A]: 9; Mostly Addressed[B]: 5; Partially Addressed[C]: 12; Initiated[D]: 4; Total: 30. Source: GAO analysis of DHS documents, interviews, and prior GAO reports. GAO-15-290. [A] Fully addressed: outcome is fully addressed. [B] Mostly addressed: progress is significant and a small amount of work remains. [C] Partially addressed: progress is measurable, but significant work remains. [D] Initiated: activities have been initiated to address outcome, but it is too early to report progress. [E] Although March 2014 updates to most functional areas were minor, there were more significant revisions to the financial management actions and outcomes, with some outcomes revised or dropped and others added. These revisions prevent the financial management actions and outcomes from being comparable on a one-for-one basis to prior years. Accordingly, our ratings of DHS's progress in addressing financial management actions and outcomes are not an indication of a downgrade to the department's progress. [End of table] * Acquisition Management. DHS has fully addressed one of the five acquisition management outcomes, partially addressed three outcomes, and initiated actions to address the remaining outcome. For example, DHS has taken a number of recent actions to fully address establishing effective component-level acquisition capability. These actions include initiating (1) monthly Component Acquisition Executive staff forums in March 2014 to provide guidance and share best practices and (2) assessments of component policies and processes for managing acquisitions. In addition, DHS continues to assess and address whether appropriate numbers of trained acquisition personnel are in place at the department and component levels, an outcome it has partially addressed. Further, while DHS has initiated efforts to demonstrate that major acquisition programs are on track to achieve their cost, schedule, and capability goals, DHS officials have acknowledged it will be years before this outcome has been fully addressed. Much of the necessary program information is not yet consistently available or up to date. * IT Management. DHS has fully addressed two of the six IT management outcomes, mostly addressed another three, and partially addressed the remaining one. For example, DHS has finalized a directive to establish its tiered governance and portfolio management structure for overseeing and managing its IT investments, and annually reviews each of its portfolios and the associated investments to determine the most efficient allocation of resources within each of the portfolios. DHS has also implemented its IT Strategic Human Capital Plan at the enterprise level. This includes developing an IT specialist leadership competency gap workforce analysis and a DHS IT career path pilot. However, as DHS has not yet determined the extent to which the component chief information officers have implemented the enterprise human capital plan's objectives and goals, DHS's capacity to achieve this outcome is unclear. Additionally, DHS continues to take steps to enhance its information security program. However, while the Department obtained a clean opinion on its financial statements, in November 2014, the department's financial statement auditor reported that continued flaws in security controls such as those for access controls, configuration management, and segregation of duties were a material weakness for fiscal year 2014 financial reporting.[Footnote 169] Thus, the department needs to remediate the material weakness in information security controls reported by its financial statement auditor. * Financial Management. DHS has fully addressed two financial management outcomes, partially addressed three, and initiated three. [Footnote 170] Most notably, DHS received a clean audit opinion on its financial statements for 2 consecutive years, fiscal years 2013 and 2014, fully addressing two outcomes. As of November 2014, DHS was working toward addressing a third outcome--establishing effective internal control over financial reporting. We reported in September 2013 that DHS needs to eliminate all material weaknesses at the department level, including weaknesses related to financial management systems, before its financial auditor can affirm that controls are effective. However, DHS has yet to identify and commit the resources needed for remediating the remaining material weaknesses. DHS also needs to modernize key components' financial management systems and comply with financial management system requirements. The components' financial management system modernization efforts are at various stages due, in part, to a bid protest and the need to resolve critical stability issues with a legacy financial system before moving forward with system modernization efforts. Without sound controls and systems, DHS faces long-term challenges in obtaining and sustaining a clean audit opinion on internal control over financial reporting, and ensuring its financial management systems generate reliable, useful, and timely information for day-to-day decision making. * Human Capital Management. DHS has fully addressed one human capital management outcome, mostly addressed two, and partially addressed the remaining four. For example, the Secretary of Homeland Security signed a human capital strategic plan in 2011 that DHS has since made sustained progress in implementing, fully addressing this outcome. DHS also has actions underway to identify current and future human capital needs. However, DHS has considerable work ahead to improve employee morale. For example, the Office of Personnel Management's 2014 Federal Employee Viewpoint Survey data showed that DHS's scores continued to decrease in all four dimensions of the survey's index for human capital accountability and assessment--job satisfaction, talent management, leadership and knowledge management, and results-oriented performance culture. DHS has taken steps to identify where it has the most significant employee satisfaction problems and developed plans to address those problems. In September 2012, we recommended, among other things, that DHS improve its root-cause analysis efforts related to these plans. In December 2014, DHS reported actions underway to address our recommendations but had not fully implemented them. Given the sustained decrease in DHS employee morale indicated by Federal Employee Viewpoint Survey data, it is particularly important that DHS implement these recommendations and thereby help identify appropriate actions to take to improve morale within its components and department wide. * Management Integration. DHS has sustained its progress in fully addressing three of four outcomes we identified and agreed they are key to the department's management integration efforts. For example, in January 2011, DHS issued a comprehensive action plan to guide its management integration efforts--the Integrated Strategy for High Risk Management. Since then, DHS has generally made improvements to the strategy with each update based on feedback we provided. DHS has also shown important progress in addressing the last and most significant management integration outcome--to implement actions and outcomes in each management area to develop consistent or consolidated processes and systems within and across its management functional areas. But, considerable work remains. For example, the Secretary's April 2014 Strengthening Departmental Unity of Effort memorandum highlighted a number of initiatives designed to allow the department to operate in a more integrated fashion, such as the Integrated Investment Life Cycle Management initiative, to manage investments across the department's components and management functions. DHS completed its pilot for a portion of this initiative in March 2014 and, according to DHS's Executive Director for Management Integration, has begun expanding its application to new portfolios, such as border security and information sharing, among others. However, given that these main management integration initiatives are in the early stages of implementation and contingent upon DHS following through with its plans, it is too early to assess their impact. To achieve this outcome, DHS needs to continue to demonstrate sustainable progress integrating its management functions within and across the department and its components. What Remains to Be Done: In the coming years, DHS needs to continue implementing its Integrated Strategy for High Risk Management and show measurable, sustainable progress in implementing its key management initiatives and corrective actions and achieving outcomes. In doing so, it will be important for DHS to: * maintain its current level of top leadership support and sustained commitment to ensure continued progress in executing its corrective actions through completion; * continue to implement its plan for addressing this high-risk area and periodically report its progress to us and Congress; * identify and work to mitigate any resource gaps, and prioritize initiatives as needed to ensure it can to implement and sustain its corrective actions; * closely track and independently validate the effectiveness and sustainability of its corrective actions and make midcourse adjustments as needed; and: * make continued progress in achieving the 21 actions and outcomes it has not fully addressed and demonstrate that systems, personnel, and policies are in place to ensure that progress can be sustained over time. We will continue to monitor DHS's efforts in this high-risk area to determine if the actions and outcomes are achieved and sustained over the long term. GAO Contact: For additional information about this high-risk area, contact David C. Maurer at (202) 512-9627 or maurerd@gao.gov. Related GAO Products: DHS Training: Improved Documentation, Resource Tracking, and Performance Measurement Could Strengthen Efforts. [hyperlink, http://www.gao.gov/products/GAO-14-688]. Washington, D.C.: September 10, 2014. Department of Homeland Security: Progress Made; Significant Work Remains in Addressing High-Risk Areas. [hyperlink, http://www.gao.gov/products/GAO-14-532T]. Washington, D.C.: May 7, 2014. Homeland Security Acquisitions: DHS Could Better Manage Its Portfolio to Address Funding Gaps and Improve Communications with Congress. [hyperlink, http://www.gao.gov/products/GAO-14-332]. Washington, D.C.: April 17, 2014. Department of Homeland Security: DHS's Efforts to Improve Employee Morale and Fill Senior Leadership Vacancies. [hyperlink, http://www.gao.gov/products/GAO-14-228T]. Washington, D.C.: December 12, 2013. DHS Financial Management: Continued Effort Needed to Address Internal Control and System Challenges. [hyperlink, http://www.gao.gov/products/GAO-14-106T]. Washington, D.C.: November 15, 2013. Information Technology: Additional OMB and Agency Actions are Needed to Achieve Portfolio Savings. [hyperlink, http://www.gao.gov/products/GAO-14-65]. Washington, D.C.: November 6, 2013. DHS Financial Management: Additional Efforts Needed to Resolve Deficiencies in Internal Controls and Financial Management Systems. [hyperlink, http://www.gao.gov/products/GAO-13-561]. Washington, D.C.: September 30, 2013. DHS Recruiting and Hiring: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts. [hyperlink, http://www.gao.gov/products/GAO-13-742]. Washington, D.C.: September 17, 2013. Information Technology: Additional Executive Review Sessions Needed to Address Troubled Projects. [hyperlink, http://www.gao.gov/products/GAO-13-524]. Washington, D.C.: June 13, 2013. [End of section] Establishing Effective Mechanisms for Sharing and Managing Terrorism- Related Information to Protect the Homeland: Why Area Is High Risk: The government faces significant challenges in analyzing and disseminating terrorism-related information in a timely, accurate, and useful manner. Since designating this issue as high risk in 2005, we have monitored federal efforts to implement the Information Sharing Environment (Environment)--an overarching approach to strengthening the sharing of intelligence, terrorism, homeland security, law enforcement, and other information among federal, state, local, tribal, international, and private sector partners.[Footnote 171], [Footnote 172] Continued progress toward improved information sharing is critical, in order to reduce the risks of threats to the homeland-- such as the Boston Marathon bombings in 2013--and to respond to the changing nature of domestic threats. The Program Manager for the Information Sharing Environment (Program Manager), the individual responsible for planning, overseeing and managing the Environment, along with the key departments--the Departments of Homeland Security, Justice, State, and Defense, and the Office of the Director of National Intelligence (ODNI)--are critical to developing and implementing the Environment.[Footnote 173] What GAO Found: Figure: Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The federal government has made significant progress in promoting the sharing of information on terrorist threats, in meeting our criteria for leadership commitment and capacity, and in partially meeting the remaining criteria for this high-risk area. The government has made significant progress by developing a more structured approach to achieving the Environment and by defining the highest priority initiatives to accomplish. In our 2013 high-risk update, we reported that the federal government had demonstrated leadership commitment by establishing and sustaining an interagency policy committee and by defining the vision for the Environment. In 2013, the Program Manager released the Strategic Implementation Plan for the National Strategy for Information Sharing and Safeguarding (Implementation Plan). [Footnote 174] The Implementation Plan provides detailed guidance for the 16 priority objectives that are fundamental to creating the standards, technologies, and cooperation necessary to advance information sharing. However, additional actions could help ensure that the government also measures the extent to which these initiatives have improved information sharing, by demonstrating progress--such as meeting key milestones and time frames described in the Implementation Plan--and by monitoring results (including evolving metrics). The federal government made progress in this high-risk area largely by developing the Implementation Plan, which identifies 16 priority objectives that are critical to implementing the Environment. Each priority objective is housed within a governance entity (e.g., a department, agency, subcommittee, or working group) and is assigned a steward. The steward is responsible for ensuring that participating agencies communicate and collaborate to complete the objective, while also raising to senior management any issues that might hinder progress. Stewards are to communicate these issues via the Information Sharing and Access Interagency Policy Committee (Policy Committee)-- located within the Executive Office of the President--which is responsible for resolving these barriers.[Footnote 175] The Implementation Plan also outlines specific milestones and time frames for each priority objective, which is to allow the Policy Committee and key departments to measure progress towards achieving Environment initiatives. Program officials from each of the five key departments noted that the Implementation Plan has been useful in providing a structure in which numerous departments leverage capabilities and services that advance the Environment, and work collaboratively to protect against terrorist threats. Additionally, shifts in how key departments approach funding to implement Environment priorities, combined with recently released enterprise architecture guidance, have also helped move the Environment forward.[Footnote 176] In our 2011 report on the Environment, we recommended that key departments better define incremental costs for information sharing activities, so as to plan and budget for these costs.[Footnote 177] Additionally, we recommended establishing an enterprise architecture management plan to improve collaboration and coordination of departments' activities, as a management plan also would drive the management of operational and technological capabilities and services for the Environment nationwide.[Footnote 178] In our 2013 high-risk update, we included defining incremental costs as a key action item for successful implementation of the Environment. In 2014, officials from each of the five key departments said that information sharing activities are a daily activity that go hand in hand with the mission of the agency and related budgets, and are not separate mandates to fund. Therefore, there is no need to separately identify incremental costs since information sharing activities and costs are embedded within the agency's mission operations. Further, the 2013 Implementation Plan includes actions for developing aspects of an architecture for the Environment. In addition, the Program Manager has issued the Information Interoperability Framework (I2F), which begins to describe key elements intended to help link systems across departments to enable information sharing (i.e. interoperability). For example, the I2F calls for a common profile for achieving interoperability among systems, which provides (among other things) an approach for identifying core sets of standards and specifications across organizations. Maritime partners have used this framework to enhance interoperability among themselves and to increase their shared awareness of anything associated with the global maritime environment that could adversely affect the security, safety, economy, or environment of the United States. To mitigate remaining potential risks, the Program Manager and key departments have several additional actions to complete. Such actions include demonstrating that (1) concepts outlined in the Enterprise Architecture framework are executed as planned, (2) metrics have evolved to the point that they measure the extent to which initiatives have improved sharing and achieved homeland security results, in addition to measuring activities completed, and (3) a process exists to ensure that identified time frames and milestones for completing priority objectives are met. In our 2013 high-risk update, we listed nine action items that were critical for moving the Environment forward. In that report, we determined that two of those action items--demonstrating that the leadership structure has the needed authority to leverage participating departments and updating the vision for the Environment-- had been completed. Since then, the Program Manager and key departments have achieved four of the seven remaining action items and have made progress on the remaining three actions. Achieving all nine actions would--in effect--address our high-risk criteria. Table 8 summarizes the Program Manager's and key departments' progress in achieving the action items. Table 8: Status of Action Items: Action Items: Demonstrate that the Information Sharing and Access Interagency Policy Committee has needed authority, is leveraging participating departments, and is producing results; Action Item Status: Met[A]; High Risk Category: Leadership Commitment. Action Items: Update the vision for the Environment--the information sharing capabilities and procedures that need to be in place to help ensure terrorism-related information is accessible and identifiable to relevant federal, state, local, private, and foreign partners; Action Item Status: Met[A]; High Risk Category: Leadership Commitment. Action Items: Demonstrate that departments are defining incremental costs and funding needed to complete the responsibilities and activities which substantially achieve the Environment; Action Item Status: Met; High Risk Category: Capacity to resolve risk. Action Items: Continue to identify technological capabilities and services that can be shared collaboratively within and across the Environment, consistent with a federated architecture approach; Action Item Status: Met; High Risk Category: Capacity to resolve risk. Action Items: Demonstrate that initiatives within individual departments are, or will be, leveraged to benefit all relevant federal, state, local, and private security stakeholders participating in the Environment; Action Item Status: Met; High Risk Category: Plans that provide corrective measures. Action Items: Establish an enterprise architecture management capability and demonstrate that it will be used to guide selection of projects for substantially achieving the Environment; Action Item Status: Partially Met; High Risk Category: Plans that provide corrective measures. Action Items: Demonstrate that stakeholders generally agree with the strategy, plans, time frames, their responsibilities, and their activities for substantially achieving the Environment; Action Item Status: Met; High Risk Category: Plans that provide corrective measures. Action Items: Demonstrate that the federal government can show the extent to which sharing has improved under the Environment, or can show it has actions underway to more fully develop a set of metrics and processes to measure results achieved, both from individual projects and activities, as well as from the overall Environment; Action Item Status: Partially Met; High Risk Category: Monitor and validate the effectiveness of corrective measures. Action Items: Demonstrate that established milestones and time frames are being used as baselines to track and monitor progress on individual projects and in substantially achieving the overall Environment; Action Item Status: Partially Met; High Risk Category: Demonstrated Progress. Source: GAO. GAO-15-290. [A] In our 2013 high-risk report we determined that these actions had been completed. [End of table] Leadership Commitment: In our 2013 high-risk update, we reported that the federal government had fundamentally met this high-risk criterion-- primarily because the government had put into place the Policy Committee and defined the vision for the Environment. Since then, the government has issued the Implementation Plan and I2F, among other actions which demonstrate continued leadership commitment. Key departments have also played an increased leadership role by serving as stewards for the priority objectives in the Implementation Plan. Additionally, key departments have taken various actions to govern their own information sharing activities and to coordinate with the Environment. For example, as we reported in 2012, the Department of Homeland Security (DHS) has established a governance board to serve as the decision-making body for DHS information sharing issues.[Footnote 179] This board has identified information-sharing gaps and has developed a list of key initiatives to help address those gaps. Many of these initiatives--such as those related to information safeguarding--are consistent with established priorities for the Environment. Capacity to Resolve Risk: The government has met this high-risk criterion by changing its approach to funding information-sharing activities: funding is now a part of mission activities and operations. Additionally, the Implementation Plan defines the fundamental technological capabilities and services for advancing the Environment. The Program Manager and key departments also continue to make progress in identifying and establishing technological services consistent with a federated architecture approach.[Footnote 180] Specifically, regarding the government's approach to funding, senior officials in each key department explained that any incremental costs related to implementing the Environment are now embedded within each department's mission activities and operations and do not require separate funding. The Program Manager and department officials also noted that the Implementation Plan assigns priority objectives to those departments whose mission most aligns to the initiatives under each objective, thereby helping to ensure that the activities receive funding. The Program Manager and key departments have also made progress in continuing to define and establish technological capabilities and services which improve information sharing and the safeguarding of data. For example, a key initiative to develop capacity for the Environment is the Federal Identity Credential and Access Management (FICAM) program, which is also identified as a priority objective in the Implementation Plan. FICAM's goal is to control access to sensitive information on computer networks while also providing authorized users the information they need. FICAM comprises (among other things) the technologies and services used to create trusted digital credentials that can be used to verify and provide authorized access to an agency's information. This is useful for ensuring that information can be shared without the threat of security breaches. The 2014 Environment Performance Assessment Questionnaire noted that 8 out of 11 agencies in the Environment had made progress implementing FICAM standards in the sensitive but unclassified information domain. [Footnote 181] Having agencies adopt these standards represents an important step in federal capabilities that will allow agencies to establish individual accountability and facilitate the appropriate level of information access. An additional capacity-related priority objective in the Implementation Plan involves the discovery and access of information-- the ability to identify the existence of information and retrieve it. According to the results of the 2014 questionnaire, over 80 percent of agencies reported improvement in their ability to discover, access, and retrieve information necessary to accomplish their mission. In addition, the intelligence community is moving its data to a cloud- computing environment--a system that uses on-demand access to shared computing resources to centralize data storage, among other things-- which could allow agencies to share information and services much more easily. The Implementation Plan also has an objective dedicated to standards-based acquisition, which seeks to ensure that future products and services are interoperable. The goal of this objective is to develop common technical standards that are available to all departments and agencies as a guide when making acquisition decisions. Continued focus on implementing standards--through the annual questionnaire and the Policy Committee's monitoring of progress on the implementation plan--will help to ensure that agencies strive for more comprehensive adoption of these standards.-The Implementation Plan also identifies capacity-related activities consistent with a federated architecture approach, such as identifying technological capabilities and services to be used across communities of interest. For example, Environment stakeholders are to develop a plan in fiscal year 2015 that includes development and maintenance of a repository of capabilities and services. According to officials from the office of the Program Manager, the office has already developed a web-based collection of tools, best practices, and frameworks for improving information interoperability which is an example of such a repository. Another initiative identified in the Implementation Plan is the use of an Environment capability roadmap to select priority pilots. Although not specifically defined by the Implementation Plan, such a roadmap might help define the capabilities needed by the Environment over time and the steps needed to achieve those capabilities--including the establishment of priority pilot projects. Officials from the Program Manager's office cited the Maritime Domain Awareness initiative, which aims to help improve information sharing at sea and on other waterways, as one example of such a pilot. Since information-sharing services are shared across the government, rather than being funded and controlled by an individual agency, the Implementation Plan also states that the Federal Chief Information Officers Council's Shared Services Sub Committee will determine a mechanism for resolving budget, appropriation, and procurement issues associated with federal- wide shared services.[Footnote 182] Action Planning: The government has made progress in meeting this high- risk criterion by developing the Implementation Plan. The government achieved additional progress by leveraging information-sharing initiatives across the government and by issuing guidance to improve enterprise architecture management--both actions that we recommended in our 2011 report on the Environment.[Footnote 183] The development of the Implementation Plan was an important step for the Environment and, as we have reported, is one of the characteristics that can enhance the usefulness of national strategies.[Footnote 184] However, the Program Manager has not yet demonstrated that key departments are implementing the approach and interoperability concepts described by the I2F across the Environment. In addition to identifying key initiatives--such as those intended to control information access, safeguard information, increase a user's ability to search for relevant information, and increase interoperability among data systems--the Implementation Plan seeks to address gaps in information sharing that Environment stakeholders identified and that we highlighted in our 2013 high-risk report. For example, the plan establishes a priority objective dedicated to information sharing with the private sector. This objective seeks to ensure that processes and procedures are in place for identifying threats, including those related to cybersecurity and to critical infrastructure--such as financial institutions, commercial facilities, and energy production and transmission facilities, among others. Additionally, in the 2013 high-risk report, we noted that the Environment could benefit from leveraging individual departments' information sharing initiatives and that the Program Manager--in consultation with the Policy Committee and key departments--should determine potential ways to realize such benefits government-wide. The 2013 Annual Report to Congress identified several instances where key agencies were incorporating other agencies' initiatives.[Footnote 185] For example, the Federal Bureau of Investigation's (FBI) eGuardian system allows law enforcement agencies to submit suspicious activity reports into a single system that is accessible by thousands of law enforcement personnel. In the 2013 annual report, 11 of 15 agencies that participate in the Environment indicated that they use the FBI's eGuardian system. In the 2014 Performance Assessment Questionnaire, numerous agencies also mentioned fusion center information sharing as an initiative that they were leveraging.[Footnote 186] Specifically, all agencies that answered the 2014 question related to fusion center progress reported satisfaction with improvements made in the last year to enhance the capabilities and performance of the national network of fusion centers. This included improving the sharing of threat and encounter information between the federal government and state, local, and private partners. In November 2014, we reported on federal efforts to improve fusion center capabilities and results.[Footnote 187] Additionally, we have reported on the work of fusion centers in the past. For example, in April 2013 we reported that fusion centers, along with other field-based information sharing entities, provided a variety of analytical activities which resulted in benefits, such as intelligence products.[Footnote 188] The Program Manager has also made progress by issuing guidance to improve the Environment's enterprise architecture management. For example, the Implementation Plan includes tasks and time frames associated with establishing aspects of the Environment architecture. Such tasks and time frames include improving interoperability by developing the Information Interoperability Framework (I2F), defining needed capabilities and services, and developing a plan for a repository of these capabilities and services. This plan will help ensure that the information-sharing community is aware of the available capabilities and services. The Program Manager has issued an initial version of I2F to guide the implementation of information- sharing capabilities. I2F begins to describe key information sharing elements, including how different departments might be able to align their enterprise architectures with interoperability concepts described in I2F. In addition, this framework outlines (among other things) an approach for establishing core sets of standards and specifications across organizations. For example, officials from the office of the Program Manager stated that the framework helped provide technical specifications for a Maritime Information Sharing Environment, including specifications to publish and search for information about a ship's location. However, the Program Manager has not yet demonstrated that key departments are implementing over time the approach and interoperability concepts described by I2F. Additionally, the Program Manager has not yet demonstrated how he will hold key departments and entities accountable over time for executing key architecture-related tasks described in the Implementation Plan and for achieving associated outcomes. We will continue to monitor these enterprise architecture activities in this high-risk area to ensure that they are sustained over time. Monitoring: The Program Manager has made progress in meeting this high- risk criterion by continuing to devise and implement ways to measure the impact the Environment is having on the sharing of information to address terrorist and other threats to the homeland. However, the Program Manager should continue developing metrics that measure the performance and results achieved by the overall Environment, in addition to measuring department participation in key initiatives. The Program Manager and key departments have created a performance management framework to measure the performance of key departments in completing Environment initiatives, many of which are included in the Implementation Plan. This framework consists of several measures, including the Performance Assessment Questionnaire and homeland security scenarios that define information-sharing capabilities agencies are to achieve over time. Additionally, the Program Manager has used this information to support the 2014 Annual Report to Congress and has supplemented its website with additional performance data not included in the annual report. The performance management framework is intended to assess the maturity of the nation's ability to detect and respond to terrorism. All five of the key departments--in addition to other Environment stakeholders--participated in the 2014 Performance Assessment Questionnaire, which is designed to allow the Program Manager to assess department performance against national strategy goals and is a main component of the framework. For example, through the annual questionnaire, the Program Manager measures results from key Environment initiatives, such as the extent that information gathered from international partners is integrated into the process the government uses to screen individuals for potential terrorist threats. As such, it will be important for the annual questionnaire to continue to incorporate measures that demonstrate results and benefits achieved from information sharing, rather than counting departmental activities accomplished--such as the number of agencies with information-sharing governance boards. Officials from the Office of the Program Manager also developed a set of homeland security scenarios in 2011 to assist key departments in planning for and executing the Environment's initiatives. The scenarios are designed to demonstrate information-sharing capabilities relevant to an agency's mission as well as to allow the Program Manager and departments to determine if the Environment is achieving desired capabilities. For example, one scenario describes how departments need to mature their capabilities over the next 7 years such that an analyst does not have to manually check numerous databases to find information related to a suspicious activity, but rather can conduct one search of linked databases from a single point of entry. However, key departments are not using these scenarios to assess performance. For example, Department of Justice officials noted that the scenarios needed to be more real-world and law-enforcement specific for them to be useful. Given that the annual questionnaire is still evolving into an outcome-based document and departments have not adopted the scenarios, we will continue to monitor this issue. Demonstrated progress: The Program Manager and the key departments have identified time frames and milestones for meeting each priority objective listed in the Implementation Plan, among other things. However, it will be critical for all involved in the Environment to make sure that these time frames and milestones are being met. There are differing opinions among the key departments about the accountability for achieving these time frames. For example, a State department official noted that the time frames for that agency's objectives are flexible and can be pushed back to accommodate needs. On the other hand, DHS program officials--who are responsible for a majority of the priority objectives--noted that they have not needed to shift any time frames or milestones and have developed many detailed plans to meet the time frames. Additionally, the Implementation Plan assigns stewards to each priority objective--in most cases, a senior official within a key department--who have primary responsibility for coordinating, integrating, and synchronizing activities to achieve the priority objectives within the time frames established. Stewards for the key departments all noted that the Implementation Plan is useful for clarifying and guiding the activities of the Environment. However, concerns have been raised about the staff resources and administrative burdens associated with implementing 16 priority objectives. For example, FBI officials have noted that the same individuals are responsible for ensuring that multiple objectives are achieved and, therefore, a conversation around the structure and approach of the Environment might be useful. As of October 2014, the Program Manager and key departments were discussing the potential for prioritizing or streamlining aspects of the Implementation Plan or Environment structure. We will continue to monitor any potential changes to the Environment to determine how they might affect stated time frames and milestones. While the Implementation Plan contains specific objectives and milestones, the Program Manager stated that he has no ability to direct the actions of the agencies in the Environment. Rather, he noted that he serves to coordinate agency activity, but that the agencies have the central role in managing their participation. The Program Manager does have some ability to indirectly influence the process by, for example, publicly accounting for the progress in meeting the national strategy objectives in the annual reports that he submits to Congress. The Policy Committee also provides a forum for updates on the status of achieving time frames and allows the co- chairs to monitor overall progress. Due to the relatively recent introduction of the Implementation Plan, the Program Manager, Policy Committee, and key departments should continue to closely monitor stakeholders' progress and make any necessary adjustments to ensure that stakeholders are meeting milestones. The Implementation Plan denotes critical milestones through fiscal year 2018. As a result, we will continue to monitor the progress of stakeholders in meeting these time frames and milestones. What Remains to Be Done: Going forward, in addition to maintaining leadership commitment and capacity, the Program Manager and key departments will need to continue working to address remaining action items informed by our five high-risk criteria, thereby helping to reduce risks and enhance the sharing and management of terrorism-related information. Action Planning: The program manager, in coordination with the Policy Committee and key departments, should demonstrate over time that Environment participants are implementing the approach and concepts described by the March 2014 I2F across the Environment. The Program Manager should also demonstrate that departments and entities are executing key architecture-related tasks described in the Implementation Plan and are achieving related outcomes. Monitoring: The Program Manager, in coordination with the Policy Committee and key departments, should continue developing metrics that measure not only actions accomplished, but tangible results achieved, such as improved decisions based on information sharing plans and investments. These metrics should cover both department participation in key information sharing initiatives as well as the overall Environment. Demonstrated Progress: The Program Manager, in coordination with the Policy Committee and key departments, should demonstrate that established time frames and milestones are being used to track progress of the objectives in the Implementation Plan. Achieving these objectives is critical for advancing the overall goals of the Environment. If time frames or milestones begin to slip, it will be important for the Policy Committee to provide the leadership to ensure that initiatives are able to get back on track. As key milestones come due in future fiscal years, it will be important for departments to demonstrate they are meeting these milestones so that the work of the Environment can move forward. GAO Contact: For additional information about this high-risk area, contact David C. Maurer at (202) 512-9627 or MaurerD@gao.gov. Related GAO Products: Information Sharing: DHS Is Assessing Fusion Center Capabilities and Results, but Needs to More Accurately Account For Federal Funding Provided to Centers. [hyperlink, http://www.gao.gov/products/GAO-15-155]. Washington, D.C.: November 4, 2014. Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. [hyperlink, http://www.gao.gov/products/GAO-14-459]. Washington, D.C.: June 5, 2014. DHS Intelligence Analysis: Additional Actions Needed to Address Analytic Priorities and Workforce Challenges. [hyperlink, http://www.gao.gov/products/GAO-14-397]. Washington, D.C.: June 4, 2014. Intelligence, Surveillance, and Reconnaissance: DOD Has Taken Steps to Improve Data Management, but Key Guidance Is Incomplete. [hyperlink, http://www.gao.gov/products/GAO-13-398SU]. Washington, D.C.: May 8, 2013. Intelligence, Surveillance, and Reconnaissance: DOD Has Partially Implemented GAO's Recommendations to Enhance Intelligence Information Sharing. [hyperlink, http://www.gao.gov/products/GAO-13-440SU]. Washington, D.C.: April 26, 2013. Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities. [hyperlink, http://www.gao.gov/products/GAO-13-471]. Washington, D.C.: April 4, 2013. Information Sharing: Additional Actions Could Help Ensure That Efforts to Share Terrorism-Related Suspicious Activity Reports Are Effective. [hyperlink, http://www.gao.gov/products/GAO-13-233]. Washington, D.C.: March 13, 2013. [End of section] Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information: Why Area Is High Risk: Federal agencies and our nation's critical infrastructures--such as energy, transportation systems, communications, and financial services--are dependent on computerized (cyber) information systems and electronic data to carry out operations and to process, maintain, and report essential information.[Footnote 189] The security of these systems and data is vital to public confidence and the nation's safety, prosperity, and well-being. Safeguarding federal computer systems and the systems that support critical infrastructures-- referred to as cyber critical infrastructure protection--is a continuing concern. The security of our federal cyber assets has been on our list of high-risk areas since 1997. In 2003, we expanded this high-risk area to include the protection of critical cyber infrastructure. This year, we added protecting the privacy of personally identifiable information (PII)--information that is collected, maintained, and shared by both federal and nonfederal entities. Risks to cyber assets can originate from unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the ease of obtaining and using hacking tools, the steady advance in the sophistication of attack technology, and the emergence of new and more destructive attacks. The ineffective protection of cyber assets can result in the loss or unauthorized disclosure or alteration of information. This could lead to serious consequences and result in substantial harm to individuals and to the federal government. Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases. In addition, lower data storage costs have made it less expensive to store vast amounts of data. Also, ubiquitous Internet and cellular connectivity facilitates the tracking of individuals by allowing easy access to information pinpointing their location. These advances-- combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals-- have increased the risk of PII being exposed and compromised. Furthermore, the number of reported security incidents involving PII at federal agencies has increased significantly in recent years and a number of high-profile breaches of PII have occurred at commercial entities.[Footnote 190] For these reasons, we added protecting the privacy of PII to this high-risk area. What GAO Found: Figure: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Leadership at the White House and Department of Homeland Security (DHS) have committed to improving cybersecurity. For example, the President has issued strategy documents for improving aspects of cybersecurity and an executive order and policy directive for improving security and resilience of critical cyber infrastructure. In addition, Congress has recently enacted legislation intended to strengthen information security across the federal government and to improve the protection of critical cyber assets. This legislation needs to be effectively implemented and challenges remain, such as shortages in qualified cybersecurity personnel and continued weaknesses in agencies' information security programs. These challenges need to be addressed as initial steps toward removal from the High Risk List. Furthermore, progress will need to be demonstrated by agencies fully implementing their information security programs and by critical infrastructure sectors improving their cybersecurity. The White House and senior leaders at DHS have met the criterion of demonstrating top leadership commitment to securing federal information systems and critical cyber assets and protecting privacy. For example, the President has signed legislation and issued strategy documents for improving aspects of cybersecurity. In addition, senior leaders at DHS have committed time and resources to advancing cybersecurity efforts at federal agencies and within critical infrastructures.[Footnote 191] As part of its ongoing oversight, Congress recently enacted five laws that are intended to improve federal cybersecurity. The first, The Federal Information Security Modernization Act of 2014, revises the Federal Information Security Management Act of 2002 (FISMA).[Footnote 192] Among other things, the act includes provisions to clarify and strengthen information security roles and responsibilities for the Office of Management and Budget (OMB), DHS, and federal agencies. Specifically, the act codifies and clarifies existing requirements for DHS to 1) assist OMB with overseeing and monitoring agencies' implementation of security requirements; 2) operate the federal information security incident center; and 3) provide agencies with operational and technical assistance, such as that for continuously diagnosing and mitigating cyber threats and vulnerabilities. Furthermore, the act provides for the expanded reporting of security incidents and data breaches; requires OMB to annually assess agencies' implementation of data breach notification policies and procedures; and specifies that the agency head ensure all personnel are held accountable for complying with information security. Finally, the act also calls for OMB to revise OMB Circular A-130 to eliminate inefficient or wasteful reporting. This law is consistent with our prior suggestion that Congress consider legislation to better define roles and responsibilities for implementing and overseeing federal information security. The second and third laws are intended to help DHS address its cybersecurity workforce challenges. The Cybersecurity Workforce Assessment Act requires DHS to assess its cybersecurity workforce and develop a strategy for addressing workforce gaps, and The Homeland Security Cybersecurity Workforce Assessment Act requires DHS to identify all of its cybersecurity positions and calls for the department to identify specialty areas of critical need in its cybersecurity workforce.[Footnote 193] Both of these laws are consistent with our recommendations for actions to improve governmentwide cybersecurity workforce planning initiatives and workforce planning efforts at the agencies we reviewed. The fourth, The National Cybersecurity Protection Act of 2014, codifies the role of DHS' National Cybersecurity and Communications Integration Center as the federal civilian interface for sharing information concerning cybersecurity risks, incidents, analysis, and warnings for federal and non-federal entities, including owners and operators of information systems supporting critical infrastructure. [Footnote 194] It directs DHS to provide shared situational awareness to federal and non-federal entities to enable real time visibility of cybersecurity risks and incidents. The act requires DHS to coordinate the sharing of information related to cybersecurity risks and incidents and, upon request, to provide timely technical assistance, risk management support, and incident response capabilities to federal and non-federal entities. The act is consistent with our recommendation that the Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security bolster efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community. It is also addresses our prior suggestion that Congress consider legislation to better define roles and responsibilities for protecting the nation's critical cyber assets. The fifth, The Cybersecurity Enhancement Act of 2014, among other things, authorizes the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary standards to reduce cyber risks to critical infrastructure and to continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the federal government.[Footnote 195] These provisions are consistent with our work highlighting NIST's role in providing guidance to agencies and illustrating agencies' challenges in implementing cloud computing. In addition, the act requires the Office of Science and Technology Policy (OSTP) in the Executive Office of the President to facilitate agencies development of a federal cybersecurity research and development plan. This law is consistent with our recommendations that the Director of the OSTP, in conjunction with the national Cybersecurity Coordinator, take several actions to address key cybersecurity research and development challenges. Senior leadership at OMB and DHS have partially met the criterion for improving the capacity of federal agencies to sufficiently protect their information systems. For example, DHS expanded the capacity of the National Cybersecurity and Communications Integration Center to improve the capability of federal stakeholders to share cyber information with the private sector owners and operators who own the vast majority of the nation's critical infrastructure. In addition, DHS is spearheading an initiative to enhance the capabilities of federal agencies to continuously diagnose and mitigate information security vulnerabilities. However, more needs to be done to address shortages in qualified cybersecurity professionals. Officials at several agencies have identified concerns with the availability of qualified candidates for certain highly technical positions, such as network security engineers, malware analysts, and computer forensics experts. Previously, we reported that the extent to which federal agencies had implemented and established workforce planning practices for cybersecurity personnel varied by agency and that workforce plans at most (six of eight) agencies we reviewed did not fully define cybersecurity needs.[Footnote 196] We recommended that the agencies take steps to improve their cybersecurity workforce planning and that agencies involved with government-wide cybersecurity workforce initiatives, such as DHS, take actions to improve coordination and planning for those initiatives. The White House and DHS have partially met the criterion for having a corrective action plan to improve the protection of cyber assets. For example, the White House and DHS have issued various strategies and corrective action plans over the years to mitigate known cyber deficiencies and threats. However, the strategies and plans sometimes omitted (1) key elements such as milestones, performance metrics, required resources, roles, and responsibilities; and (2) key challenge areas such as developing risk-based information security programs. The President also issued Executive Order 13636, which outlines an action plan for improving security for critical cyber infrastructure. This includes developing a cybersecurity framework, performance measures, and incentives for its implementation. While some actions have been taken to address the Executive Order, such as NIST's development of a critical infrastructure cybersecurity framework, others are ongoing. The White House, OMB, and federal agencies have partially met the criterion for implementing programs to monitor corrective actions. For example, the White House and OMB have continued to monitor and track the performance of agencies' capabilities in the cybersecurity cross- agency priority areas related to continuous monitoring and strong authentication, and have added antiphishing and malware defense as a priority area for fiscal year 2015. However, agencies did not meet the overall fiscal year 2014 performance targets for continuous monitoring and strong authentication. In addition, OMB and DHS have continued to monitor agencies' implementation of information security requirements using FISMA metrics that are tracked in the CyberScope system. [Footnote 197] Nonetheless, we have previously reported that the paucity of metrics that measure the effectiveness of those activities limits the usefulness of the system for monitoring how well agencies are securing their computer systems and networks.[Footnote 198] DHS has also conducted CyberStat reviews that are intended to hold agencies accountable and offer assistance for improving their information security posture.[Footnote 199] Nonetheless, we have previously reported that more actions could be taken to better oversee and assist agencies with improving their information security practices. Continued improvement and implementation of these capabilities and activities are steps in the right direction and could enhance federal information security. Federal stakeholders also need to enhance their coordination and monitoring efforts with private sector entities to facilitate improvements to the cybersecurity of critical infrastructure, including the adoption or use of a cybersecurity framework. In February 2014, NIST completed the development of the initial version of the cybersecurity framework. This framework, among other things, is intended to enable organizations to apply risk management principles for improving the security of critical infrastructures. It also is designed to provide multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are being used in industry today. Federal agencies and DHS have partially met the criterion of demonstrating progress in implementing many of the requirements for securing federal systems and networks. For example, some agencies have established certain components of their information security programs, but not others. Also, DHS has established a program to promote critical infrastructure sectors' use of NIST's cybersecurity framework. However, cyber threats and incidents to systems supporting the federal government and national critical infrastructures are increasing. These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. For example, advanced persistent threats--where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives--pose increasing risks. Further underscoring this risk are the increases in incidents that could threaten national security, public health, and safety, or lead to inappropriate access to and disclosure, modification, or destruction of sensitive information. Such incidents may be unintentional, such as a service disruption due to an equipment failure or a natural event, or intentional, where for example, a hacker attacks a computer network or system. Over the past 8 years, the number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of 1,121 percent (see figure 8).[Footnote 200] Figure 8: Incidents Reported to US-CERT by Federal Agencies in Fiscal Years 2006-2014: [Refer to PDF for image: vertical bar graph] Fiscal year: 2006; Number of reported incidents: 5,503. Fiscal year: 2007; Number of reported incidents: 11,911. Fiscal year: 2008; Number of reported incidents: 16,843. Fiscal year: 2009; Number of reported incidents: 29,999. Fiscal year: 2010; Number of reported incidents: 41,776. Fiscal year: 2011; Number of reported incidents: 42,854. Fiscal year: 2012; Number of reported incidents: 48,562. Fiscal year: 2013; Number of reported incidents: 61,214. Fiscal year: 2014; Number of reported incidents: 67,168. Source: GAO analysis of United States Computer Emergency Readiness Team data for fiscal years 2006-2014. GAO-15-290. [End of figure] In addition, the federal government continues to face challenges in effectively implementing cybersecurity policies. GAO and agency inspector general reports have identified challenges in a number of key areas of the government's approach to cybersecurity, including those related to protecting government information and systems and the nation's critical cyber infrastructures. These challenges remain in the following areas. * Designing and implementing risk-based cybersecurity programs at federal agencies. Shortcomings persist in assessing risks, developing and implementing security controls, and monitoring results at federal agencies. Specifically, for fiscal year 2014, 17 of the 24 major federal agencies covered by the Chief Financial Officers Act reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting.[Footnote 201] Further, inspectors general at 22 of the 24 agencies cited information security as a major management challenge for their agency.[Footnote 202] For fiscal year 2014, most of the agencies had information security weaknesses in the majority of five key control categories: limiting, preventing, and detecting inappropriate access to computer resources; managing the configuration of software and hardware; segregating duties to ensure that a single individual does not have control over all key aspects of a computer- related operation; planning for continuity of operations in the event of a disaster or disruption; and implementing agencywide information security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks regularly (see figure 9). Figure 9: Information Security Weaknesses at Major Federal Agencies for Fiscal Year 2014: [Refer to PDF for image: vertical bar graph] Information security weaknesses: Information security weakness: Access control; Number of agencies: 20. Information security weakness: Configuration management; Number of agencies: 21. Information security weakness: Segregation of duties; Number of agencies: 11. Information security weakness: Continuity of operations; Number of agencies: 18. Information security weakness: Security management; Number of agencies: 23. Source: GAO analysis of agency annual financial reports as of January 13, 2015. GAO-15-290. [End of figure] * Managing risks to the global information technology (IT) supply chain. Reliance on a global supply chain for IT products and services introduces risks to systems. Federal agencies have not always addressed them. Specifically, in March 2012, we reported that four national security-related agencies varied in the extent to which they had defined supply chain protection measures for their information systems and that two were not in a position to develop implementing procedures and monitoring capabilities for the measures.[Footnote 203] We recommended that three of the four agencies we reviewed take steps to better address IT supply chain-related security risks. The agencies concurred with our recommendations. * Addressing cybersecurity for the nation's critical infrastructures. In December 2014, we reported that although DHS and other stakeholders were taking preliminary steps to address cyber risk to building and access control systems, significant work remained.[Footnote 204] Specifically, DHS lacked a strategy for addressing cyber risk and the department's Interagency Security Committee (ISC), responsible for developing physical security standards for nonmilitary federal facilities, had not incorporated cyber threats to building and access control systems in its threat report to federal agencies. In addition, the General Services Administration (GSA) had not fully assessed the risk of building control systems to a cyber attack in a manner that was consistent with FISMA or its implementation guidelines. We recommended that DHS develop and implement a strategy to address cyber risk to building and access control systems and direct ISC to revise its threat report to include cyber threats to building and access control systems. We also recommended that GSA assess cyber risk of its building control systems by fully reflecting FISMA and its guidelines. DHS and GSA agreed with our recommendations. In June 2014, we reported that federal efforts to address cybersecurity in the maritime port environment had been limited. [Footnote 205] For example, while the Coast Guard had initiated a number of activities to improve physical security in specific ports, it had not (1) conducted a risk assessment that fully addressed cyber- related threats, vulnerabilities, and consequences; or (2) provided guidance that ensured the maritime security plans required by law and regulation identified or addressed potential cyber-related threats and vulnerabilities. Also, in January 2014, we reported, among other things, that critical infrastructure planning for the cybersecurity of state and local public safety entities involved in handling 911 emergency calls did not address the development and implementation of more interconnected, Internet-based information technologies.[Footnote 206] In addition, we reported in April 2013 that, along with other things, DHS and its partners had not developed outcome-based performance measures related to the cyber protection of key parts of the communications infrastructure sector.[Footnote 207] We concluded that outcome-based metrics related to communications networks and critical components supporting the Internet would provide federal decision makers with additional insight into the effectiveness of partner protection efforts at the sector level. * Enhancing oversight of contractors providing IT services. In August 2014, we reported that five of the six agencies reviewed were inconsistent in overseeing the execution and review of security assessments that were intended to determine the effectiveness of contractor implementation of controls, resulting in security lapses. [Footnote 208] A contributing reason for these shortfalls was that agencies had not documented IT security procedures for officials to follow to effectively oversee contractor performance. In addition, according to OMB, 16 of 24 inspectors general reported that their agency's program for managing contractor systems lacked at least one required element. For example, 11 agencies did not obtain sufficient assurance that security controls of such systems and services had been effectively implemented and complied with federal and organizational requirements, and 9 agencies had contractor owned or operated systems that were not compliant with FISMA requirements, OMB policy, and applicable NIST guidelines. We recommended that OMB, in collaboration with DHS, develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems. We also recommended that the reviewed agencies develop, document, and implement IT security oversight procedures for their contractor- operated systems. OMB did not provide any comments, but the agencies we reviewed generally concurred with our recommendations. * Improving security incident response practices. In April 2014, we reported that the 24 major federal agencies did not consistently demonstrate that they had been effectively responding to cyber incidents.[Footnote 209] Based on the statistical sample of cyber incidents reported in fiscal year 2012, we projected that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies did not consistently demonstrate that they had determined the impact of incidents or taken actions to prevent recurrence of an incident. Although all six agencies we reviewed in depth had developed parts of policies, plans, and procedures to guide their cyber incident response activities, agencies' efforts were not comprehensive or fully consistent with federal requirements. We recommended that OMB and DHS address agency incident response practices government-wide, in particular through CyberStat meetings, and also recommended that the reviewed agencies take actions to improve the effectiveness of their cyber incident response programs. The agencies generally concurred with our recommendations. * Implementing security programs at small agencies. In June 2014, we reported that while small agencies had developed many of the requirements of an information security program, their programs had not been fully implemented.[Footnote 210] Specifically, four of the six agencies reviewed had developed an information security program that included risk assessments, security policies and procedures, system security plans, security awareness training, periodic testing and evaluation, remedial action plans, incident handling, and contingency planning. However, key elements of their plans, policies, or procedures in these areas were outdated, incomplete, or did not exist. In addition, two of the six agencies did not develop an information security program with the required FISMA elements. We recommended that OMB include in its annual report to Congress on agencies' implementation of FISMA a list of agencies that did not report on the implementation of their information security programs, and information on small agencies' implementation of privacy requirements. We also recommended that DHS develop services and guidance targeted to small and micro agencies. OMB and DHS generally concurred with our recommendations. With regards to protecting the privacy of personally identifiable information, actions have been taken but more needs to be done. The president has issued a consumer privacy "bill of rights" intended to be a blueprint for privacy in the information age. He has also established a presidentially-chartered review group on intelligence and communications technologies that has made recommendations intended to strengthen personal privacy protections while maintaining national security. Nevertheless, the federal government continues to face challenges in effectively addressing increasing concerns about the protection of the privacy of personally identifiable information (PII). The number of reported security incidents involving PII at federal agencies has increased in recent years, rising from 10,481 incidents in 2009 to 27,624 incidents in 2014. (See figure 10): Figure 10: Incidents Involving PII, Fiscal Years 2009-2014: [Refer to PDF for image: vertical bar graph] Fiscal year: 2009; Number of reported incidents: 10,481. Fiscal year: 2010; Number of reported incidents: 13,028. Fiscal year: 2011; Number of reported incidents: 15,584. Fiscal year: 2012; Number of reported incidents: 22,156. Fiscal year: 2013; Number of reported incidents: 25,566. Fiscal year: 2014; Number of reported incidents: 27,624. Source: GAO analysis of United States Computer Emergency Readiness Team data for fiscal years 2009-2014. GAO-15-290. [End of figure] In addition, the recent high-profile breaches of PII at federal agencies and commercial entities have heightened concerns that personal privacy is not being adequately protected. For example: * In September 2014, a cyber intrusion into the United States Postal Service's information systems may have compromised PII for more than 800,000 of its employees. * In March 2014, a cyber attack on the Office of Personnel Management's system for maintaining security clearance information could have exposed the PII of thousands of federal employees. * Credit and debit card information of 56 million customers of Home Depot, Inc. may have been compromised in a 5-month attack on its payment terminals. * Credit and debit card information for 40 million customers of Target was stolen by hackers in November and December 2013. We have previously identified PII-related challenges for Congress and federal agencies to address in the following areas. * Updating federal law. We testified in July 2012 that technological developments since the Privacy Act became law in 1974 had rendered some of the provisions of the Privacy Act and the E-Government Act of 2002 inadequate to fully protect all PII collected, used, and maintained by the federal government.[Footnote 211] In addition, we suggested that Congress consider amending those laws by revising their scope to cover all PII collected, used, and maintained by the federal government; setting requirements to ensure that the collection and use of PII is limited to a stated purpose; and establishing additional mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of public notices. * Implementing programs to protect privacy and PII. In September 2014, we reported that the Centers for Medicare & Medicaid Services had not fully assessed privacy risks associated with handling PII or identified mitigating controls to address such risks when it prepared privacy impact assessments for its major Healthcare.gov systems. [Footnote 212] It also had not established computer matching agreements with two federal agencies that each had a role in verifying information submitted by healthcare coverage applicants. We recommended, among other things, that all privacy risks associated with Healthcare.gov be analyzed and documented in privacy impact assessments, and that computer matching agreements be established with the two federal agencies with which it did not have an agreement. HHS generally concurred, but disagreed in part with our assessment that its privacy impact assessments did not fully address privacy risks associated with Healthcare.gov operations. In June 2014, we also reported that the six small agencies we reviewed had mixed progress in implementing privacy requirements.[Footnote 213] For example, although five of the six agencies had assigned a senior official for privacy, most of the agencies did not consistently issue system of records notices or conduct privacy impact assessments for all systems containing personally identifiable information. We recommended, among other things, that the Director of OMB include in the annual report to Congress on agencies' implementation of FISMA, information on small agencies' implementation of privacy requirements. OMB generally concurred with our recommendations. * Consistently implementing requirements for computer matching programs. The Computer Matching Act, which modifies the Privacy Act, aims to ensure that privacy is protected when agencies compare data across different systems to, among other things, assist in making determinations about benefits. In January 2014, we reported that the seven federal agencies we reviewed had implemented the act's requirements inconsistently.[Footnote 214] Agencies interpreted the act's requirements in varied ways leading to inconsistent policies and procedures. Further, the act's requirements may discourage agencies from using computer matching because the required processes are lengthy and resource-intensive. We recommended that the seven reviewed agencies take steps to improve their implementation of the act. Six of the seven agencies generally agreed with our recommendations. * Responding to breaches of PII. In December 2013, we reported that the eight federal agencies we reviewed had inconsistently implemented policies and procedures for responding to a data breach involving PII.[Footnote 215] Inconsistent implementation occurred in areas such as documenting how risk levels had been determined, offering credit monitoring to affected individuals, and evaluating lessons learned from incidents. In addition, OMB requirements for agency reporting of PII-related data breaches were not always feasible or necessary. We concluded that agencies may not be consistently taking actions to limit the risk to individuals from PII-related data breaches, and may be expending resources to meet OMB reporting requirements that provide little value and divert time and attention from responding to a breach. We recommended that OMB revise its guidance on federal agencies' responses to a PII-related data breach and also recommended that the reviewed agencies take specific actions to improve their response to data breaches involving PII. OMB neither agreed nor disagreed with our recommendations. Of the eight agencies we reviewed, four agreed with all our recommendations, two partially agreed, and the remaining two neither agreed nor disagreed. * Better protecting privacy of mobile device location data. In September 2012, we reported on concerns among privacy advocates that consumers may be unaware of how location data captured by their smartphones is shared and used by third parties, and could be at risk of identity theft or other harm if that information is misused or inadequately protected.[Footnote 216] The Department of Commerce's National Telecommunications and Information Administration (NTIA) planned a multistakeholder process to develop codes of conduct for protecting the privacy of location data, but specific goals, milestones, and performance measures for that effort had not been set. We recommended that NTIA develop such goals, milestones, and performance measures, and that the Federal Trade Commission consider issuing guidance to mobile companies on appropriate actions for protecting the privacy of location data. The Department of Commerce disagreed with our recommendation to NTIA, but the Federal Trade Commission agreed with our recommendation and implemented it. Furthermore, revelations about the extent to which private companies collect detailed information about the activities of individuals have raised concerns about the potential for significant erosion of personal privacy. For example, private sector uses of PII through data analytics programs raise concerns about transparency (the analytical activities are done in "secret"), context (the data being analyzed may be specific to a certain context, which is lost when it is combined with other data), accuracy (the data may be inaccurate or out of date, or they may not be sufficiently accurate for the new purpose), and redress (individuals adversely affected by the analytical results have no way to correct the problem or be compensated for any resulting hardship). In September 2013, we noted that no overarching federal privacy law governs the collection and sale of personal information among private- sector companies, including information resellers (companies that collect and resell information on individuals).[Footnote 217] We also concluded that the current statutory framework for consumer privacy does not fully address new technologies--such as the tracking of online behavior or mobile devices--and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. What Remains to Be Done: The administration needs to prepare an overarching cybersecurity strategy that includes all desirable characteristics of a national strategy, including milestones and performance measures; cost, sources, and justification for needed resources; specific roles and responsibilities of federal organizations; guidance, where appropriate, regarding how this strategy relates to priorities, goals, and objectives stated in other national strategy documents; and then demonstrate progress in implementing the strategies and achieving measurable and appropriate outcomes. The strategy should include a roadmap for making significant improvements in cybersecurity challenge areas listed above and better ensure that federal departments and agencies are held accountable for making significant improvements in those cybersecurity challenge areas. In addition, DHS, for its role in overseeing agencies' cybersecurity, should expand CyberStat reviews to all major agencies and continue to enhance the FISMA performance metrics. Executive branch agencies, in particular DHS, also need to continue to enhance their cyber analytical and technical capabilities (including capabilities to address federal cross-agency priorities), expand oversight of federal agencies' implementation of information security, and demonstrate progress in strengthening the effectiveness of public-private sector partnerships in securing cyber critical infrastructures. Agencies also need to (1) develop and implement remedial action plans for resolving known security deficiencies in government systems; (2) fully develop and effectively implement agencywide information security programs, as required by FISMA; (3) demonstrate measurable, sustained progress in improving security over federal systems; (4) fully develop and implement capabilities for continuously diagnosing and mitigating cyber threats and vulnerabilities; (5) improve their response to information security incidents and data breaches involving PII; and (6) consistently develop and implement privacy policies and procedures.[Footnote 218] Such progress should include having the government-wide material weakness in information security upgraded to a significant deficiency for two consecutive years and reducing the factors that contribute to the significant deficiency, as we reported in our annual audit of the financial statements for the United States government. Until the White House and executive branch agencies implement the hundreds of recommendations that we and agency inspectors general have made to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs and privacy practices, a broad array of federal assets and operations may remain at risk of fraud, misuse, and disruption, and the nation's most critical federal and private sector infrastructure systems will remain at increased risk of attack from adversaries. In addition to the recently passed laws addressing cybersecurity and the protection of critical infrastructures, Congress should also consider amending applicable laws, such as the Privacy Act and E- Government Act, to more fully protect PII collected, used, and maintained by the federal government. GAO Contact: For additional information about this high-risk area, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Related GAO Products: Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls. [hyperlink, http://www.gao.gov/products/GAO-14-730]. Washington D.C.: September 16, 2014. Information Security: Agencies Need to Improve Oversight of Contractor Controls. [hyperlink, http://www.gao.gov/products/GAO-14-612]. Washington, D.C.: August 8, 2014. Information Security: Additional Oversight Needed to Improve Programs at Small Agencies. [hyperlink, http://www.gao.gov/products/GAO-14-344]. Washington, D.C.: June 25, 2014. Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. [hyperlink, http://www.gao.gov/products/GAO-14-459]. Washington, D.C.: June 5, 2014. Information Security: Agencies Need to Improve Cyber Incident Response Practices. [hyperlink, http://www.gao.gov/products/GAO-14-354]. Washington, D.C.: April 30, 2014. Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities' Emerging Technology. [hyperlink, http://www.gao.gov/products/GAO-14-125]. Washington D.C.: January 28, 2014. Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent. [hyperlink, http://www.gao.gov/products/GAO-14-34]. Washington, D.C.: December 9, 2013. Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness. [hyperlink, http://www.gao.gov/products/GAO-13-776]. Washington, D.C.: September 26, 2013. Communications Networks: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts. [hyperlink, http://www.gao.gov/products/GAO-13-275]. Washington, D.C.: April 3, 2013. Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. [hyperlink, http://www.gao.gov/products/GAO-13-187]. Washington, D.C.: February 14, 2013. [End of section] Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: Why Area Is High Risk: Technological superiority is critical to U.S. military strategy. As such, the Department of Defense (DOD) spends billions of dollars each year to develop and acquire sophisticated technologies to provide an advantage for the warfighter during combat or other missions. Many of these technologies are also sold or transferred to promote U.S. economic, foreign policy, and national security interests. These technologies can also be acquired through foreign investment in the U.S. companies that develop or manufacture them. In addition, they are targets for unauthorized transfer, such as theft, espionage, reverse engineering, and illegal export. To identify and protect technologies critical to U.S. interests, the U.S. government has a number of programs. These include export controls--those developed to regulate exports and ensure that items and information are transferred to foreign parties in a manner consistent with U.S. interests--as well as a number of non-export control programs, including the Foreign Military Sales program, anti- tamper policies, and reviews of transactions that could result in control of a U.S. business by a foreign person. These programs are administered by multiple federal agencies with various interests, including DOD and the Departments of Commerce, Homeland Security, Justice, State, and the Treasury. We designated this area as high risk in 2007 because these programs, established decades ago, were ill- equipped to address the evolving 21st century challenge of balancing national security concerns and economic interests. While these agencies are making progress in addressing challenges identified by our work, we believe that additional leadership coordination of existing programs, among other things, is needed to identify strategic reforms that will help to ensure the advancement of U.S. interests. What GAO Found: Figure: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Agencies responsible for critical technologies programs have made notable progress. Specifically, leadership commitment to addressing challenges has been evident in several areas of the critical technologies portfolio. For example, in August 2009, the president directed a broad-based interagency review of the U.S. export control efforts. However, greater collaboration among the critical technologies programs could ensure that a consistent approach is taken by the lead and stakeholder agencies in meeting program goals. The capacity for addressing challenges and implementing reforms has improved at some programs. For example, according to a senior DOD official, the National Industrial Security Program--a DOD program established to ensure that federal contractors cleared for classified information, including information associated with critical technologies, are taking steps to safeguard that information--reports it has increased its staffing to reduce the backlog of reviews of new companies handling classified information. In contrast, according to Commerce officials, Commerce is experiencing delays in its capacity to migrate to a single information technology system for export licensing due to requirements concerning crossover from classified to unclassified domains and the interface between Commerce's licensing and enforcement databases. Action plans to guide improvements are in place at some programs. Specifically for the export control-related programs, in April 2010, the president proposed a plan for implementing export control reform through a phased approach, with the goals of creating a single control list, single licensing agency, unified information technology system, and primary enforcement coordination center. Outside the area of export control reform, however, DOD has not taken steps to formally replace the Militarily Critical Technologies List--a technical reference for which DOD is primarily responsible to help identify critical technologies and assess the risks associated with their protection--or developed a formal plan specifying the best approach to meeting user needs. Monitoring of efforts to meet key challenges also has improved at some programs. For example, the DOD and State offices responsible for the Foreign Military Sales program have implemented some, but not all, of our past recommendations on performance measures, tracking, and monitoring program outcomes. Programs across the critical technologies portfolio have demonstrated progress through increased collaboration. For example, staff at Commerce, DOD, and State have worked closely together in implementing export control reform. This increased collaboration is a concrete step toward a better coordinated, more effective portfolio of programs for protecting critical technologies. In summary, our body of work in this area has identified significant progress in the programs designed to protect technologies critical to U.S. national security interests, but challenges remain. Since we first designated the effective protection of critical technologies as a high-risk area, the administration has implemented broad export control reform efforts, and federal agencies have taken individual steps to improve their non-export control programs. Consequently, we have since grouped the programs into export control programs and non-export control programs to improve clarity and assist in measuring progress. Critical Technologies--Export Controls: Figure: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: [Refer to PDF for image: star illustration] Critical Technologies--Export Controls: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Our past work highlighted the need for export control reform. Some of the issues identified through these reports include poor interagency coordination, inefficiencies in the license application process, and a lack of systematic assessments. Leadership commitment and development of an action plan have been met through the administration's export control reform efforts that began in 2010--consisting of a three-phase framework of agency actions to implement reforms to export control lists, licensing, enforcement, and information technology--which have the potential to improve the efficiency and effectiveness of the export control process. For example, the licensing agencies have reviewed 15 of the 21 U.S. Munitions List categories to determine whether they should remain under State control or move to Commerce control. The goal is to move certain less sensitive items from State's jurisdiction to Commerce's, while leaving high-risk and high-priority items on State's list. In addition, 15 federal agencies have come together through the establishment of the Export Enforcement Coordination Center, which, according to statistics the Center Director provided to us, has resulted in a heightened awareness through exchange of investigation-related information. While these are positive steps, we also have identified areas in which further action is needed: * The Export Enforcement Coordination Center has made good progress in addressing our prior findings that export enforcement agencies had poor interagency coordination by setting forth an action plan and instituting the capacity for "deconfliction"--a procedure for coordinating enforcement efforts at multiple agencies--and dispute resolution among export control agencies represented at this Center. In particular, the deconfliction process provides a forum for export control enforcement agencies to share information on and monitor potential enforcement actions with the goal of limiting duplicative or counterproductive activities. However, several additional procedures are in varying stages of completion. For example, we found that no formal process exists for the investigative export control enforcement and intelligence communities to quantify and identify statistical trends and patterns relating to information on illicit transshipments. The Center has not yet finalized the procedures to help facilitate this data-sharing to improve monitoring of illicit transshipment activity. * We found that export control agencies operate with disparate, sometimes antiquated information technology systems. As part of export control reform, DOD's USXPORTS system has undergone enhancements to have the capacity to be the single export licensing database. Treasury is expected to enter an agreement with DOD to use this system for approving export licenses to embargoed countries. Also, DOD has signed separate agreements with State and Commerce to adopt its USXPORTS system to improve communication and coordination in the export licensing process. However, problems in implementing system requirements needed by Commerce have limited its progress toward using USXPORTS as the single information technology system. * We recommended in 2012 that State and Commerce, in consultation with the Departments of Homeland Security and Justice, and other agencies as appropriate, improve the license determination process. This process confirms whether an item is subject to export controls and requires a license, and thereby helps officials determine whether an export control violation has occurred. State officials told us that a memorandum of understanding was being drafted to formalize changes that could address this concern, but it has not yet been finalized. * We recommended in 2012 that DOD and State eliminate gaps and inconsistencies in implementing their respective efforts to monitor the end-use of items exported to foreign entities. Critical Technologies--Non-Export Controls: Figure: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: [Refer to PDF for image: star illustration] Critical Technologies--Non-Export Controls: Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] For the non-export control segment, DOD has made progress in developing action plans and in leadership commitment for some of the critical technology programs. In previous reports, we have concluded that this portfolio of programs is fragmented and poorly coordinated. Since then, DOD has initiated a plan and instituted the capacity for oversight and collaboration on those programs related to security cooperation and disclosure. For example, since 2008, for security cooperation programs, such as Foreign Military Sales, a group of senior DOD officials reviewed proposed transactions--such as security cooperation agreements and sales or transfers of military equipment to other countries--that raise major concerns about risks to critical technologies. This group, the Arms Transfer and Technology Release Senior Steering Group (ATTR SSG), reviews transactions under the Foreign Military Sales program and considers the national disclosure policy and anti-tamper policy when it conducts these reviews. Representatives of other agencies, including two State offices, participate in ATTR SSG as observers. DOD has also taken action to implement procedures to improve the availability of information on security assistance agreements for Foreign Military Sales. However, additional actions are needed in these and in other areas: * DOD has not yet implemented our recommendations regarding performance measures to improve monitoring for Foreign Military Sales and other security cooperation programs in which military equipment is provided directly to foreign governments. * DOD officials told us that their freight tracking system does not provide a complete, real-time picture of the current locations of military items in transit to foreign governments. * DOD's Militarily Critical Technologies List, originally developed in response to the Export Administration Act of 1979 in order to inform export decisions, is no longer being updated or used by DOD officials who provide input on the criticality of technologies as part of export license determinations, and reviews of foreign acquisition of U.S. companies. According to several program officials with responsibility for protection of critical technologies, they do not use the list and are determining whether to seek relief from the requirement to maintain the list. In the meantime, the officials are relying on subject matter experts or other lists, such as the revised U.S. Munitions List, which they describe as more current and better suited to their need for a clear and comprehensive list of technologies to be protected. What Remains to Be Done: We have made a number of recommendations to agencies aimed at improving coordination among the programs that are intended to protect technologies critical to U.S. national security. We believe that implementing these recommendations could result in significant improvements. However, our body of work shows that challenges remain. To address these challenges, we have previously reported that the executive branch and Congress should consider reevaluating the wider portfolio of critical technologies protection programs, including an assessment of prospects for achieving collaboration across separate but related programs designed to protect critical technologies. The commitment by executive branch leadership to reform in the area of export controls and the development of concrete action plans in that area represent important steps forward, but leadership commitment is less evident in the critical technologies programs that fall outside the scope of export control reform. The need for action remains both at the individual program level and the portfolio level. Individual agencies need to continue to implement our recommendations to address weaknesses in their respective programs. Doing so could increase these programs' capacity for implementing reforms and their ability to monitor progress. For example, the export control agencies should finalize the memorandum of understanding that will enable them to process license determinations in a more timely manner. Similarly, DOD should take additional actions to enhance its ability to provide security assistance through, for example, its Foreign Military Sales program by establishing performance measures for all phases of the security assistance process. At the portfolio level, implementation of export control reforms demonstrates leadership commitment, but the agencies involved in export controls must continue to implement reforms to achieve the goals set out by the administration with the goal of protecting U.S. interests. For non-export control reform, DOD's technology security and foreign disclosure reforms represent an important step forward in coordinating the activities of selected programs. However, other decisions remain to be made, such as whether to maintain the Militarily Critical Technologies List and what level of interagency coordination is needed to ensure protection of critical technologies. GAO Contact: For additional information about this high-risk area, contact Marie A. Mak at (202) 512-4841 or makm@gao.gov. Related GAO Products: Critical Technologies: Agency Initiatives Address Some Weaknesses, but Additional Interagency Collaboration Is Needed. [hyperlink, http://www.gao.gov/products/GAO-15-288]. Washington, D.C.: February 10, 2015. Export Controls: NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies. [hyperlink, http://www.gao.gov/products/GAO-14-315]. Washington, D.C.: April 15, 2014. Countering Overseas Threats: DOD and State Need to Address Gaps in Monitoring of Security Equipment Transferred to Lebanon. [hyperlink, http://www.gao.gov/products/GAO-14-161]. Washington, D.C.: February 26, 2014. Protecting Defense Technologies: DOD Assessment Needed to Determine Requirement for Critical Technologies List. [hyperlink, http://www.gao.gov/products/GAO-13-157]. Washington, D.C.: January 23, 2013. Security Assistance: DOD's Ongoing Reforms Address Some Challenges, but Additional Information Is Needed to Further Enhance Program Management. [hyperlink, http://www.gao.gov/products/GAO-13-84]. Washington, D.C.: November 16, 2012. Export Controls: Compliance and Enforcement Activities and Congressional Notification Requirements under Country-Based License Exemptions. [hyperlink, http://www.gao.gov/products/GAO-13-119R]. Washington, D.C.: November 16, 2012. Nonproliferation: Agencies Could Improve Information Sharing and End- Use Monitoring on Unmanned Aerial Vehicle Exports. [hyperlink, http://www.gao.gov/products/GAO-12-536]. Washington, D.C.: July 30, 2012. Export Controls: U.S. Agencies Need to Assess Control List Reform's Impact on Compliance Activities. [hyperlink, http://www.gao.gov/products/GAO-12-613]. Washington, D.C.: April 23, 2012. Export Controls: Proposed Reforms Create Opportunities to Address Enforcement Challenges. [hyperlink, http://www.gao.gov/products/GAO-12-246]. Washington, D.C.: March 27, 2012. Export Controls: Agency Actions and Proposed Reform Initiatives May Address Previously Identified Weaknesses, but Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-11-135R]. Washington, D.C.: November 16, 2010. [End of section] Improving Federal Oversight of Food Safety: Why Area Is High Risk: For more than a decade, we have reported on the fragmented federal food safety system, which has caused inconsistent oversight, ineffective coordination, and inefficient use of resources. We added federal food safety oversight to the High Risk List in 2007 because of risks to the economy, to public health, and to safety. Data from the Centers for Disease Control and Prevention (CDC) indicate that each year--as a result of foodborne illness--48 million people (or roughly 1 in 6 Americans) get sick, 128,000 are hospitalized, and 3,000 die. Two independent studies published in 2012 estimated the cost of foodborne illness in the United States. According to a September 2013 bulletin from the U.S. Department of Agriculture (USDA) Economic Research Service, the study that used the more conservative approach estimated the cost to be over $14 billion per year. Three major trends also create food safety challenges. First, a substantial and increasing portion of the U.S. food supply is imported. Second, consumers are eating more raw and minimally processed foods. Third, segments of the population that are particularly susceptible to foodborne illnesses, such as older adults and immune-compromised individuals, are growing. The safety and quality of the U.S. food supply is governed by a highly complex system stemming from at least 30 laws related to food safety that are collectively administered by 15 federal agencies. The agencies with primary food safety oversight responsibility are the USDA Food Safety and Inspection Service (FSIS) and the Department of Health and Human Services (HHS) Food and Drug Administration (FDA). FSIS is responsible for the safety of meat, poultry, and processed egg products.[Footnote 219] FDA is responsible for virtually all other food. Because we believe that federal agencies can address fragmentation in food safety oversight by improving planning and collaboration, we have changed the title of this high-risk area from "Revamping Federal Oversight of Food Safety" to "Improving Federal Oversight of Food Safety." What GAO Found: Figure: Improving Federal Oversight of Food Safety: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] With the enactment of the GPRA Modernization Act of 2010 (GPRAMA) in January 2011,[Footnote 220] Congress and the executive branch demonstrated commitment and top leadership support for improving collaboration across the federal government. HHS and USDA have demonstrated progress in addressing fragmentation in federal oversight of food safety by taking steps to implement GPRAMA's crosscutting requirements for their food safety efforts, but the agencies vary in the amount of detail they provide on those efforts and do not include several other relevant efforts. Federal food safety agencies have the capacity to more fully address crosscutting food safety efforts in their individual strategic and performance planning documents; however, they require Office of Management and Budget (OMB) action to use those documents as building blocks to develop a government-wide performance plan on food safety to guide corrective actions and monitor progress. The President demonstrated strong commitment and top leadership support by establishing the Food Safety Working Group (FSWG) to coordinate federal efforts, but the group has not met for at least 3 years.[Footnote 221] Federal food safety agencies have the capacity to participate in a broad-based, centralized collaborative mechanism on food safety--like the FSWG--but congressional action would be required to formalize such a mechanism through statute to ensure sustained leadership across food safety agencies over time. The criterion of demonstrating commitment to, and top leadership support for, addressing fragmentation in federal oversight of food safety has been partially met. With the enactment of GPRAMA in January 2011, Congress and the executive branch demonstrated strong commitment and top leadership support for improving collaboration across the federal government. When we added federal food safety oversight to the High Risk List, we suggested that Congress and the executive branch work together to develop a government-wide performance plan for food safety. In March 2011, we recommended that OMB, in consultation with the federal agencies having food safety responsibilities, develop such a plan. However, OMB has not acted on that recommendation. GPRAMA further highlights the need for crosscutting strategic and performance planning for issues that involve multiple federal agencies and could provide the initial steps toward a government-wide performance plan for food safety. GPRAMA added new requirements for addressing crosscutting efforts in federal strategic and performance planning. For example, GPRAMA requires agencies to describe in their strategic and performance planning documents how they are working with other agencies to achieve their goals. HHS and USDA have taken steps to implement GPRAMA's crosscutting requirements for their food safety efforts. However, the agencies do not fully address crosscutting food safety efforts in their strategic and performance planning documents. HHS and USDA vary in the amount of detail they provide on their crosscutting food safety efforts. In addition, they do not include several relevant crosscutting efforts, such as the National Antimicrobial Resistance Monitoring System, which tracks whether foodborne and other bacteria are resistant to the antibiotics used to treat and prevent the spread of illness. In December 2014, we recommended that HHS and USDA continue to build upon their efforts to implement GPRAMA requirements to address crosscutting food safety efforts in their strategic and performance planning documents. Fully addressing crosscutting food safety efforts in individual strategic and performance planning documents is an important first step toward providing a comprehensive picture of the federal government's performance in overseeing food safety. However, the agency-by-agency focus of individual planning documents alone does not provide the integrated perspective on federal food safety performance necessary to guide congressional and executive branch decision-making and to inform the public about what federal agencies are doing to ensure food safety. Those individual documents could, however, provide building blocks toward the next, more challenging task of developing a single, government-wide performance plan for food safety. The President demonstrated strong commitment and top leadership in March 2009, when the President established the Food Safety Working Group (FSWG) to coordinate federal efforts and develop goals to make food safer. In March 2011, we indicated that creation of the FSWG was a positive step. However, the group is no longer meeting. According to senior FDA and FSIS officials and OMB staff, the FSWG is no longer needed, given the existence of other collaborative mechanisms. FDA and FSIS are involved in numerous mechanisms to facilitate interagency coordination on food safety; however, existing mechanisms focus on specific issues and none provides for broad-based, centralized collaboration. For example, FDA and FSIS are collaborating with CDC through the Interagency Food Safety Analytics Collaboration to improve estimates of the most common sources of foodborne illnesses. However, this and other mechanisms do not allow FDA, FSIS, and other agencies to look across their individual programs and determine how they all contribute to federal food safety goals. In addition, the FDA Food Safety Modernization Act (FSMA)[Footnote 222]--enacted in 2011 to amend existing food safety laws--includes numerous provisions requiring interagency collaboration, but these too focus on specific topics and do not provide for centralized, broad-based collaboration across food safety regulations and programs. In December 2014, we reported that 10 of 12 experts in food safety that we interviewed agreed that a centralized collaborative mechanism on food safety is important to foster effective interagency collaboration and could enhance food safety oversight. Federal food safety agencies have partially met the criterion for capacity to address the fragmentation in food safety oversight. USDA and HHS have the capacity to more fully address crosscutting food safety efforts in their individual strategic and performance planning documents; however, they require OMB action to use those documents as building blocks to develop a government-wide performance plan on food safety. OMB has not taken action in almost 4 years to develop such a plan. We continue to believe that a government-wide performance plan for food safety is necessary. In December 2014, we suggested that Congress consider directing OMB to develop a government-wide performance plan for food safety. Federal food safety agencies also have the capacity to participate in a centralized collaborative mechanism on food safety--like the FSWG--but congressional action would be required to formalize such a mechanism through statute. In December 2014, we reported that experts we interviewed suggested that a centralized collaborative mechanism on food safety could provide sustained leadership across agencies over time if it were formalized in statute. The FSWG served as a centralized mechanism for broad-based collaboration on food safety and resulted in a number of accomplishments, including improved coordination. However, the group has not met for an estimated 3 years. The President's Council on Food Safety, a previous centralized mechanism for broad-based collaboration, was also not sustained. Our prior reports have identified other cases where leadership of an interagency collaborative mechanism changed, and the mechanism ceased or became less useful. Without formalization, centralized collaborative mechanisms on food safety may continue to be short-lived. In December 2014, we suggested that Congress consider formalizing the FSWG through statute to help ensure sustained leadership across food safety agencies over time. The criteria of having a corrective action plan and a program to monitor corrective measures have not been met. Without a government- wide performance plan for food safety, Congress, program managers, and other decision-makers are hampered in their ability to identify agencies and programs addressing similar missions and to set priorities, allocate resources, and restructure federal efforts, as needed, to achieve long-term goals. In addition, without such a plan, federal food safety efforts are not clear and transparent to the public. Currently, to understand what its government is doing to ensure the safety of the food supply, Congress, program managers, other decision-makers, and the public must access and attempt to make sense of and reconcile individual documents across the 15 federal food safety federal agencies. Moreover, without a centralized collaborative mechanism on food safety--like the FSWG--there is no forum for agencies to reach agreement on a set of broad-based food safety goals and objectives that could be articulated in a government-wide performance plan on food safety. The criterion of demonstrating progress in implementing corrective measures to address fragmentation in federal oversight of food safety has been partially met. As noted, HHS and USDA have taken steps to implement GPRAMA's crosscutting requirements for their food safety efforts but could more fully address crosscutting food safety efforts in their individual strategic and performance planning documents and thereby provide building blocks toward OMB's development of a government-wide performance plan on food safety. Establishing the FSWG was another positive step, but the group is no longer meeting and nothing like it has taken its place to provide for broad-based, centralized collaboration across food safety regulations and programs. What Remains to Be Done: To address capacity constraints for addressing fragmentation in federal oversight of food safety and to guide corrective actions and monitor progress, Congress should consider directing OMB to develop a government-wide performance plan for food safety and formalizing the FSWG through statute. To provide building blocks toward OMB's development of a government-wide performance plan for food safety, HHS and USDA should implement our recommendation--also discussed above-- related to GPRAMA crosscutting requirements. These actions should provide federal food safety agencies with vehicles to demonstrate strong commitment to, top leadership support for, and progress in implementing corrective measures to address fragmentation in federal oversight of food safety. If, over the next several years, weaknesses in the food safety system persist, Congress may wish to assess the need for comprehensive, uniform, risk-based food safety legislation or to amend FDA's and USDA's existing authorities--recognizing that tight budgets may constrain far-reaching actions for the foreseeable future. Congress should then also consider commissioning a detailed analysis of alternative organizational structures for food safety. GAO Contact: For additional information about this high-risk area, contact Steve D. Morris at (202) 512-3841 or morriss@gao.gov. Related GAO Products: Federal Food Safety Oversight: Additional Actions Needed to Improve Planning and Collaboration. [hyperlink, http://www.gao.gov/products/GAO-15-180]. Washington, D.C.: December 18, 2014. Food Safety: FDA and USDA Should Strengthen Pesticide Residue Monitoring Programs and Further Disclose Monitoring Limitations. [hyperlink, http://www.gao.gov/products/GAO-15-38]. Washington, D.C.: October 7, 2014. [End of section] Protecting Public Health through Enhanced Oversight of Medical Products: Why Area Is High Risk: Millions of medical products are used daily by Americans at home, in the hospital, and in other health care settings. The Food and Drug Administration (FDA) has the vital mission of protecting the public health by overseeing the safety and effectiveness of these products-- drugs, biologics, and medical devices--marketed in the United States. The agency's responsibilities begin long before a product is brought to market and continue after a product's approval, regardless of whether it is manufactured here or abroad. The importance of FDA's role in ensuring our citizens' well-being cannot be overstated. In recent years, FDA has been confronted with multiple challenges. Rapid changes in science and technology, globalization, unpredictable public health crises, an increasing workload, and the continuing need to monitor the safety of thousands of marketed medical products have strained the agency's resources. The oversight of medical products was added to our High Risk List in 2009 because FDA was facing a variety of difficulties that threatened to compromise its ability to protect the public health. While progress has been made, we have found that challenges remain. What GAO Found: Figure: Protecting Public Health through Enhanced Oversight of Medical Products: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] FDA has demonstrated leadership commitment toward the enhanced safety and efficacy of drugs and medical devices, most notably through organizational changes and special initiatives. For example, it has established a new office to emphasize its commitment to confronting the challenges of globalization and relocated its Drug Shortage staff to a more prominent position in the agency. FDA's initiatives focused on improved oversight of medical devices have strengthened its management of device recalls and led to progress in its reclassification of device types based on risk. However, globalization and shortages of medically necessary drugs remain pressing concerns. It is unclear whether FDA has the financial resources and staff to effectively address globalization. In addition, FDA's monitoring of drug shortages requires its continued attention. FDA has made substantial progress in addressing the concerns we raised regarding its oversight of medical device recalls and the implementation of the Safe Medical Devices Act of 1990. In recognition of the agency's significant strides in these two areas, we have narrowed the scope of our high-risk designation. FDA has met all five criteria--demonstrating strong leadership commitment, ensuring sufficient capacity, developing both specific action plans and effective monitoring tools, and demonstrating progress--for having the high-risk designation removed for these two areas. The agency has greatly improved its oversight of medical device recalls by fully implementing all of the recommendations made in our 2011 report on this topic. It has also made considerable progress in fulfilling the requirements of the Safe Medical Devices Act of 1990, as we recommended in 2009. Medical Device Recalls: Figure: Protecting Public Health through Enhanced Oversight of Medical Products: [Refer to PDF for image: star illustration] Medical Device Recalls: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Medical device recalls provide an important remedial action that can mitigate the risk of serious health consequences associated with a defective or unsafe medical device. In 2011, we reported on gaps in FDA's oversight of these recalls and made recommendations to the agency to enhance its oversight of medical device recalls. The Food and Drug Administration Safety and Innovation Act (FDASIA) required the agency to implement these recommendations. FDA demonstrated its leadership commitment to enhanced oversight and initiated a recall improvement project. The agency developed--and has now implemented--a detailed action plan to improve the recall process. FDA proved it had the capacity to initiate change and has fully implemented all of our recommendations. For example, as we recommended, FDA took steps to ensure the consistent application of its recall procedures by its investigatory staff and developed explicit criteria and set thresholds for determining whether recalling firms have performed effective corrections or removals of defective products. FDA also established a standardized recall termination review process that utilizes a template to document that recalls were effectively completed based on its new explicit criteria. The template also ensures that the criteria are routinely applied. FDA has demonstrated clear progress in implementing this process--it reported that it has documented the termination of every Class I, or highest- risk, recall using this template since January 1, 2013. In addition, as we also recommended, FDA began a recall monitoring program and, in March 2014, issued a report analyzing medical device recall data that includes detailed information on recalls from fiscal year 2003 through fiscal year 2012. This report provides a systematic analysis of recall information. The report states that FDA will continue to use recall information to better inform decision making across the total product life cycle, provide guidance to industry, and target needed interventions. In addition, FDA's report notes that review and analyses of these data will help to guide both it and industry in strategically focusing on efforts that will improve the quality of medical devices and thereby improve patient outcomes-- another indicator of the agency's commitment to enhancing its oversight of medical device safety. Safe Medical Devices Act of 1990: Figure: Protecting Public Health through Enhanced Oversight of Medical Products: [Refer to PDF for image: star illustration] Implementing Safe Medical Devices Act of 1990: Leadership Commitment: Met; Capacity: Met; Action Plan: Met; Monitoring: Met; Demonstrated Progress: Met. Five Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] The act requires FDA to determine the appropriate process for reviewing certain high-risk devices--either reclassifying certain high- risk medical device types to a lower-risk class or establishing a schedule for such devices to be reviewed through its most stringent premarket approval process. Although FDA determined that more than 100 device types were subject to this provision, we found that the agency had never established a timetable for its reclassification or re- review process. We reported that FDA's progress was slow and, as a result, a significant number of high-risk devices--including device types that FDA has identified as implantable; life sustaining; or posing a significant risk to the health, safety, or welfare of a patient--still entered the market through FDA's less stringent premarket review process. In 2009, we recommended that FDA expedite its implementation of the act. FDA has since demonstrated commitment, capacity, and progress in implementing our recommendation. For example, FDA proved it was committed to progress in late 2009 when it established a new initiative for the 26 device types that still needed to be evaluated for reclassification as a lower-risk device or be reviewed through the most stringent premarket approval process. Additionally, in both 2011 and 2012, FDA's Center for Devices and Radiological Health made the determination to either reclassify these devices or review them through the most stringent review process a strategic priority. FDA also began monitoring its progress and posting the status of its reviews on its website. Later, in July 2012, the enactment of FDASIA provided FDA authority to reclassify a device by administrative order rather than through notice and comment rulemaking, which FDA said would ultimately streamline the reclassification process. In August 2014, FDA reiterated its commitment to expeditious action. By that time, the agency had made considerable progress, having made reclassification determinations for 12 of the 26 device types. Although FDA still has more work to do, it has taken steps to begin work on all of the 14 remaining device types. It has also developed an action plan with a goal of fully implementing the provisions of the Safe Medical Devices Act by the second quarter of calendar year 2015. FDA is also making progress in two areas where we have identified shortcomings in the agency's oversight of two threats to public health- -globalization and drug availability. We recognize that FDA cannot resolve the persistent problems associated with these challenges alone. Thus far, FDA has met two of the criteria for having the high- risk designation removed for these two areas--demonstrating leadership commitment and developing action plans. However, FDA needs to meet the remaining three criteria. Specifically, the agency has not shown it has sufficient capacity to address these challenges and its monitoring still warrants greater attention. FDA also needs to demonstrate sustained progress in both areas. Response to Globalization: Figure: Protecting Public Health through Enhanced Oversight of Medical Products: [Refer to PDF for image: star illustration] Response to Globalization: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] As the world has become more interconnected, new threats to the safety and effectiveness of our medical products have grown. The U.S. has become increasingly dependent on global markets to supply the drugs and devices used daily. According to FDA, nearly 40 percent of finished drugs and about 50 percent of all medical devices are made overseas, with products coming from more than 150 countries, including those with less sophisticated regulatory systems. FDA also reports that approximately 80 percent of the manufacturers of active pharmaceutical ingredients used in the United States are located elsewhere. Import lines from emerging markets, including Mexico, India, China, and Thailand, have increased faster between 2002 and 2009 than lines from developed markets. China has the fourth-highest volume of exports to the U.S. of medical equipment and the largest number of foreign, FDA-registered, drug manufacturing establishments, followed by India. The rapid pace and magnitude of globalization has complicated FDA's efforts to ensure that the medical products we need are of high quality. FDA has engaged in a variety of activities in response, but the challenges are many, the stakes are high, and progress, while steady, is far from rapid. We have had long-standing concerns with FDA's foreign drug inspection program. In 2008, we reported that FDA inspected relatively few foreign establishments each year. We also pointed out that FDA has not utilized its risk-based process to select foreign establishments for inspection to the extent it had for selecting domestic establishments. Since then, FDA had increased the number of foreign establishments it inspects each year. In addition, FDASIA directed FDA to take a risk-based approach to inspecting both foreign and domestic drug manufacturing establishments, consistent with our 2008 recommendation. However, foreign inspections are costly and FDA cites resources as a concern. FDA has stated that it may not have the capacity to implement our recommendation, which would limit its ability to monitor medical products from overseas. It estimates that it may not be able to fully implement this provision until fiscal year 2017. The agency is also continuing to fine-tune its risk-based model for selecting establishments to inspect, but the time frame for completing this task is unclear. In 2011, FDA formed a new office--the Office of Global Regulatory Operations and Policy--comprised of its Office of Regulatory Affairs and its Office of International Programs. This reorganization emphasizes the agency's leadership commitment to confronting the challenges of globalization and to help prepare the agency to move from being a regulator of domestic products to one overseeing a worldwide market. The agency's leadership commitment was further made evident with the release of a report in 2012 on its strategies for responding to globalization. Also, in September 2014, FDA published its strategic priorities for fiscal years 2014 through 2018, which features its desire to expand its regulatory presence and partnerships overseas to build a stronger, more secure global product safety net. FDA's foreign offices, overseen by the Office of International Programs, continue to play a part in the agency's response to globalization. Through its overseas offices, FDA is working to increase its knowledge base about the standards used by foreign regulators in countries that produce medical products destined for the U.S. market. It is also providing assistance to help certain countries improve their regulatory capacities. The agency increased its presence overseas by opening new offices and now has established a permanent presence overseas in 12 foreign posts, including China, Europe, India, Latin America, the Middle East and South Africa. Among other things, these offices help FDA build partnerships with its foreign regulatory counterparts and industry by providing enhanced opportunities for cooperation and capacity building. They also perform intelligence gathering, foster information sharing with FDA headquarters, and provide a platform for inspection of foreign establishments. However, while FDA's Office of International Programs has advanced its strategic planning process, it has yet to develop a set of performance goals and measures that can be used to monitor the long-term contributions of the overseas offices and demonstrate progress in improving the regulation and oversight of imported medical products, as we recommended in 2010. In addition, the agency continues to face capacity constraints, as it struggles to find officials to staff its overseas offices. Further, our 2010 recommendation that it develop a strategic workforce plan to ensure the agency is able to recruit and retain staff with necessary experience remains to be addressed. Finally, collaboration with FDA's foreign counterparts is a key component of its response to globalization. FDA is working to harmonize standards, leverage resources, and conduct joint inspections of foreign manufacturing establishments. FDASIA increased FDA's ability to partner with foreign regulatory authorities to leverage resources through increased information sharing and recognition of foreign inspections. FDA is exploring using this new ability to build and strengthen its regulatory capacity. The agency reports it now has more than 60 agreements with foreign counterparts to share certain information in inspection reports and other nonpublic information that can help it make better decisions about the safety of foreign products. In addition, according to FDA, it has worked with Canada, India, and the European Union to inspect facilities in countries that supply active pharmaceutical ingredients and finished drugs. This could help improve the agency's monitoring and enhance its capacity to oversee medical product safety around the world. Drug Availability: Figure: Protecting Public Health through Enhanced Oversight of Medical Products: [Refer to PDF for image: star illustration] Drug Availability: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Over the last decade, an increasing number of prescription drugs-- including life-saving and life-sustaining drugs--has been in short supply, preventing health care providers and patients from accessing medications that are essential for treatment. In 2011 we reported on drug shortages and recommended that FDA take several steps to enhance its ability to respond to such shortages. For example, we recommended that, to improve its capacity, FDA assess the allocation of its resources to improve the agency's ability to respond to drug shortages. FDA has implemented this recommendation and increased the number of personnel devoted to shortages. FDA also elevated the office of its drug shortage staff to a more prominent position in the agency, demonstrating its commitment to this issue. It also has assigned drug shortage coordinators in each of its 20 district offices. These coordinators have helped increase capacity by bringing drug shortage- related concerns to light earlier, such as inspections citing violations of good manufacturing practices at establishments producing a large volume of drugs. FDA has also expanded its ability to respond with additional experts from throughout the agency. In addition to the drug shortage staff, FDA estimates that an average of 25 additional staff members work on any given shortage, including staff from the clinical review divisions, chemistry groups, compliance staff, and others as required based on the expertise needed to address the shortage. We issued a second report in 2014 and found that, while shortages have persisted, FDA had prevented more potential shortages in the prior 2 years by improving its responsiveness by, for example, working with manufacturers to increase production. In addition, FDASIA further strengthened the agency's ability to respond to shortages. We suggested in 2011 that Congress consider establishing a requirement for manufacturers to report to FDA any changes that could affect the supply of their drugs. FDASIA contains a provision requiring manufacturers of drugs that are life supporting, life sustaining, or used to prevent or treat debilitating diseases or conditions to notify FDA at least 6 months in advance if they either plan to discontinue manufacturing the drug or anticipate an interruption in manufacturing that is likely to lead to a meaningful disruption in the drug's supply. FDA reported that there was a sizable increase in notifications from manufacturers following the law's enactment in 2012. FDA also noted that this provision has allowed the agency to take action sooner and has helped the agency become more proactive and successful in its efforts. We found that FDA was able to prevent more shortages as a result. Additionally, in accordance with another provision in FDASIA, FDA has developed a Drug Shortages Task Force representing multiple disciplines, centers, and offices with the agency, which has enhanced the agency's capacity in multiple ways. For example, the task force has helped the agency revise internal policies and procedures and facilitate coordination across the agency on issues related to drug shortages. In 2011, we reported that, despite the recent increase in drug shortages, FDA had not substantially changed the priority it places on its response to drug shortages. We recommended that FDA's strategic plan articulate goals and priorities for maintaining the availability of all medically necessary drugs. FDASIA also required FDA to issue a strategic plan to enhance the agency's ability to prevent and mitigate shortages. FDA issued this strategic plan in October 2013. This action plan focuses on two goals. First, it emphasizes strengthening FDA's ability to respond to notices of a disruption in supply, including improving mitigation tools. Second, it stresses developing long-term prevention strategies to address the underlying causes of supply disruptions and prevent drug shortages. The plan outlines the actions FDA is taking--or plans to take--to strengthen and expand its efforts and identifies potential actions for other stakeholders to consider. FDA reported that the actions outlined in its Strategic Plan will improve the agency's ability to address drug shortages. In addition, in September 2014, FDA published its strategic priorities for fiscal years 2014 through 2018, which emphasizes the agency's continued commitment to preventing and responding to drug shortages. Yet, drug shortages continue to remain a serious public health concern and we recognize that FDA cannot resolve this concern alone. FDA has demonstrated progress in addressing and preventing shortages, including through its use of new authorities granted by FDASIA. However, it can do more, including implementing recommendations we made in 2011. We continue to believe that FDA needs results oriented outcome performance measures to assess and quantify its goals and response to drug shortages. In addition, we remain concerned with shortcomings in FDA's management of its drug shortage data. In our 2014 report, we noted that FDA has not created policies or procedures governing the management of the data and does not perform routine quality checks. Such shortcomings could ultimately hinder FDA's efforts to understand the causes of specific shortages as well as undermine its efforts to prevent them from occurring. In addition, FDA has not conducted routine analyses of the data to proactively identify and evaluate the risks of drug shortages. We believe that, to enhance its monitoring, FDA needs to do more to ensure the reliability of the information it gathers and periodically assess these data to proactively identify drug shortage risks and take preventive measures as quickly as possible. We will continue to assess FDA's progress in this area in our ongoing work examining drug shortages. Congressional Action: In addition to FDA's efforts, action taken by Congress since our last High-Risk Series report was issued should help the agency better protect public health. Specifically, the Drug Quality and Security Act (DQSA), enacted in November 2013, contains provisions to address drug safety concerns that we reported on in 2013--the safety and security of the pharmaceutical supply chain and the regulation of compounded drugs. The pharmaceutical supply chain has grown increasingly complex. Networks of handlers, suppliers, and middlemen have made it difficult to trace an ingredient back to its source. At every step in global supply chain networks--from raw materials and other ingredients, to manufacture, storage, sale, and distribution--there are opportunities for a product to be improperly formulated or packaged, contaminated, diverted, counterfeited, or adulterated. The breakdown of the supply chain has led to public health crises involving contaminated heparin, a common blood-thinner, in 2008 and the distribution of counterfeit Avastin, a cancer treatment, in 2012 and 2013. In July 2013 we reported on the hazard of one component of the supply chain--Internet pharmacies, many of which are fraudulent enterprises. Although the exact number of these "rogue" Internet pharmacies is unknown, most operate from abroad. They may sell drugs that are expired; improperly labeled, stored, or shipped; or are counterfeits--unauthorized versions--of other drugs. These drugs may be manufactured under conditions that do not meet FDA standards, including unsanitary and unsterile conditions and have been found to contain dangerous contaminants, such as rat poison. The threat they pose becomes all the more worrisome in light of an FDA survey which found that nearly 1 in 4 adult U.S. Internet consumers have purchased prescription drugs online. To improve the safety of drugs, Congress enacted DQSA, which contains a variety of provisions designed to make it more difficult for unscrupulous members of the pharmaceutical supply chain to operate. The new law requires the Secretary of Health and Human Services to facilitate the establishment over the next ten years of an electronic, interoperable system to trace prescription drug products through the pharmaceutical supply chain. In the shorter term, the law requires members of the supply chain--drug manufacturers, wholesalers, repackagers, and dispensers--to comply with new requirements to facilitate the tracking and tracing of drugs through the supply chain. Specifically, manufacturers and repackagers must place standardized product identifiers on certain prescription drug products. Manufacturers, wholesale distributors, repackagers, and dispensers, are also required to implement a system to help ensure products are not counterfeit or otherwise unfit for distribution. The law also prohibits them from purchasing from or selling drugs to entities that do not meet certain requirements. FDA is taking steps to implement the provisions of this law. DQSA also includes provisions aimed at ensuring the safety of compounded drugs. Traditionally, a drug is compounded through the process of mixing, combining, or altering ingredients to create a customized drug tailored to the medical needs of an individual patient upon receipt of a prescription. For example, a pharmacist may tailor a drug for a patient who is allergic to an ingredient in a manufactured drug. Compounding is an integral part of the pharmacy profession and is practiced in a variety of settings, including hospital, community, and chain drug store pharmacies. However, compounded drugs--especially compounded sterile drugs--pose special risks of contamination if made improperly. An outbreak of fungal meningitis in 2012 linked to contaminated compounded drugs resulted in more than 60 deaths and hundreds of people becoming ill. Following this outbreak, concerns were raised that some pharmacies were producing large quantities of compounded drugs without prescriptions for individual patients, and without meeting safety and other requirements with which manufacturers must comply, and selling those drugs to facilities in multiple states. This outbreak also raised concerns about state and federal oversight of drug compounding. While FDA is responsible for overseeing drug manufacturers, compounding performed in pharmacies is traditionally regulated by state pharmacy regulatory bodies. In July 2013, we reported that FDA's authority to oversee drug compounding was unclear as a result of conflicting federal court decisions regarding the applicability of the drug compounding provisions in the Food, Drug, and Cosmetic Act (FDCA). FDCA exempts compounded drugs meeting certain criteria from drug approval, certain labeling, and good manufacturing practice requirements. We recommended that Congress consider clarifying FDA's authority to regulate entities that compound drugs. DQSA clarifies that the FDCA's drug compounding provisions apply to drug compounding throughout the country. The law also established a new category of entities, known as "outsourcing facilities." Outsourcing facilities that register with FDA and provide information to the agency about the products they compound are exempt from FDA drug approval and certain labeling requirements. However, they are required to comply with current good manufacturing practices, report semiannually on the drugs they are compounding, submit adverse event reports to the agency as appropriate, and clearly label the compounded drugs they manufacture as such. FDA has taken steps to implement these provisions. For example, FDA has issued draft guidance on registration and information reporting for entities that intend to register as outsourcing facilities. Since the 2012 outbreak, FDA has also increased inspections of compounding pharmacies in response to reports of serious adverse events and quality problems. In addition, it has inspected other pharmacies with deficient sterile compounding practices that the agency has proactively identified. While DQSA should improve oversight of drug compounding, we remain concerned about FDA's oversight in this area. We reported in 2013 that FDA lacks timely and reliable information to oversee the entities that compound drugs. Specifically, FDA's inspection database cannot identify all of the agency's inspections of compounding pharmacies or the final classification of inspection results for all of the inspections. In addition, we found that there were high-risk compounding pharmacies that may have registered with FDA to market themselves as "FDA registered." This may lead some purchasers to assume that FDA has inspected or approved their compounded drugs which, according to FDA officials, is generally not the case. We will continue to monitor FDA's efforts to improve its data collection and regulation of compounding. What Remains to Be Done: FDA has made considerable progress in the last 2 years, particularly in ensuring the safety and effectiveness of medical devices. FDA has developed meaningful action plans and has already shown--and must sustain--strong leadership in addressing management challenges. While these action plans and strong leadership are two of the five criteria an agency must meet for the high-risk designation to be removed, the oversight of medical products remains on our High Risk List because more needs to be done before the remaining three criteria can be met in the areas of globalization and drug availability. FDA needs to demonstrate that it has the capacity to address the challenges we have identified, along with effective monitoring strategies. In addition, FDA must demonstrate clear and sustained progress in implementing these measures. Finally, FDA should implement our prior recommendations to resolve new and previously identified concerns. Specifically, FDA needs to: * conduct more inspections of foreign establishments manufacturing medical products for the U.S. market and utilize its authority to take a risk-based approach in selecting foreign drug establishments to ensure that they are inspected at a frequency comparable to domestic establishments with similar characteristics; * establish a set of performance goals and measures that can be used to demonstrate contributions of its overseas offices to long-term outcomes related to the regulation of imported products and develop a strategic workforce plan to ensure the agency is able to recruit and retain staff with necessary experience; * strengthen its ability to prevent, mitigate, and resolve drug shortages by systematically tracking data on shortages; ensure the accuracy of the data it collects; conduct periodic analyses of the data to proactively identify trends, clarify causes, and resolve problems before drugs go into short supply; and develop relevant results-oriented performance metrics to gauge the agency's response to shortages; and: * take steps to consistently collect reliable and timely information on inspections and enforcement actions associated with compounded drugs, and collect information that clearly differentiates manufacturers of FDA-approved drugs that are inspected for compliance with good manufacturing practices from those entities that are compounding drugs that are neither FDA approved nor routinely inspected. GAO Contact: For additional information about this high-risk area, contact Marcia Crosse at (202) 512-7114 or crossem@gao.gov. Related GAO Products: Internet Pharmacies: Most Rogue Sites Operate from Abroad, and Many Sell Counterfeit Drugs. [hyperlink, http://www.gao.gov/products/GAO-14-386T]. Washington, D.C.: February 27, 2014. Drug Shortages: Public Health Threat Continues, Despite Efforts to Help Ensure Product Availability. [hyperlink, http://www.gao.gov/products/GAO-14-194]. Washington, D.C.: February 10, 2014. Drug Shortages: Threat to Public Health Persists, Despite Actions to Help Maintain Product Availability. [hyperlink, http://www.gao.gov/products/GAO-14-339T]. Washington, D.C.: February 10, 2014. Drug Compounding: Clear Authority and More Reliable Data Needed to Strengthen FDA Oversight. [hyperlink, http://www.gao.gov/products/GAO-13-702]. Washington, D.C.: July 31, 2013. Internet Pharmacies: Federal Agencies and States Face Challenges Combating Rogue Sites, Particularly Those Abroad. [hyperlink, http://www.gao.gov/products/GAO-13-560[. Washington, D.C.: July 8, 2013. [End of section] Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals: Why Area Is High Risk: The Environmental Protection Agency's (EPA) ability to effectively implement its mission of protecting public health and the environment is critically dependent on credible and timely assessments of the risks posed by chemicals. Such assessments are the cornerstone of scientifically sound environmental decisions, policies, and regulations under a variety of statutes, such as the Safe Drinking Water Act, the Toxic Substances Control Act (TSCA), and the Clean Air Act. EPA conducts assessments of chemicals under its Integrated Risk Information System (IRIS) Program. EPA is also authorized under TSCA to obtain information on the risks of chemicals and to control those the agency determines pose an unreasonable risk. Because EPA had not developed sufficient chemical assessment information under these programs to limit exposure to many chemicals that may pose substantial health risks, we added this issue to the High Risk List in 2009. What GAO Found: Figure: Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Not Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] EPA has met the criteria for leadership commitment as its Administrator and top leadership have publicly stated their focus on improving the IRIS program and implementing TSCA as it currently exists. However, because the agency has not assessed the current and future workload of people and resources for these programs, EPA may not have the adequate capacity to resolve this high-risk area. EPA needs to work with Congress to ensure that the resources dedicated to IRIS and TSCA activities are sufficient to maintain a viable IRIS database of chemical assessments and effectively implement TSCA. In addition, EPA has partially met the criteria for having a corrective action plan by starting work on an IRIS multiyear plan that will focus on needs for IRIS assessments during the next 5 years, and making progress since 2009 in implementing its new approach to managing toxic chemicals under its existing TSCA authority. However, EPA has not defined how corrective measures will be implemented and needs to continue to work with Congress to facilitate legislative changes that could provide the agency with sufficient authority to assess and control toxic chemicals. EPA has begun to submit IRIS assessments for independent review to an entity with scientific and technical credibility. But to help ensure that resources dedicated to TSCA are sufficient for effective implementation of the law, EPA needs to institute a program to monitor and independently validate the effectiveness and sustainability of its initiative to use existing TSCA authorities. EPA's Integrated Risk Information System: Figure: Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals: [Refer to PDF for image: star illustration] EPA's Integrated Risk Information System: Leadership Commitment: Met; Capacity: Not Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] EPA's IRIS database is intended to provide the basic information the agency needs to determine whether it should establish controls to, for example, protect the public from exposure to toxic chemicals in the air, in water, and at hazardous waste sites. In July 2013, the new EPA Administrator demonstrated leadership commitment to the IRIS program by identifying action on toxics and chemical safety as one of her top seven priorities for the agency. EPA's top leadership has also demonstrated support for improving the IRIS program by implementing some recommendations from us, the National Academies, and EPA's Science Advisory Board. Because EPA has not issued an analysis of the IRIS program's need for people and resources, it is unclear if the IRIS program has the capacity to address the issues it faces. In addition, EPA has only partially met the criteria for having an action plan to address the issues. Specifically, in May 2013, we reported that EPA had not conducted a recent evaluation of demand for IRIS toxicity assessments with input from users inside and outside EPA. EPA issued a needs assessment report in 2003, which estimated that 50 new or updated IRIS toxicity assessments were needed each year to meet users' needs. However, we did not find sufficient support for the estimate. In addition, IRIS program officials recognize that the 2003 estimate does not reflect current conditions. In response to our report, EPA started work on a multiyear IRIS plan in the summer of 2013. According to EPA, the purpose of the chemical multiyear plan is to help schedule IRIS assessments for specific chemicals over the next 5 years. Specifically, the plan will focus on EPA needs for IRIS assessments during the next 5 years and is based primarily on information solicited from EPA Program Offices and Regions. EPA is currently finalizing the multiyear plan. Until EPA finalizes the plan, the agency does not know how many people and resources to dedicate to the IRIS program. Also, until the plan is made public, there is no way for stakeholders to evaluate if the plan defines the root cause and solutions, and provides for substantially completing corrective measures. While EPA has not finalized the multiyear IRIS plan, it has begun to monitor the IRIS program. Specifically, the program has begun to implement our recommendation to submit assessments for independent review to an entity with scientific and technical credibility--EPA's Science Advisory Board. Moreover, EPA presented a plan for how the agency will implement the National Academies' suggestions for improving IRIS assessments in the "roadmap for revision" included in the National Academies' peer review report on the draft formaldehyde assessment. The National Academies' most recent report on the IRIS program, issued in May 2014, independently validates some of the corrective measures the IRIS program is implementing. EPA has not met the criteria for demonstrating progress in having implemented corrective measures and resolving the IRIS Program as a high-risk area. For example, EPA did not issue any IRIS assessments in fiscal year 2014. In addition, the issuance of the multiyear IRIS plan that EPA indicated will include some corrective measures for the program has repeatedly been delayed. EPA initially indicated the plan would be issued in August 2014 and, then the fall of 2014, and as of January 2015, the new expected release date is the end of the second quarter 2015. Toxic Substances Control Act: Figure: Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals: [Refer to PDF for image: star illustration] Toxic Substances Control Act: Leadership Commitment: Met; Capacity: Not Met; Action Plan: Partially Met; Monitoring: Not Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] We reported that EPA has found much of TSCA difficult to implement-- hampering the agency's ability to obtain certain chemical data or place limits on chemicals. For example, EPA has found it difficult to obtain adequate information on toxicity--that is, the degree to which the chemical is harmful or deadly--and exposure levels--the frequency and duration of contact with the chemical. Without this information, it is difficult for EPA to determine whether a chemical poses an unreasonable risk to human health or the environment and then take any action necessary to regulate such chemicals. TSCA generally places the burden on EPA to obtain data on the risks posed to human health and the environment by the chemicals industry produces. Even when EPA has toxicity and exposure information and determines that chemicals pose an unreasonable risk, the agency has had difficulty banning or placing limits on the production or use of chemicals due to a legal threshold that EPA has found difficult to meet. Consequently, EPA has used its authority to limit or ban the use of only five chemicals since TSCA was enacted in 1976. However, EPA has met the criteria for leadership commitment because of the Administrator's explicit support for taking action on toxics, including modernizing TSCA. In addition, the EPA Administrator and top leadership have expressed support for implementing TSCA as it currently exists to the maximum extent possible in the near term and have provided views on key concepts that should be reflected in revised TSCA legislation. Because EPA has not conducted a workload analysis, it is unclear if EPA's TSCA program has the capacity--people and resources--to resolve the risk to the program. We have reported that EPA has found many provisions of TSCA cumbersome and time consuming to implement. EPA's TSCA program continues to work on an action plan, but it is unclear if it includes the steps necessary to implement solutions we recommended. Specifically, we reported in March 2013 that since 2009, EPA has made progress implementing its new approach to managing toxic chemicals under its existing TSCA authority--particularly by increasing efforts to obtain chemical toxicity and exposure data and initiating chemical risk assessments. The results of EPA's data collection activities, in most cases, have yet to be realized, and it may take several years before EPA obtains much of the data it is seeking. Of the 83 chemicals EPA prioritized in 2012 for risk assessment, 4 have been completed as of January 2015. As we previously reported, it may take several years to complete the initial risk assessments and, at the agency's current pace, more than a decade to complete all 83. In addition to its risk assessment activity, EPA has initiated other actions--such as increasing review of certain new uses of chemicals--that may discourage the use of these chemicals. But, it is too early to tell whether these actions will reduce chemical risks. The TSCA program does not have mechanisms in place to monitor and independently validate the effectiveness and sustainability of the program. EPA has expressed support for providing technical assistance in support of a bipartisan effort to modernize the 1976 law. A number of bills have been introduced and hearings held, but Congress has not yet passed any legislative changes. In addition, in 2009, the administration outlined core principles to strengthen U.S. chemical management laws and Congress has considered legislative changes to TSCA. It is too soon to determine whether EPA's approach to managing chemicals within its existing TSCA authorities will position the agency to achieve its goal of ensuring the safety of chemicals; therefore, EPA has not met the criteria for demonstrated progress. EPA officials said that the agency's approach, summarized in its 2012 Existing Chemicals Program Strategy, is intended to guide EPA's efforts to assess and control chemicals in the coming years. However, EPA's strategy, which largely focuses on describing activities EPA has already begun, does not include leading federal strategic planning practices that could help guide its effort, and does not include corrective measures to resolve the high-risk area. What Remains to Be Done: Integrated Risk Information System. EPA faces both long-standing and new challenges in implementing the IRIS program. First, EPA has not fully addressed recurring issues concerning the clarity and transparency of its development and presentation of draft IRIS assessments. In addition, EPA has not addressed other long-standing issues regarding the availability and accuracy of current information to IRIS users. These issues include EPA program offices, the status of IRIS assessments, including when an assessment will be started, which assessments are ongoing, and when an assessment is projected to be completed. In addition, EPA does not have a strategy for identifying and filling data gaps that would enable it to conduct IRIS toxicity assessments for nominated chemicals that are not selected for assessment because sufficient data from health studies are not available. IRIS program officials stated that no agencywide mechanism exists for EPA to ensure that chemicals without sufficient scientific data during one nomination period will have such information by the next nomination period or even the one after that. These officials acknowledged that better coordination across EPA and with other federal agencies could help address the issue. EPA also does not have agencywide guidance for addressing unmet needs when IRIS toxicity assessments are not available, applicable, or current. In the absence of agencywide guidance, officials from select EPA offices stated that they used a variety of alternatives to IRIS toxicity assessments to meet their needs, including using toxicity information from other EPA offices or other federal agencies. Further, EPA needs to work with Congress to ensure that the resources dedicated to IRIS activities are sufficient to maintain a viable IRIS database of chemical assessments that are produced in a timely manner. Specifically, EPA needs to perform a workload analysis to determine the optimal number of staff needed, where they are needed, and what skills they must possess. It also must request funding and prioritize resources to enable EPA to maintain a viable IRIS database of chemical assessments that meets the needs of EPA's program offices and other stakeholders. EPA is still responding to the National Academies' suggestions by implementing changes to the way it develops draft IRIS assessments. As EPA demonstrates more progress toward its planned changes, we will continue to monitor its approach. EPA should continue to use the Science Advisory Board's Chemical Assessment Advisory Committee and, if needed, more regularly use the independent advisory board for EPA's Office of Research and Development--the Board of Scientific Counselors--to monitor and independently validate the effectiveness and sustainability of EPA's IRIS assessment process--including the changes made to the IRIS process in response to the National Academies' suggestions. Toxic Substances Control Act. For the past several years, congressional committees have considered legislation aimed at reforming TSCA, but Congress has not passed such legislation. In 2009, EPA announced principles for reforming TSCA to help inform efforts underway in Congress. EPA provided some further views concerning TSCA reform legislation in 2014 in testifying on a discussion draft of a House TSCA reform bill. Supporters of the draft bill testified that it would substantially improve EPA's ability to protect human health and the environment, and that it would make chemical regulation more efficient and effective. EPA testified that the bill would not have (1) provided for the timely review of chemicals of concern; (2) significantly altered the current TSCA safety standard; or (3) kept the safety determination free of cost considerations. EPA stated that cost should be taken into account in making risk management decisions, but not in making the initial safety determination. Along with the announcement in 2009 of its principles for reforming TSCA, EPA initiated a new approach to managing chemicals within the limits of existing authorities--which, according to agency documents, will transition the agency from an approach dominated by voluntary data submissions by industry to a more proactive approach. In this approach, EPA would use its data collection and other rulemaking authorities under TSCA to ensure chemical safety. In our 2013 report, we found that EPA had made progress in implementing its new approach, but it was unclear whether this approach would position the agency to achieve its goal of ensuring the safety of chemicals. EPA and Congress need to ensure that the resources dedicated to TSCA activities are sufficient to effectively implement TSCA. Specifically, EPA needs to assess its current and future TSCA workload; determine the optimal number of staff needed, where they are needed, and what skills they must possess; and request funding and prioritize resources to enable EPA to effectively implement TSCA. EPA needs to institute a program to monitor and independently validate the effectiveness and sustainability of EPA's initiative to use existing TSCA authorities. EPA must also demonstrate progress toward fully utilizing existing TSCA authorities, identifying needed legislative changes, and continuing to work with Congress to facilitate these legislative changes to TSCA. For example, as we previously reported, EPA has not provided information on its planned approach to pursuing data submitted to the European Chemicals Agency from U.S. companies, and whether it may include voluntary or regulatory means to pursue such data. EPA has not defined strategies that address challenges--many of which are rooted in TSCA's regulatory framework--that may impede EPA's ability to meet its long-term goal of ensuring chemical safety. Specifically, EPA has not clearly articulated how it will address challenges associated with obtaining toxicity and exposure data needed for risk assessments, and placing limits on or banning chemicals under existing TSCA authorities. In addition, EPA's strategy does not describe the resources needed to execute its approach. For example, EPA's strategy does not identify roles and responsibilities of key staff or offices, or identify staffing levels or costs associated with conducting the activities under its approach. As we previously reported, without a plan that incorporates leading strategic planning practices, EPA cannot be assured that its approach to managing chemicals, as described in its Existing Chemicals Program Strategy, will provide a framework to effectively guide its effort. Consequently, EPA could be investing valuable resources, time, and effort without being certain that its efforts will bring the agency closer to achieving its goal of ensuring the safety of chemicals. In addition, EPA needs to continue to work with Congress to facilitate legislative changes needed to provide the agency with sufficient authority to assess and control toxic chemicals. GAO Contact: For additional information about this high-risk area, contact Alfredo Gomez at (202) 512-3841 or gomezj@gao.gov. Related GAO Products: Chemical Assessments: Agencies Coordinate Activities, but Additional Action Could Enhance Efforts. [hyperlink, http://www.gao.gov/products/GAO-14-763]. Washington, D.C.: September 29, 2014. Chemical Regulation: Observations on the Toxic Substances Control Act and EPA Implementation. [hyperlink, http://www.gao.gov/products/GAO-13-696T]. Washington, D.C.: June 13, 2013. Chemical Assessments: An Agencywide Strategy May Help EPA Address Unmet Needs for Integrated Risk Information System Assessments. [hyperlink, http://www.gao.gov/products/GAO-13-369]. Washington, D.C.: May 10, 2013. Toxic Substances: EPA Has Increased Efforts to Assess and Control Chemicals but Could Strengthen Its Approach. [hyperlink, http://www.gao.gov/products/GAO-13-249]. Washington, D.C.: March 22, 2013. [End of section] DOD Contract Management: Why Area Is High Risk: The Department of Defense (DOD) obligates more than $300 billion annually on contracts for goods and services, including major weapon systems, support for military bases, information technology, consulting services, and commercial items. Contracts also include those in support of contingency operations, such as those in Afghanistan. Our work and that of others has identified challenges DOD faces within four segments of contract management: (1) the acquisition workforce, (2) contracting techniques and approaches, (3) service acquisitions, and (4) operational contract support. Ensuring DOD has the people, skills, capacities, tools, and data needed to make informed acquisition decisions is essential if DOD is to effectively and efficiently carry out its mission in an era of more constrained resources. We added this area to our High Risk List in 1992. What GAO Found: Figure: DOD Contract Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has demonstrated sustained leadership commitment to addressing its contract management challenges. This commitment has been reflected in several ways, including a continued emphasis on growing and training the acquisition workforce, the appointment of senior officials within the Office of the Secretary of Defense and the military departments to improve service acquisitions, and the issuance of policies and guidance. Overall, we assessed that DOD has partially met each of the other four criteria for removal from the High Risk List--having the people and resources to reduce risk, the development of an action plan to identify and address root causes, the use of measures and data to monitor progress, and demonstrated progress in implementing corrective actions. DOD has made varying progress addressing challenges in the four segments that comprise this high-risk area. For one segment-- contracting techniques and approaches--DOD has met all the criteria. In the three other segments, however, DOD has not met one or more of the criteria. For example, DOD lacks an action plan to guide its efforts in improving the acquisition workforce and service acquisitions, and the department has not resolved capacity shortfalls or the lack of performance measures to address operational contract support issues. Continued DOD leadership is essential to building on the progress DOD made in recent years and to effectively addressing ongoing challenges. Acquisition Workforce: Figure: DOD Contract Management: [Refer to PDF for image: star illustration] Acquisition Workforce: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] To properly manage the acquisition of goods and services, an agency needs a workforce with the right skills and capabilities. The commitment of DOD's leadership to addressing challenges with the acquisition workforce is underscored by the department's emphasis on growing and training the acquisition workforce through its Better Buying Power initiative. For example, DOD has made progress in building the capacity of the acquisition workforce by increasing its size from about 126,000 in 2008 to more than 150,000 in 2014. As noted in our 2013 high-risk update, DOD has also completed competency assessments that identified the current skills and capabilities of the acquisition workforce and helped identify areas needing further management attention. In that regard, in areas such as cost estimating and systems engineering, our work found that DOD may not have adequate resources to fully implement recent weapon system reform initiatives. Further, in July 2014, we found that DOD had taken steps to address or partially address 27 of 32 statutory reporting requirements, such as conducting assessments of critical skills and competencies, in its 2013-2018 strategic civilian workforce plan. However, DOD had not yet addressed the other 5 requirements, including the requirement to assess the appropriate mix of civilian, military, and contractor capabilities in its plan. Additionally, DOD has delayed the planned issuance of an updated strategic plan specific to the acquisition workforce. The department has not issued the biennial plan since April 2010 nor has it demonstrated that it has aligned its workforce needs with projected funding. Consequently, while DOD does collect data and monitor the size of its acquisition workforce, particularly the civilian acquisition workforce, it is unclear whether DOD has determined the appropriate size of the workforce and has sufficient funds budgeted to meet its workforce requirements. As a result, DOD cannot fully monitor its progress in meeting its goals for the acquisition workforce. As we previously reported, workplace planning provides agencies with the information they need to ensure that their annual budget requests include adequate funds to implement human capital strategies. Contracting Techniques and Approaches: Figure: DOD Contract Management: [Refer to PDF for image: star illustration] Contracting Techniques and Approaches: Leadership Commitment: Met; Capacity: Met; Action Plan: Met; Monitoring: Met; Demonstrated Progress: Met. Five Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has made substantial progress in addressing concerns we have previously raised in addressing the management and oversight of contracting techniques and approaches. Contracting techniques and approaches encompass the broad array of options available to DOD acquisition and contracting personnel to acquire goods and services. These options include choosing the most appropriate contract type and the effective use of competition. These and other techniques and approaches are critical to the successful acquisition of goods and services. In the past, we have found weaknesses in several of these areas. For example, we have identified weaknesses in DOD's use of undefinitized contract actions (which authorize contractors to begin work before reaching a final agreement on contract terms), time-and- materials contracts (which compensate contractors based on hours of effort rather than outcomes achieved), award fees, and competition. We made numerous recommendations to address the specific issues we identified. DOD leadership has generally taken actions to address our recommendations. Over the past several years, DOD's top leadership has taken significant steps to plan and monitor progress in the management and oversight of contracting techniques and approaches. Through its Better Buying Power initiatives, for example, DOD leadership identified a number of actions to promote effective competition and better utilize specific contracting techniques and approaches. In that regard, in 2010 DOD issued a policy containing new requirements for competed contracts that received only one offer--a situation the Office of Management and Budget has noted deprives agencies of the ability to consider alternative solutions in a reasoned and structured manner and which DOD has termed "ineffective competition." These changes were codified in DOD's acquisition regulations in 2012. In May 2014, we concluded that DOD's regulations help decrease some of the risks of one-offer awards, but also that DOD needed to take additional steps to continue to enhance competition, such as establishing guidance for when contracting officers should assess and document the reasons only one offer was received. DOD concurred with the two recommendations we made in our report and has since implemented one of them. DOD officials reported that DOD has been using its Business Senior Integration Group (BSIG)--the Under Secretary of Defense for Acquisition, Technology, and Logistics' executive-level leadership forum for providing oversight in the planning, execution, and implementation of DOD's Better Buying Power initiatives--as a mechanism to review ongoing and emerging issues, including competition and other weaknesses in contracting techniques and approaches. For example, in March 2014, the Director of the Office of Defense Procurement and Acquisition Policy presented an assessment of DOD competition trends that provided information on competition rates across DOD and for selected commands within each military department and proposed specific actions to improve competition. Further, in June 2014, DOD issued its second annual assessment of the performance of the defense acquisition system, which included data on its competition rate and goals, assessments of the effect of contract type on cost and schedule control, and the impact of competition on the cost of major weapon systems. An institution as large, complex and diverse as DOD, and one that obligates hundreds of billions of dollars on contracts each year, will continue to face challenges with its contracting techniques and approaches. We will maintain our focus on identifying these challenges and proposing solutions. At this point, however, DOD's continued commitment and demonstrated progress in this area, including the establishment of a framework by which DOD can address ongoing and emerging issues associated with the appropriate use of contracting techniques and approaches, provide a sufficient basis to remove this segment from the DOD contract management high-risk area. Service Acquisition: Figure: DOD Contract Management: [Refer to PDF for image: star illustration] Service Acquisition: Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] DOD has made a number of changes to its approach to managing the acquisition of services, which accounted for more than 50 percent of DOD's contract obligations in fiscal year 2013. These changes include designating the Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics as the department's senior manager for service acquisition, as well as building capacity to address service acquisition issues by designating a senior manager for service acquisitions in each military department and adopting a standard approach for categorizing spending on services. DOD also has ongoing efforts to develop a new department-wide policy that will govern the acquisition of services. DOD acknowledged in 2010 the need for a cohesive, integrated strategy for acquiring services but continues to lack such a strategy, as well as reliable data to inform decision making. For example, in June 2013 we reported that while DOD had taken many actions intended to improve service acquisition, it was not yet positioned to determine the effects of these actions, in part because DOD did not have adequate data on the current state of service acquisition, including spending analyses by each category of service it buys. Further, DOD does not have an action plan that would enable it to assess progress toward achieving its goals. We have continued to find that DOD faces challenges in meeting its statutory requirement to prepare an annual inventory of contracted services--one that could help it manage its acquisitions of services; make more strategic decisions about the right workforce mix of military, civilian, and contractor personnel; and better align resource needs through the budget process to achieve that mix. For example, in November 2014 we found that DOD still did not have an accurate inventory of contractor personnel, including those that closely support inherently governmental activities. Further, we have found that DOD has made some progress in acquiring services through strategic sourcing--a process of moving away from numerous individual procurements to a broader aggregate approach--but has more to do. As of March 2014, we found that DOD had identified some high-spend categories as candidates for strategic sourcing, but the department still needed to issue guidance establishing goals and metrics to track its progress. Operational Contract Support: Figure: DOD Contract Management: [Refer to PDF for image: star illustration] Operational Contract Support: Leadership Commitment: Met; Capacity: Not Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] We have identified long-standing issues in DOD's use of contractors to support contingency operations, such as those in Iraq and Afghanistan. In light of these issues, we found in our 2013 high-risk update that DOD needs to sustain efforts throughout the department to integrate operational contract support through policy, planning, and training for both current and future contingency operations. DOD has demonstrated leadership commitment in addressing these issues as evidenced in several new or revised policies aimed at improving operational contract support, but several areas still need continued management attention. For example, in a September 2012 manpower study to determine the number of dedicated civilian operational contract support analysts and planners needed at the strategic and operational level, the Joint Staff identified a shortfall of 70 positions which have not been addressed. Further, in February 2013 we recommended that DOD further integrate operational contract support into contingency planning in the military services and combatant commands. The department generally concurred with our recommendations, but with the exception of the Army, the military departments have not yet developed operational contract support guidance, a key step in integrating operational contract support into the military department planning process. According to service officials, one reason that they have not issued comprehensive guidance similar to the Army's guidance is because the Navy, Marine Corps, and Air Force have not been the lead service for contracting in recent operations; however, these three services combined spent over a billion dollars under contracts for services in Afghanistan in fiscal year 2011. Without specific, service-wide guidance, the other services' future planning efforts may not reflect the full extent of the use of contract support and the attendant cost and need for oversight. Also, according to some geographic combatant command officials, the combatant commands have made some progress in including operational contract support in their plans, but some plans do not include operational contract support considerations. DOD issued an update to its 2013 Operational Contract Support action plan which refines actions needed to address 10 critical operational contract support capability gaps that the department must close before it can effectively and efficiently conduct operational contract support tasks in support of contingency operations. While the update provides information on more than 170 tasks that have been assigned to the Office of the Secretary of Defense and other DOD agencies against a target completion date, not all tasks contain metrics of success that are clear and measurable. For example, in the update to the action plan, DOD stated that the establishment of an operational contract support joint lessons learned process was complete, citing the development of operational contract support universal joint tasks. While the establishment of universal joint tasks supports lessons learned through the joint operation planning process, the lack of clear and measurable metrics makes it unclear how this establishes and provides formal oversight of the operational contract support joint lessons learned process. What Remains to Be Done: To further improve outcomes on the billions of dollars spent annually on goods and services, DOD needs to: * continue efforts, including strategic planning and alignment of funding, to increase the department's capacity to manage and oversee contracts by ensuring that its acquisition workforce is appropriately sized and trained to meet the department's needs; * determine the appropriate mix of military, civilian, and contractor personnel; * strategically manage its acquisition of services by defining desired outcomes, establishing goals and measures, and obtaining the data needed to monitor progress; and: * sustain efforts throughout the department to integrate operational contract support through policy, planning, training, and application of necessary resources for both current and future contingency operations. GAO Contact: For additional information about this high-risk area, contact Timothy J. DiNapoli at (202) 512-4841 or dinapolit@gao.gov. Related GAO Products: Defense Contractors: Additional Actions Needed to Facilitate the Use of DOD's Inventory of Contracted Services. [hyperlink, http://www.gao.gov/products/GAO-15-88]. Washington, D.C.: November 19, 2014. Human Capital: DOD Should Fully Develop Its Civilian Strategic Workforce Plan to Aid Decision Makers. [hyperlink, http://www.gao.gov/products/GAO-14-565]. Washington, D.C.: July 9, 2014. Defense Acquisitions: Update on DOD's Efforts to Implement a Common Contractor Manpower Data System. [hyperlink, http://www.gao.gov/products/GAO-14-491R]. Washington, D.C.: May 19, 2014. Defense Contracting: Early Attention in the Acquisition Process Needed to Enhance Competition. [hyperlink, http://www.gao.gov/products/GAO-14-395]. Washington, D.C.: May 5, 2014. Defense Acquisitions: Goals and Associated Metrics Needed to Assess Progress in Improving Service Acquisition. [hyperlink, http://www.gao.gov/products/GAO-13-634]. Washington, D.C.: June 27, 2013. Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce. [hyperlink, http://www.gao.gov/products/GAO-13-470]. Washington, D.C.: May 29, 2013. 2013 Annual Report: Actions Needed to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits. [hyperlink, http://www.gao.gov/products/GAO-13-279SP]. Washington, D.C.: April 9, 2013. Defense Contracting: Actions Needed to Increase Competition. [hyperlink, http://www.gao.gov/products/GAO-13-325]. Washington, D.C.: March 28, 2013. Warfighter Support: DOD Needs Additional Steps to Fully Integrate Operational Contract Support into Contingency Planning. [hyperlink, http://www.gao.gov/products/GAO-13-212]. Washington, D.C.: February 8, 2013. [End of section] DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management: Why Area Is High Risk: The Department of Energy (DOE), the largest civilian contracting agency in the federal government, relies primarily on contractors to carry out its diverse missions and operate its laboratories and other facilities. Approximately 90 percent of DOE's budget is spent on contracts and large capital asset projects. We designated DOE's contract management- -which includes both contract administration and project management-- as a high-risk area in 1990 because DOE's record of inadequate management and oversight of contractors has left the department vulnerable to fraud, waste, abuse, and mismanagement. In January 2009, to recognize progress made by DOE's Office of Science, we narrowed the focus of its high-risk designation to two DOE program elements--the Office of Environmental Management (EM) and the National Nuclear Security Administration (NNSA). Together, these two programs accounted for almost 63 percent of DOE's fiscal year 2015 discretionary funding of more than $26 billion. In February 2013, we further narrowed the focus of the high-risk designation to EM and NNSA's major contracts and projects, those with an estimated cost of $750 million or more, to acknowledge progress made in managing projects with an estimated cost of less than $750 million. Our 2013 assessment found that DOE satisfied 3 of the 5 criteria needed for removal from the High Risk List. This year, we did not observe similar progress in DOE's management of major projects. EM and NNSA struggled to stay within cost and schedule estimates for most of their major projects. What GAO Found: Figure: DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Not Met; Action Plan: Partially Met; Monitoring: Not Met; Demonstrated Progress: Not Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Since our high-risk update in February 2013, DOE met one of our five criteria for removal from the High Risk List based on its performance in managing its major contracts and projects. DOE met the criteria for demonstrating a strong commitment and top leadership support to improve contract and project management in EM and NNSA. DOE's top leadership continued to be engaged and take action to address this high-risk area. DOE did not meet the criteria for having the capacity (people and resources) to resolve contract and project management problems. DOE, including EM and NNSA, took some actions to address capacity issues, but these actions did not ensure that the department has the capacity to fully address its contract and project management challenges. DOE partially met the criteria for having a corrective action plan that identifies effective solutions. In 2008, DOE developed a corrective action plan. However, we are concerned that DOE did not adequately identify root causes of its contract and project management challenges, because it has continued to identify additional corrective actions since it declared in 2011 that it had mitigated the root causes of its most significant contract and project management challenges. DOE did not meet the criteria for monitoring and independently validating the effectiveness and sustainability of corrective measures as DOE continued to propose new measures to address ongoing performance problems. In our 2013 high-risk update, we reported that DOE had met the criteria for demonstrating progress toward implementing corrective measures. This was largely a result of the progress DOE had made in managing projects with an estimated cost of less than $750 million (nonmajor projects). However, because of continuing cost and schedule problems with EM and NNSA major projects, DOE did not meet this criterion for this 2015 update. DOE met one of our five criteria, partially met one, and did not meet three. The department met the criteria for demonstrating a strong commitment and top leadership support for improving contract and project management in EM and NNSA. DOE demonstrated top leadership attention to contract and project management challenges by initiating reorganizational efforts to better focus the department's resources on these challenges. In 2013, DOE revised its organizational structure by establishing the Office of Management and Performance and by creating a new position of deputy under secretary to head this office. The deputy under secretary functions as the chief operating officer of the department and has responsibility for mission support organizations, including project management, procurement, and human capital. The office is responsible for overseeing EM, including its contract and project management activities. The Secretary of Energy demonstrated top leadership support by establishing, in 2013, the Contract and Project Management Working Group to analyze project management issues. In December 2014, DOE shared with us a draft copy of a working group report that included 21 recommendations. According to the report, the key recommendations include, among others, (1) taking steps to ensure that DOE's project management requirements are followed and making the provisions in all DOE project management guides mandatory, (2) having program offices analyze alternatives independent of the contractor organization responsible for constructing the facility, and (3) fully funding projects with an estimated cost of less than $50 million. Accompanying this report was a memorandum from the Secretary of Energy to all department elements. According to the memorandum, four of the report recommendations will be implemented immediately: the 3 key recommendations mentioned above as well as a recommendation to establish a project leadership institute to create and sustain a culture of project delivery excellence. The memorandum explains that the Secretary will also strengthen the Energy Systems Acquisition Advisory Board, which is responsible for providing recommendations to the Deputy Secretary of Energy involving capital asset projects with an estimated cost of $750 million or greater. Further, the memorandum explains that the Secretary is establishing a project management risk committee to provide enterprise-wide project management risk assessment and expert advice to the Secretary and others in the department. The risk committee is to review the report recommendations and report back, within 60 days, to the Secretary and senior leadership with a specific suggested action for the remaining recommendations. DOE did not meet the criteria for having the capacity to resolve contract and project management problems. In its 2008 corrective action plan, DOE recognized that having sufficient people and other resources to resolve these problems was one of the top 10 issues facing the department. The plan said that the department lacked an adequate number of federal contracting and project personnel with the appropriate skills (such as cost estimating, risk management, and technical expertise) to plan, direct, and oversee project execution. In July 2013, DOE completed a review of its acquisition workforce. The review noted that DOE's acquisition workforce, which includes contract specialists and officers for both contracts and financial assistance agreements, comprised less than 5 percent of DOE's federal workforce, but was responsible for administering contract and other obligations representing over 90 percent of the agency's annual budget. The review concluded that DOE has an extremely low number of contract specialists, and that this finding is most apparent when benchmarked against other agencies. This review helped to identify the extent to which the department has adequate people and resources to effectively manage its acquisition process. However, this review did not include the other key staff members normally included in the description of the acquisition workforce, such as program and project managers and contracting officer representatives. In addition to this workforce review, DOE and NNSA have activities under way to improve the skills of the contracting and project management workforce. For example, in March 2014, the Secretary of Energy approved the implementation of the DOE Acquisition Fellows program, which is designed to recruit, acquire, develop, and retain contract specialists. NNSA officials explained that they have signed an agreement with the U.S. Army Corp of Engineers to provide support for, among other things, acquisition and project management. Similarly, NNSA awarded two contracts to industry experts to enhance federal oversight of its capital asset projects. NNSA officials explained that these contracts with experts are intended to fill the skills gap until NNSA can reach its goal of a developing a workforce by 2019 that is capable of planning and delivering capital asset projects within the performance baseline established for these projects. The department partially met the criteria for having a corrective action plan that identifies effective solutions. However, we are concerned that DOE did not adequately identify the root causes of its contract and project management problems. In 2009, we found that DOE met the criteria because it had issued a corrective action plan in 2008 that identified what it considered to be the 10 most significant issues DOE faced in managing its contracts and projects. The department officially closed out most of these issues in 2011, stating in a report that the corrective actions it implemented from its 2008 plan had effectively mitigated most of the root causes of their most significant contract and project management challenges. However, the department has continued to identify additional corrective actions and recommendations to address its persistent contract and project management challenges. In 2010, DOE identified six additional barriers to improving contract and project management and developed corrective actions to address these barriers. In 2012, DOE issued a report stating that it has completed or partially completed the corrective actions necessary to address these barriers. In December 2014, as noted above, DOE officials shared with us a draft report that includes 21 recommendations to address continuing project management challenges. DOE intends to immediately implement four of the recommendations and has tasked the new risk committee with reporting back within 60 days with suggested actions for the remaining recommendations. However, it is unclear whether and when DOE will implement these remaining 17 recommendations. While these recommendations seem well intended, they are also part of an ongoing cycle of announcing new corrective actions, declaring them successful, and then identifying more actions. We are concerned that this cycle may indicate that the department has not adequately identified the root causes of its challenges. Further, it is unclear whether this latest round of recommendations will be any more successful than those that have preceded them. The recent performance of EM and NNSA major projects did not meet the criteria for monitoring and independently validating the effectiveness and sustainability of corrective measures. Nor did it meet the criteria for demonstrating progress toward implementing corrective measures. As of December 2014, EM is managing seven major projects with estimated costs totaling as much as $49.4 billion. Four of these projects are in construction--the Salt Waste Processing Facility, the Waste Treatment and Immobilization Plant, the River Corridor Closure Project, and the K-25 Decontamination and Decommissioning Project--and the other three are in various stages of design. NNSA is managing three major projects with estimated costs totaling nearly $17 billion-- one of these projects, the Mixed Oxide Fuel Fabrication Facility, is under construction, and the other two, the Uranium Processing Facility and the Chemistry and Metallurgy Research Replacement Nuclear Facility, are in the design phase. NNSA is also managing a multibillion dollar project to upgrade the B61 nuclear weapon. Since our 2013 high-risk update, EM and NNSA have continued to struggle with many of these projects, as the following examples illustrate: * In August 2014, DOE increased the estimated cost for completing EM's Salt Waste Processing Facility by approximately $983 million and added an additional 6 years to the scheduled completion. The project is under construction at DOE's Savannah River site in South Carolina. This increase raises the total project cost to approximately $2.3 billion and extends the estimated completion date to January 2021. Since the project began in 2001, its estimated cost has increased by approximately $1.9 billion and completion has been delayed by about 12 years. * In 2012 we reported on the status of the construction of EM's Waste Treatment and Immobilization Plant (WTP) at DOE's Hanford site in the state of Washington. Since then, EM has had difficulty in developing a reliable cost and schedule estimate for completing this project. In December 2012, we found that the estimated cost to construct WTP had tripled to $13.4 billion since its inception in 2000, and the scheduled completion date had slipped by nearly a decade to 2019. We recommended, among other things, that DOE (1) not resume construction on WTP until the design of certain facilities has been completed to the level established by nuclear industry guidelines; (2) ensure the department's contractor performance evaluation process does not prematurely reward contractors for resolving technical issues later found to be unresolved; and (3) take appropriate steps to determine whether any incentive payments were made erroneously and, if so, take actions to recover them. DOE agreed with these recommendations. As of November 2014, DOE had partially implemented one of these recommendations by reviewing the incentive payments made to the WTP contractor. We have ongoing work examining the WTP, including DOE's recent proposal to design and construct two new nuclear facilities as part of the WTP project. We expect to issue a report early in 2015. In addition, we reported in November 2014 that the underground nuclear waste storage tanks were in worse condition than previously understood. We recommended that, in light of the continued delays in the WTP project and the deteriorating condition of waste storage tanks, DOE should, among other things, update the schedule for retrieving waste from the tanks and assess alternatives for creating additional tank storage space, including building new tanks. DOE accepted the report's recommendations and stated that the recommendations are well-aligned with DOE's ongoing initiatives for the management of its waste storage tanks. * In 2011, we reported that the Department of Defense and NNSA had experienced difficulty in scoping the planned refurbishment of the B61 nuclear weapon. Since then, the estimated cost of the effort has increased. NNSA refers to this refurbishment as the B61 Life Extension Program (B61 LEP). In November 2014, we found that two program reviews of the B61 LEP effort both concluded that the cost estimate was inaccurate, with one review noting that the program will cost approximately $3.6 billion more than NNSA's 2011 estimate of $6.5 billion. We also found that, in the absence of a DOE or NNSA requirement for programs to follow cost estimating best practices, managers for programs we reviewed, including the B61 LEP, used different processes in developing cost estimates. In regards to the B61 LEP, we found that NNSA managers developed an approach for developing cost estimates for the program using various sources, including DOE's project management order and cost guide and our cost- estimating guide. This effort resulted in the management team producing a document that defines the strategy and provides guidance for completing the cost estimate for the B61 LEP. We reviewed this document and found that it did not stipulate that NNSA program managers or its contractors must follow any DOE or NNSA requirements or guidance for the development of a program cost estimate when developing the estimate for the B61 LEP. * In February 2014 we reported that DOE had forecasted a cost increase of approximately $2.9 billion and a schedule delay of about 3 years for NNSA's Mixed Oxide (MOX) Fuel Fabrication Facility that is currently under construction at DOE's Savannah River Site. This increase would raise the total estimated cost of the facility to approximately $7.7 billion and extend the completion date to 2019. Since the project began in 1997, the estimated cost of the project has increased by more than $6.3 billion and the schedule has been delayed by about 15 years. We found that, among other things, NNSA had not analyzed the root causes of the construction cost increases to help identify lessons learned and to help address the agency's difficulty in completing projects within cost and schedule. We also found that NNSA's most recent cost estimates for the overall plutonium disposition program, of which the MOX facility is a part, did not fully reflect all the characteristics of reliable cost and schedule estimates, placing the program at risk of further cost increases. We recommended that, among other things, DOE conduct a root cause analysis of the program's cost increases and ensure that future estimates of the program's life-cycle cost and cost and schedule for the program's construction projects meet all best practices for reliable estimates. DOE generally agreed with our recommendations. * We reported several times in 2013 and 2014 on NNSA's continuing difficulties in designing a new Uranium Processing Facility at DOE's Y- 12 National Security Complex in Oak Ridge, Tennessee. We found in July 2013 that key assumptions contained in multiple cost estimates proved to be inaccurate and were the primary factors that contributed to project cost increases. We found that the upper bound of the project's cost range had increased from its initial 2004 estimate of $1.1 billion to $6.5 billion in June 2012. We found that the June 2012 estimate deferred significant portions of the original scope of the project. We also found that DOE estimated an additional $540 million in costs stemming from the need to modify the design of the facility by raising the facility roof by an additional 13 feet to accommodate the equipment needed in the facility. In December 2014, we found that DOE proposed a new project alternative consisting of building three, new smaller facilities within the $6.5 billion upper bound of the estimated cost range. * We reported in 2012 on significant cost increases associated with NNSA's Chemistry and Metallurgy Research Replacement Facility at DOE's Los Alamos National Laboratory in New Mexico. Since then, NNSA took action to reconfigure this project. This project was initially planned to include three subprojects--a laboratory (completed in 2010), installation of equipment for the laboratory (completed in 2013), and a nuclear facility. In March 2012, we found that the estimated cost of the overall project had increased from an initial estimate in 2005 of between $745 million and $975 million to a revised estimate in 2010 of between $3.7 billion and $5.8 billion. We also found that NNSA had decided to defer construction of the nuclear facility subproject by at least an additional 5 years. In August 2014, DOE canceled the nuclear facility and approved a new strategy that includes renovating three existing facilities, including the laboratory that was completed in 2010. According to NNSA, with this new strategy the total cost of the project--including the completed cost for the laboratory and installation and equipment--will be between $2.4 billion and $2.9 billion, which is lower than the 2010 estimate. According to NNSA, this revised cost range includes the completed cost for the laboratory, the laboratory equipment installation, and the design costs expended to date for the nuclear facility. In addition to examining these ongoing major projects, we conducted more broadly-focused reviews to identify potential corrective actions that may address some of DOE's contract and project management challenges. We reported in 2013 and 2014 on DOE contract and project management issues involving (1) cost estimating for projects and programs, (2) the process DOE uses to select a preferred project alternative at the beginning of acquiring a capital asset--a process referred to as analysis of alternatives (AOA), (3) issues related to DOE's use of management and operating contractors, and (4) financial management issues involving indirect costs and improper payments. Cost estimating. In November 2014, we reported that DOE has a history of struggling to complete many of its major construction projects within initial cost and schedule estimates. Our report examined the extent to which DOE's cost estimating requirements and guidance reflected best practices. We found that DOE and NNSA cost estimating requirements and guidance for projects and programs generally do not reflect best practices for developing cost estimates. We also found that, because DOE and NNSA do not require reviews of program cost estimates, the extent of weaknesses in program cost estimates is largely unknown. To address these issues, we recommended that DOE, among other things, revise its requirements and guidance for projects and programs to ensure DOE and NNSA and its contractors develop cost estimates in accordance with cost estimating best practices, and that independent reviews of programs are conducted periodically. DOE agreed with these recommendations. However, we noted in the report that DOE's unspecified, open-ended date for responding to many of these recommendations may have indicated a lack of urgency or concern about the need to implement these recommendations. Conducting AOAs. We found in December 2014 that several of DOE's major construction projects had incurred significant cost increases and schedule delays, and that DOE was in the process of reassessing the originally selected project alternative for these projects. Our report assessed the extent to which DOE's process for selecting project alternatives reflects best practices. We found that neither DOE's AOA requirements nor its guidance conform to best practices, and therefore DOE cannot have confidence that applying its requirements and guidance would lead to reliable AOAs. To address these issues, we recommended that DOE incorporate all best practices into its AOA requirements. DOE agreed with this recommendation. However, we noted in the report that DOE's unspecified, open-ended date for responding to this recommendation may have indicated a lack of urgency or concern about the need to implement these recommendations. Management and operating contracts. As we reported in our February 2013 high-risk update, one of the six barriers DOE identified in its 2010 Contract and Project Management Summit was that the department needed to improve its ability to hold both federal employees and contractors accountable for project and contract performance and to award fees to contractors consistent with project performance, operational targets, or both. DOE reported that the department needs to improve its process for documenting contractor performance. In addition, as we reported in July 2012, NNSA did not thoroughly review contractor-provided budget estimates before it incorporates them into its proposed annual budget. We made several recommendations to address this situation. As of September 2014, NNSA has only partially responded to these recommendations. We have ongoing work that assesses the extent to which the department's contractors have systems in place to accurately report performance and we expect to issue a report in early 2015. Financial management issues. In June 2013, to address concerns about the proportion of NNSA weapons laboratories' funds used for indirect costs, such as general and administrative costs that indirectly support a program, we reported that NNSA's contractors differ in how they classify and allocate indirect costs. We found that different approaches are allowed by Cost Accounting Standards, but these differences limit the ability of DOE and the Congress to compare costs across laboratories. Recognizing the limitations of its current cost data, we noted that DOE was implementing an initiative to create a standardized report of costs, including indirect costs. We recommended that DOE clarify the uses of the data collected through the initiative, conduct periodic risk assessments, and establish requirements for benchmarking in its laboratory contracts, among other things. DOE generally agreed with these recommendations, and has since taken steps to (1) clarify the uses and limitations of the data collected through the initiative, and (2) conduct a baseline risk assessment of its oversight of contractor financial management activities and draft a process description for annual risk assessments. In October 2013, we reported that in fiscal years 2008 through 2012, DOE performed about $2 billion annually of work for others (WFO) projects. Through these projects, DOE allows the capabilities of its national laboratories to be made available to perform work for other federal agencies and nonfederal entities. We found that DOE had not ensured that the WFO program requirements were consistently met and that DOE had not measured the extent to which WFO program performance is measured against program objectives and had not established performance measures to do so. We recommended, among other things, that DOE take steps to ensure compliance with project approval requirements and require laboratories to establish written procedures for charging costs to projects. DOE generally agreed with the report and its recommendations. In December 2014, DOE issued an updated WFO policy but this policy did not directly address any of the report's recommendations. In December 2013, we found that the estimates contained in NNSA's fiscal year 2014 budget materials excluded most of the budget estimates for two of NNSA's major construction projects--the Uranium Processing Facility and the Chemistry and Metallurgy Research Replacement Facility. To improve the utility of future budget estimates and address the misalignment between modernization plans and budget estimates, we recommended that the Administrator of NNSA include in future modernization plans at least a range of potential budget estimates for known construction projects. NNSA generally concurred with the recommendation and has taken action to implement it. For example, NNSA's fiscal year 2015 budget materials included preliminary estimates for all three phases of the Uranium Processing Facility and the Chemistry and Metallurgy Research Replacement Facility or its alternative. In December 2014, we reported that DOE developed a process to assess its programs' risk of improper payments in fiscal year 2011 that included both a qualitative risk assessment and quantitative information on improper payments. Based on our evaluation of the department's fiscal year 2011 risk assessment process, we found that (1) DOE did not prepare risk assessments for all of its programs and the quantitative information reported was not reliable; (2) DOE's risk assessments did not always include a clear basis for the risk determination; and (3) DOE's risk assessments did not fully evaluate other relevant risk factors. In addition, we found that in fiscal years 2012 and 2013, although not required, DOE directed its sites to prepare an overall risk assessment rating and information on the amount of actual improper payments identified through the normal course of business. However, we found that the information reported in fiscal years 2012 and 2013 constituted less information on improper payments risk than what was provided in fiscal year 2011 and provided limited insight into DOE's risk of improper payments. We made recommendations to help DOE improve its ability to assess the risk of improper payments, make more effective use of DOE and contractor resources, and provide better transparency regarding DOE's total known improper payments. DOE agreed with these recommendations. What Remains to Be Done: DOE's removal from the High Risk List requires meeting all five of our long-established criteria. DOE must sustain the leadership commitment it has already demonstrated to address its contract and project management challenges. In addition, DOE needs to commit sufficient people and resources to resolve its contract and project management problems. DOE must also ensure its corrective action plan and the initiatives needed to address underlying causes of contract and project management problems are up to date and address root causes. DOE will need to demonstrate progress in implementing corrective measures, especially measures intended to improve the performance of major projects. The department will also need to monitor and independently validate the effectiveness and sustainability of its corrective measures, particularly for major projects. Specifically, DOE must ensure that the corrective measures it is taking result in sustained improvements to the achievement of cost, schedule, and scope targets and that federal managers are receiving and validating accurate and reliable information from contractors that can be used to make decisions and to hold them and the department accountable for performance. GAO Contact: For additional information about this high-risk area, contact David Trimble at (202) 512-3841 or trimbled@gao.gov. Related GAO Products: Improper Payments: DOE's Risk Assessments Should Be Strengthened. [hyperlink, http://www.gao.gov/products/GAO-15-36]. Washington, D.C.: December 23, 2014. DOE Project Management: Analysis of Alternatives Could Be Improved By Incorporating Best Practices. [hyperlink, http://www.gao.gov/products/GAO-15-37]. Washington, D.C.: December 11, 2014. Hanford Cleanup: Condition of Tanks May Further Limit DOE's Ability to Respond to Leaks and Intrusions. [hyperlink, http://www.gao.gov/products/GAO-15-40]. Washington, D.C.: November 25, 2014. Project and Program Management: DOE Needs to Revise Requirements and Guidance for Cost Estimating and Program Review. [hyperlink, http://www.gao.gov/products/GAO-15-29]. Washington, D.C.: November 25, 2014. Nuclear Weapons: Some Actions Have Been Taken to Address Challenges with the Uranium Processing Facility Design. [hyperlink, http://www.gao.gov/products/GAO-15-126]. Washington, D.C.: October 10, 2014. Nuclear Weapons: Technology Development Efforts for the Uranium Processing Facility. [hyperlink, http://www.gao.gov/products/GAO-14-295]. Washington, D.C.: April 18, 2014. Plutonium Disposition Program: DOE Needs to Analyze the Root Causes of Cost Increases and Develop Better Cost Estimates. [hyperlink, http://www.gao.gov/products/GAO-14-231]. Washington, D.C.: February 13, 2014. Modernizing the Nuclear Security Enterprise: NNSA's Budget Estimates Do Not Fully Align with Plans. [hyperlink, http://www.gao.gov/products/GAO-14-45]. Washington, D.C.: December 11, 2013. National Laboratories: DOE Needs to Improve Oversight of Work Performed for Non-DOE Entities. [hyperlink, http://www.gao.gov/products/GAO-14-78]. Washington, D.C.: October 25, 2013. Nuclear Weapons: Information on Safety Concerns with the Uranium Processing Facility. [hyperlink, http://www.gao.gov/products/GAO-14-79R]. Washington, D.C.: October 25, 2013. Modernizing the Nuclear Security Enterprise: Observations on NNSA's Options for Meeting Its Plutonium Research Needs. [hyperlink, http://www.gao.gov/products/GAO-13-533]. Washington, D.C.: September 11, 2013. Department of Energy: Observations on DOE's Management Challenges and Steps Taken to Address Them. [hyperlink, http://www.gao.gov/products/GAO-13-767T]. Washington, D.C.: July 24, 2013. Nuclear Weapons: Factors Leading to Cost Increases with the Uranium Processing Facility. [hyperlink, http://www.gao.gov/products/GAO-13-686R]. Washington, D.C.: July 12, 2013. National Nuclear Security Administration: Laboratories' Indirect Cost Management Has Improved, but Additional Opportunities Exist. [hyperlink, http://www.gao.gov/products/GAO-13-534]. Washington, D.C.: June 28, 2013. Department of Energy: Observations on Project and Program Cost Estimating in NNSA and the Office of Environmental Management. [hyperlink, http://www.gao.gov/products/GAO-13-510T]. Washington, D.C.: May 8, 2013. Modernizing the Nuclear Security Enterprise: Observations on DOE's and NNSA's Efforts to Enhance Oversight of Security, Safety, and Project and Contract Management. [hyperlink, http://www.gao.gov/products/GAO-13-482T]. Washington, D.C.: March 13, 2013. [End of section] NASA Acquisition Management: Why Area Is High Risk: The National Aeronautics and Space Administration (NASA) plans to invest billions of dollars in the coming years to explore space, understand Earth's environment, and conduct aeronautics research. We designated NASA's acquisition management as high risk in 1990 in view of NASA's history of persistent cost growth and schedule slippage in the majority of its major projects. Our work has identified a number of causal factors, including antiquated financial management systems, poor cost estimating, and underestimating risks associated with the development of its major systems. What GAO Found: Figure: NASA Acquisition Management: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Met; Monitoring: Met; Demonstrated Progress: Partially Met. Three Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] NASA's senior leadership is committed to improving overall acquisition outcomes and has implemented key components of the agency's action plan. Specifically, the agency has instituted new tools aimed at providing increased insight into project performance, such as the collection of earned value management (EVM) data and the Joint Cost and Schedule Confidence Level (JCL) process. However, capacity remains an issue as the guidance for these tools has not been finalized and training to address identified skill gaps has only recently begun. NASA has established metrics to monitor progress in improving acquisition management, and in recent years we have found improvement in the cost and schedule performance of the agency's portfolio of major projects. However, more recently, a few of NASA's major projects are rebaselining their cost, schedule, or both in light of management and technical issues, which is tempering the progress of the whole portfolio. In addition, several of NASA's largest and most complex projects, such as NASA's human spaceflight projects, are at critical points in implementation. We have reported on several challenges that may further impact NASA's ability to demonstrate progress in improving acquisition management. NASA continues to take steps to reduce acquisition risk. Over the past several years, there has been improvement in the cost and schedule performance of the agency's portfolio of major projects, which include highly complex and sophisticated space transportation vehicles, robotic probes, and satellites equipped with advanced sensors to study space and earth. For example, we found in 2011 that--for projects in implementation--the portfolio average development cost growth was more than 14 percent and the average launch delay was 8 months. In 2014, when excluding the James Webb Space Telescope (JWST) project, we found those averages had fallen to 3 percent cost growth and launch delays were less than 3 months on average.[Footnote 223] In addition, NASA reports that it is meeting all of the metrics it established to monitor progress in improving its acquisition management. Some noteworthy steps the agency has taken include the following: * In 2014, NASA drafted revisions to its acquisition planning regulations, which it anticipates will be sent for notice and comment in February of 2015. If these revisions are issued as final rules, they would require acquisition plans to include a detailed independent government cost estimate as well as lessons learned from prior or predecessor contracts to improve follow-on acquisitions. * As of 2014, all NASA projects required to develop a Joint Cost and Schedule Confidence Level (JCL)--a tool which assigns a confidence level, or likelihood, of a project meeting its cost and schedule estimates--have done so. * NASA has also taken steps to improve the agency's use of earned value management (EVM)--a tool designed to help project managers monitor risks. In fiscal year 2013, the agency began a phased rollout of the EVM Capability process on the Space Launch System (SLS) project at the Marshall Space Flight Center and the Ice, Cloud, and Land Elevation Satellite (ICESat)-2 project at Goddard Space Flight Center. NASA started the EVM Capability process for the Ground Systems Development Office at the Kennedy Space Center in fiscal year 2014. In addition, the agency plans to implement the process for the Orion Multi-Purpose Crew Vehicle (Orion) program at Johnson Space Center in fiscal year 2015. NASA plans indicate that during the rollout phase, the agency will provide support to the respective centers to develop the institutional capability to support future projects. * In 2012, the agency established metrics to more consistently measure a project's design progress and, in 2014, we found that most major projects in the portfolio were tracking and reporting those metrics. In addition, experts that we met with confirmed that NASA's metrics are valid measures to assess design maturity in space systems. These actions have helped NASA to launch more projects on time and within cost and, ultimately, to maximize science and exploration objectives. We have also found, however, that NASA still faces significant challenges in managing and overseeing its most expensive and complex projects. More specifically, we have identified instances where the agency has either underestimated the risks and potential impacts; not reacted quickly enough to risks when they worsen; or resisted independent assessments of risk in light of changing conditions, as the following examples illustrate: * Over the past 2 years, the JWST project's cryocooler--which is necessary to cool one of the telescope's instruments--has had a series of design and manufacturing challenges that have used a disproportionate amount of the project's reserves and caused significant schedule delays. While the project has recently taken steps to increase oversight of the cryocooler development and manufacturing it remains to be seen if these efforts will keep the cryocooler effort on its current schedule. The cryocooler is now the main driver of schedule risk facing the $8.8 billion project. * In 2014, we found that neither the JWST project nor the prime contractor planned to update their cost risk analysis even though the analysis was based on risk data that was 3 years old and will be 7 years old by the time the telescope is launched and that the project's JCL remained outdated. We recommended that, consistent with best practice, NASA should update its cost estimate and risk analysis for the JWST prime contractor's remaining work. NASA disagreed, but then subsequently agreed to conduct an updated cost risk analysis for the prime contractor's remaining work. If done correctly, this type of information will provide increased insight into the project at a time when it is facing technical challenges that are increasing risk to the project. * NASA officials told us that the project underestimated the technical complexity of the ICESat-2 project's design and the project began underperforming against cost and schedule just 1 month after its baselines were set at confirmation. The project was subsequently rebaselined more than 30 percent higher than its original baseline. The laser contractor has encountered multiple technical issues while building the prototype laser for the project's only instrument. Recently, work to resolve an unexpected power issue encountered in testing has delayed qualification testing of the laser by at least six weeks. * The Space Network Ground Segment Sustainment project's contractor provided unrealistic estimates that, despite project officials being aware of this issue prior to project confirmation, led to the need for a rebaselining shortly after the project was confirmed. Specifically, the contractor underestimated costs for information technology infrastructure and overestimated its ability to meet its staffing requirements. As a result, the project's costs are expected to exceed the agency's committed baseline cost by 30 percent and the project's committed final acceptance review date is expected to occur 23 months past the originally scheduled date, slipping from June 2017 to May 2019. In addition, while NASA has implemented tools in recent years to provide better insight into and oversight of its acquisition projects, the agency has not consistently applied training for and implementation of these tools. In some instances, the reason may be a lack of agency expertise or guidance in how to apply the tools, but in others adherence to tools has not been consistent. For example: * The implementation of EVM across NASA's major projects has been critical to better understanding project development needs and reducing cost and schedule growth. We have found, however, that the amount of expertise available at NASA centers and the training provided to staff on how to both construct and apply the collected information is lacking. For example, in 2012 we found that the agency lacks adequate numbers of staff with the skill set needed to analyze EVM data and this was confirmed through NASA's skills gap analysis. To address these gaps, the agency released an EVM training plan in August 2014, and the training is currently underway. * NASA has used the JCL process since 2009 but has yet to release agency-wide guidance, which may have been a contributing factor to the inconsistent use of the factors that constitute the joint cost and schedule confidence level that we found for several projects and weaknesses found in the JWST project's JCL. For example, in 2012 we found that, in some instances, when projects provided data for JCL calculations they excluded or did not fully consider relevant cost inputs and risks, such as launch vehicle costs or risks associated with challenges faced by development partners. In 2012, we reported that the JWST project's cost estimate did not meet criteria for being accurate, in part because the summary schedule used to derive the JCL did not include the necessary level of detail nor did the project provide evidence that it planned to update the cost estimate. Despite weaknesses identified by us, the JWST project--rebaselined in 2011-- had not updated its JCL to be in line with cost estimating best practices as of 2014. * NASA's measurement of its progress for reducing acquisition risk has been inconsistent. Specifically, when NASA reports on cost and schedule performance for individual projects or across its portfolio, the agency uses rebaseline data rather than original project baseline data for measuring outcomes. In other words, cost and schedule growth that occurred prior to the replan of a troubled project would be excluded from tracking of overall progress. Finally, funding instability has been a leading cause of cost growth for NASA's largest projects as unstable funding combines with cost and schedule baselines to produce incentives for projects to stretch out, delay, or cut expensive but necessary risk reduction activities. Yet addressing this challenge is difficult in the context of constrained budgets and sometimes competing priorities. Having a complete picture of costs can enable both the Congress and the administration to set priorities for both the short and long term. However, insight into the costs of two of NASA's primary human spaceflight projects is limited. Specifically, in 2014, we found that NASA's cost estimates for the SLS and Orion projects do not extend beyond the first flight for the combined system. These estimates do not include production costs for the second test flight scheduled for 2021; development costs for advanced booster and upper-stage development for future SLS variants; or production, operations, and sustainment costs for Orion beyond the first test flight. The limited scope that NASA has chosen for constructing cost estimates for these projects means that the estimates are unlikely to serve as a way to measure progress and track cost growth over the life of the projects. In addition, NASA has continued to request funding that does not meet requirements for some of its most expensive programs. For example, in 2014 we reported the SLS project has carried a high risk that it would not meet project cost and schedule requirements with the funding available which put at risk the agency's planned launch readiness date in 2017.[Footnote 224] What Remains to Be Done: There will always be inherent technical, design, and integration risks associated with NASA's major acquisitions as these projects are highly complex and specialized and often push the state of the art in space technology. But there does not have to be a significant degree of management risk, particularly when it comes to estimating what resources are needed to complete a project, assessing whether projects are ready to move forward, and enabling sound management and oversight. NASA has already made strides in reducing acquisition risk from both a technical and management standpoint. More can be done, however, particularly with respect to anticipating and mitigating risks, implementing management tools, and forecasting costs for its largest projects. Areas that will be critical to improving NASA's acquisition outcomes include the following: * Ensuring that adequate and ongoing assessments of risks for larger projects--JWST, SLS, and Orion--are conducted, especially since each of these projects are at different critical points in development and implementation, as the impacts of any potential miscalculations will be felt across the portfolio. * Ensuring that improvements to its acquisition policies are implemented consistently agency-wide. Specifically, providing completed guidance and training for both EVM and the JCL process would ensure that NASA's workforce has the skills necessary to make best use of these tools and would provide additional insight into project performance and allow for more consistent JCL data across the portfolio. * Ensuring that projects' JCLs are updated regularly and consistently across the portfolio. As a project reaches the later stages of development, especially integration and testing, its risk posture may change. An updated project JCL would provide both project and agency management with data on relevant risks and impacts that can guide project decisions. * Ensuring that projects that have been rebaselined report cost and schedule growth from original baselines in order to provide stakeholders with a more accurate view of project performance and to enhance accountability. * Ensuring that long-term human spaceflight projects' costs are understood. Specifically, long-term cost estimates for the SLS and Orion projects, which currently have estimates through only the first test flight, would provide decision makers with an informed understanding of the agency's plans going forward. Our ongoing work assessing the SLS project, the development of JWST, and the performance of the portfolio as a whole will provide insight into how well NASA is performing over the next several years. GAO Contact: For additional information about this high-risk area, contact Cristina T. Chaplain at (202) 512-4841 or chaplainc@gao.gov. Related GAO Products: James Webb Space Telescope: Project Facing Increased Schedule Risk with Significant Work Remaining. [hyperlink, http://www.gao.gov/products/GAO-15-100]. Washington, D.C.: December 15, 2014: Space Launch System: Resources Need to be Matched to Requirements to Decrease Risk and Support Long Term Affordability. [hyperlink, http://www.gao.gov/products/GAO-14-631]. Washington, D.C.: July 23, 2014. NASA: Actions Needed to Improve Transparency and Assess Long-Term Affordability of Human Exploration Programs. [hyperlink, http://www.gao.gov/products/GAO-14-385]. Washington, D.C.: May 8, 2014. NASA: Assessments of Selected Large-Scale Projects. [hyperlink, http://www.gao.gov/products/GAO-14-338SP]. Washington, D.C: April 15, 2014. James Webb Space Telescope: Project Meeting Commitments but Current Technical, Cost, and Schedule Challenges Could Affect Continued Progress. [hyperlink, http://www.gao.gov/products/GAO-14-72]. Washington, D.C.: January 8, 2014. NASA: Assessments of Selected Large-Scale Projects. [hyperlink, http://www.gao.gov/products/GAO-13-276SP]. Washington, D.C.: April 17, 2013. [End of section] Enforcement of Tax Laws: Why Area Is High Risk: Internal Revenue Service (IRS) enforcement of the tax laws helps fund the U.S. government. IRS enforcement collects revenue from noncompliant taxpayers and, perhaps more importantly, promotes voluntary compliance by giving taxpayers confidence that others are paying their fair share. IRS last estimated (in 2012) that the gross tax gap--the difference between taxes owed and taxes paid on time--was $450 billion for tax year 2006. For a portion of the gap, IRS is able to identify the responsible taxpayers. The agency has estimated (in 2012) that it will collect $65 billion from these taxpayers through enforcement actions and late payments, leaving a net tax gap of $385 billion for tax year 2006. Given current and emerging risks, we are expanding the enforcement of tax laws high-risk area to include IRS's efforts to address tax refund fraud due to identity theft (IDT), which occurs when an identity thief files a fraudulent tax return using a legitimate taxpayer's identifying information and claims a refund. While acknowledging that the numbers are uncertain, IRS estimated paying about $5.8 billion in fraudulent IDT refunds while preventing $24.2 billion during the 2013 tax filing season. Since 2010, IRS's budget has been reduced by about 10 percent, and IRS enforcement performance and staffing levels have declined. What GAO Found: Figure: Enforcement of Tax Laws: [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Not Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] IRS has demonstrated leadership commitment toward addressing the tax gap. For example, IRS continues to research taxpayer noncompliance to better target taxpayer examinations. However, significant capacity challenges--such as reduced staffing and examination coverage in an environment of constrained budgets--and incomplete monitoring of enforcement program performance progress need to be addressed. Over the next two years, we will also assess IRS's progress in addressing IDT refund fraud against the High Risk List criteria. We will report this information in the 2017 High Risk Update. IRS has met the criterion of demonstrating a strong commitment to, and top leadership support for, improving tax compliance and addressing the tax gap. Some steps IRS has taken include the following: * Continuing to research the extent and causes of taxpayer noncompliance and using the results to revise examination programs. We have consistently stressed the importance of IRS conducting tax compliance research. * Extending a program to encourage taxpayers to voluntarily report their previously undisclosed foreign accounts and assets. IRS has collected over $6 billion since this program was initiated, and has implemented some of our recommendations on better managing the program. * Implementing provisions from the Foreign Account Tax Compliance Act (FATCA). Under FATCA, U.S. financial institutions and other entities are required to withhold a portion of certain payments made to foreign financial institutions, if those institutions have not entered into an agreement with IRS to report U.S. account holders' details to IRS. IRS has implemented some of our recommendations aimed at improving FATCA implementation. However, IRS's ability to implement these and other initiatives (such as those required by the Patient Protection and Affordable Care Act) and carry out ongoing enforcement programs could be challenged under an uncertain budgetary environment. As a result, IRS does not meet the criterion of having the capacity to demonstrate progress toward improving compliance and addressing the tax gap. From fiscal year 2010 to fiscal year 2015, IRS's budget declined by about 10 percent (about $1.2 billion). Likewise, staffing has declined: the number of full time equivalents provided for in the enacted fiscal year 2014 budget represented a decrease of 11 percent compared to actual full time equivalents in fiscal year 2010. Amidst such reductions, IRS's enforcement performance has declined, and IRS officials expect continued decline in fiscal year 2015. For example, IRS's expects a decline of 20 percent in the individual examination rate in fiscal year 2015 compared to its original target for 2014. Also, IRS has reduced or eliminated services, slowed information systems modernization projects, and substantially reduced employee training. IRS partially meets the criterion for having a corrective action plan to improve tax compliance and address the tax gap. Specifically, IRS has a high level strategic plan that discusses general approaches to make voluntary compliance easier for taxpayers and to ensure taxes owed are paid. However, in some areas, the plan does not include specific tactics for improving compliance, particularly in an environment of resource challenges. We have identified several areas that could help IRS improve its corrective action plan, including the following: * Better measure return on investment. IRS's declining budget environment and increased workload demands underscore the importance of IRS maximizing its resources in fulfilling its mission. Further refining of direct revenue return-on-investment (ROI) measures of its enforcement programs could improve how IRS allocates resources across its programs. In 2012, we made various recommendations advising IRS to make better use of ROI measures, subject to other considerations of tax administration, such as minimizing compliance costs and ensuring equitable treatment across different groups of taxpayers. IRS is taking steps to implement the recommendations. * Better leverage automated processes. Taking greater advantage of automated processes could enhance some IRS enforcement programs. For example, IRS does not routinely match the K-1 information return--on which partnerships and S corporations report income distributed to partners or shareholders--to income information on tax returns for partners and shareholders that are themselves partnerships and S corporations. Matching such information might provide another tool for detecting noncompliance by these types of entities. In 2014, we recommended that IRS test the feasibility of such matching. IRS stated it would consider studying such testing if resources become available, but in the interim would not implement the recommendation. Likewise, continuing to enhance automated taxpayer services, such as web services, could result in lower-cost methods of interacting with taxpayers. In 2013, we made various recommendations for IRS to improve web services provided to taxpayers; IRS is taking steps to implement the recommendations. * Improve enforcement data. More complete enforcement data could help IRS better allocate resources across programs. For example, IRS has limited information about the extent and nature of income misreporting by partnerships and S corporations, as well as about the effectiveness of its examinations in detecting such misreporting. Likewise, IRS does not separately track results of large partnerships examinations. Without such information, IRS cannot make fully-informed decisions about allocating resources to examining such entities. In 2013, we recommended IRS transcribe additional data from paper-filed individual tax returns (for example, on business income) to potentially improve how IRS determines whether to examine an individual tax return, which tax issues on the return should be examined, and what examination techniques should be used. IRS agreed to study the possible benefits of such transcription. In 2014, we made various recommendations on improving enforcement data related to partnerships and S corporations. IRS agreed with the recommendations, but said its ability to fully implement them depends on funding considerations. IRS partially meets the criterion of having a program to monitor corrective measures. As previously mentioned, IRS continues to research the extent of taxpayer noncompliance, and periodically estimates the voluntary compliance rate--the amount of tax for a given year that is paid on time. However, IRS does not adequately measure the impact of some specific compliance programs, such as the following: * Correspondence examinations. IRS does not have information to determine how its program of examining tax returns via correspondence affects the agency's broader strategic goals for compliance, taxpayer burden, and cost. Thus, it is not possible to tell whether the program is performing better or worse from one year to the next. In 2014, we made several recommendations related to monitoring program performance; IRS plans to take action on these recommendations. * Compliance Assurance Process. IRS does not fully assess the savings it achieves through its Compliance Assurance Process (CAP)--through which large corporate taxpayers and IRS agree on how to report tax issues before tax returns are filed. In 2013, we recommended that IRS track savings from CAP and develop a plan for reinvesting any savings to help insure the program is meeting its goals. Although IRS has taken steps to track savings by analyzing and comparing the workload inventory of account coordinators who handle CAP cases against team coordinators who handle non-CAP cases, it did not show how such a workload comparison proved savings from CAP. Nor has IRS developed a plan for reinvesting any savings. Without a plan for tracking savings and using the savings to increase audit coverage, IRS cannot be assured that the savings are effectively invested in either CAP or non- CAP taxpayers with high compliance risk. IRS has partially met the criterion of demonstrating progress in implementing corrective measures to improve compliance and reduce the tax gap. For example, as previously mentioned, IRS has collected more than $6 billion through its program to encourage taxpayers to voluntarily report their previously undisclosed foreign accounts and assets. However, for some initiatives, such as those related to FATCA, it is either too soon to measure results or IRS has not been able to demonstrate an effect on the tax gap. Given that the tax gap has been a persistent issue, demonstrating progress toward reducing it may require targeted legislative actions, including the following: * Math error authority. IRS has statutory authority--called math error authority--to correct certain errors, such as calculation mistakes or omitted or inconsistent entries, during tax return processing. Expanding such math error authority--which at various times we have suggested Congress consider--could help IRS correct additional errors before interest is owed by taxpayers and avoid burdensome audits. * Enhanced electronic filing. Requiring additional taxpayers to electronically file tax and information returns could help IRS improve compliance in a resource-efficient way. For example, in 2014, we suggested Congress consider expanding the mandate for partnerships and corporations to electronically file their tax returns, as this could help IRS reduce return processing costs, select the most productive tax returns to examine, and examine fewer compliant taxpayers. * Additional information reporting. Taxpayers are much more likely to report their income accurately when the income is also reported to IRS by a third party. By matching information received from third-party payers with what payees report on their tax returns, IRS can detect income underreporting, including the failure to file a tax return. Currently, businesses must report payments for services made to unincorporated persons or businesses to IRS, but payments to corporations generally do not have to be reported. Taxpayers who rent out real estate are required to report expense payments for certain services to IRS, such as payments for property repairs, only if their rental activity is considered a trade or business. In 2008 and 2009, we suggested Congress consider expanding information reporting in these areas to increase payee reporting compliance. In 2010, the Joint Committee on Taxation estimated revenue increases for a 10-year period from third-party reporting of (1) rental real estate service payments to be $2.5 billion, and (2) service payments to corporations to be $3.4 billion. * Paid preparer regulation. Establishing requirements for paid tax return preparers could improve the accuracy of the tax returns they prepare. Given that they prepare approximately 60 percent of all tax returns filed, paid preparers have an enormous impact on IRS's ability to administer tax laws effectively. In limited studies, we found that some preparers have made significant errors. Based in part on our recommendation, in 2010, IRS initiated steps to regulate unenrolled preparers--those generally not subject to IRS regulation--through testing and education requirements; however, the courts ruled that IRS lacked such regulation authority. Although IRS has begun a voluntary program to recognize unenrolled preparers who complete continuing education and testing requirements, mandating these requirements could have a greater impact on tax compliance. In 2014, we suggested Congress consider granting IRS the authority to regulate paid tax preparers, if it agrees that significant paid preparer errors exist. * Tax reform and simplification. A broader opportunity to address the tax gap involves simplifying the Internal Revenue Code, as complexity can cause taxpayer confusion and provide opportunities to hide willful noncompliance. Fundamental tax reform could result in a smaller tax gap if the new system has fewer tax preferences or complex tax code provisions; such reform could reduce IRS's enforcement challenges and increase public confidence in the fairness of the tax system. Short of fundamental reform, targeted simplification opportunities exist. For example, changing tax laws to include more consistent definitions across tax provisions, such as which higher education expenses qualify for some of the savings and tax credit provisions in the tax code, could help taxpayers more easily understand and comply with their obligations. Enforcement of Tax Laws: Refund Fraud Related to Identity Theft: IRS has taken steps to address IDT refund fraud, such as recognizing the challenge of IDT refund fraud in its most recent strategic plan, allocating more than 3,000 employees to combat IDT refund fraud, and creating automated fraud filters to detect IDT and prevent fraudulent refunds. However, IDT refund fraud remains a persistent and evolving threat; IRS must do more to address the problem, or the risk of issuing fraudulent IDT refunds could grow. While there are no simple solutions to combating IDT refund fraud, we have identified various options that could help, some of which would require legislative action. Because some of these options represent a significant change to the tax system that could likely burden taxpayers and impose significant costs to IRS for systems changes, it is important for IRS to assess the relative costs and benefits of the options. This assessment will help ensure an informed discussion among IRS and relevant stakeholders--including Congress--on the best option (or set of options) for preventing IDT refund fraud. * Accelerate W-2 deadlines. Currently, wage information that employers report on Form W-2 (Wage and Tax Statement) is not available to IRS until after it issues most refunds. If IRS had access to W-2 data earlier, it could match such information to taxpayers' returns and identify discrepancies before issuing billions of dollars of fraudulent refunds. The Department of the Treasury (Treasury) has proposed that Congress accelerate W-2 deadlines to January 31. However, IRS has not fully assessed the impacts of this proposal, which could involve challenges such as a potential increase in W-2s that need to be corrected, required upgrades to IRS's information technology systems, and logistical challenges for the Social Security Administration (which processes W-2 data before transmitting it to IRS). Further, we found that pre-refund W-2 matching may require other policy changes, such as delaying refunds and the start of the filing season. In 2014, we recommended that IRS fully study the costs and benefits of accelerating W-2 deadlines and determine what other policy changes are needed; in November 2014, IRS reported that it had convened an internal working group to address our recommendations and that it anticipated implementing our recommendation by July 2015. * Increase electronic filing of W-2s. Increased electronic filing would allow IRS to obtain timely, accurate data from a significant number of additional employers and could further enhance the benefits IRS could obtain from the accelerated W-2 deadline and pre-refund W-2 matching. Treasury has requested authority to reduce the current, 250- return threshold for employers electronically filing information returns. In 2014, we suggested that Congress consider providing Treasury with the regulatory authority to lower the threshold for electronic filing of W-2s from 250 returns annually to between 5 to 10 returns, as appropriate. * Improve third-party partnership programs. IRS collaborates with financial institutions and other third parties to obtain valuable information about emerging IDT refund trends and fraudulent returns that have passed through IRS detection systems. However, IRS provides limited feedback on IDT refund leads that third parties submit, and offers limited general information on IDT refund fraud trends. As a result, third parties do not know if the leads they provide to IRS are useful. In 2014, we recommended that IRS provide information to third parties on the success of leads in identifying suspicious returns and emerging IDT trends. We also recommended that IRS develop metrics to track external leads by the submitting third party. According to IRS, the agency anticipates implementing our recommendations by November 2015. Over the next two years, we will assess IRS's progress in addressing IDT refund fraud against the High Risk List criteria and will report this information in the 2017 High Risk Update. What Remains to Be Done: In order to make progress in enforcing tax laws, IRS should implement our open recommendations--such as those discussed above--related to having a corrective action plan and monitoring measures for improving tax compliance and addressing the tax gap. These actions should also help IRS gauge progress in improving compliance and addressing the gap. Congress should also consider the legislative options we have suggested, as discussed above, to help IRS achieve progress. Additionally, given the capacity constraints IRS has faced, and may continue to face, it should develop a long-term strategy to address operations amidst an uncertain budget environment. The ongoing debate about tax reform also provides opportunities to consider the effect of tax simplification on taxpayer compliance and the tax gap. Similarly, with regard to IDT refund fraud, IRS should implement our open recommendations, discussed above, including those focused on assessing the costs and benefits of the various options for combating IDT refund fraud. The legislative options discussed above--and that we suggest Congress consider--could also provide IRS with additional tools to combat IDT refund fraud. GAO Contact: For additional information about this high-risk area, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov. Related GAO Products: Tax Filing Season: 2014 Performance Highlights the Need to Better Manage Taxpayer Service and Future Risks. [hyperlink, http://www.gao.gov/products/GAO-15-163]. December 16, 2014. Large Partnerships: With Growing Number of Partnerships, IRS Needs to Improve Audit Efficiency. [hyperlink, http://www.gao.gov/products/GAO-14-732]. September 18, 2014. Identity Theft: Additional Actions Could Help IRS Combat the Large, Evolving Threat of Refund Fraud. [hyperlink, http://www.gao.gov/products/GAO-14-633]. August 20, 2014. IRS 2015 Budget: Long-Term Strategy and Return on Investment Data Needed to Better Manage Budget Uncertainty and Set Priorities. [hyperlink, http://www.gao.gov/products/GAO-14-605]. June 12, 2014. IRS Correspondence Audits: Better Management Could Improve Tax Compliance and Reduce Taxpayer Burden. [hyperlink, http://www.gao.gov/products/GAO-14-479]. June 5, 2014. Partnerships and S Corporations: IRS Needs to Improve Information to Address Tax Noncompliance. [hyperlink, http://www.gao.gov/products/GAO-14-453]. May 14, 2014. Paid Tax Return Preparers: In a Limited Study, Preparers Made Significant Errors. [hyperlink, http://www.gao.gov/products/GAO-14-467T]. April 8, 2014. Corporate Tax Compliance: IRS Should Determine Whether Its Streamlined Corporate Audit Process Is Meeting Its Goals. [hyperlink, http://www.gao.gov/products/GAO-13-662]. August 22, 2013. Tax Administration: IRS Could Improve Examinations by Adopting Certain Research Program Practices. [hyperlink, http://www.gao.gov/products/GAO-13-480]. May 24, 2013. Offshore Tax Evasion: IRS Has Collected Billions of Dollars, but May be Missing Continued Evasion. [hyperlink, http://www.gao.gov/products/GAO-13-318]. March 27, 2013. [End of section] Improving and Modernizing Federal Disability Programs: Why Area Is High Risk: Federal disability programs across government remain fragmented and in need of modernization. Numerous federal programs provide a patchwork of services and supports to people with disabilities,[Footnote 225] and work independently without a unified vision and strategy or set of goals to guide their outcomes. Further, three of the largest disability benefit programs--managed by the Social Security Administration (SSA) and the Department of Veterans Affairs (VA)[Footnote 226]--rely on outdated criteria to determine whether individuals should qualify for benefits. Although SSA and VA have undertaken efforts to update their criteria, aspects of their programs continue to emphasize medical conditions when assessing an individual's ability to work without sufficient consideration of improvements offered by advances in medicine, technology, or changes in the modern work environment. Moreover, these programs may continue to face growing disability claims workloads resulting in part from individuals with disabilities leaving the workforce during a difficult economic recovery and from service members returning from war. These workload challenges are likely to persist, not withstanding SSA and VA efforts to process more claims. We designated improving and modernizing federal disability programs as high risk in 2003. What GAO Found: Figure: Improving and Modernizing Federal Disability Programs: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Since our 2013 update, the federal government's progress in improving and modernizing disability programs has been mixed. Our summary assessment of partially met for each of the five high-risk criteria reflects that some agencies met the criteria while others did not. When the ratings are combined, the resulting summary rating shows the criteria were partially met. Specifically, SSA and VA have taken concrete steps towards modernizing their disability criteria and managing their claims workloads, but less has been done by Office of Management and Budget (OMB) to reduce fragmentation across all federal programs and to establish government-wide goals. Programs with Unified Strategies and Goals (OMB): Figure: Improving and Modernizing Federal Disability Programs: [Refer to PDF for image: star illustration] Programs with Unified Strategies and Goals (OMB): Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Not Met; Demonstrated Progress: Partially Met. No Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Since our 2013 update, OMB--the focal point for management in the executive branch--has made some progress towards enhancing coordination across programs that support employment for people with disabilities, but it has not established a larger vision for disability programs that include appropriate government-wide goals and strategies for achieving those goals. OMB partially met our criterion for leadership commitment. Specifically, since our 2013 update, the administration has taken steps towards establishing government-wide goals to support employment of individuals with disabilities in the federal sector. The Department of Labor promulgated a final rule that set a goal for hiring by federal contractors.[Footnote 227] In response to our recommendation, the administration also launched a training course in July 2014 to help federal agencies hire, retain, and advance employees with disabilities. Further, OMB reported that it is participating in interagency efforts to develop shared definitions for the common measures required by the recently enacted Workforce Innovation and Opportunity Act, and that these shared measures will allow for greater coordination of job-training efforts across core programs under the Departments of Education and Labor. This progress notwithstanding, OMB has not taken steps toward establishing government-wide goals across all relevant agencies and programs that support employment of individuals with disabilities beyond the federal sector, although our past work on duplication and cost savings suggested that doing so could spur greater coordination and more efficient service delivery. Without government-wide goals, the success of efforts--such as coordinating job-training efforts across various agencies and programs or working with private sector employers--cannot be known or measured effectively. OMB partially met our criterion for building capacity for agency coordination by continuing to leverage the Domestic Policy and National Economic Councils. For instance, these entities, with the Office of the Vice President, led a review of effective components of job training efforts, culminating in a final report issued in July 2014 that identified actions needed to ensure that federally funded job training programs--including those that serve individuals with disabilities--are linked to employer needs and track outcomes. Additionally, the administration announced a new, multiple-agency initiative, "Curb Cuts to the Middle Class," that is focused in the near term on supporting efforts to increase employment of individuals with disabilities by federal contractors and in the federal sector. Finally, the administration coordinated a multi-agency initiative to provide services to improve education and employment outcomes for youth in order to reduce their reliance on Social Security disability benefits. As of December 2014, however, the administration's efforts omit meaningful coordination with programs at other agencies--notably VA and the Department of Defense--that provide key benefits and supports to individuals with disabilities. With respect to monitoring and demonstrating progress, OMB partially met our criteria. The administration continued to track--and has made some progress increasing--employment for people with disabilities at federal agencies. Specifically, the administration made consistent progress hiring individuals with disabilities between fiscal years 2010 and 2013, and has hired a total of approximately 70,000 individuals with disabilities as of fiscal year 2013--the most current year of publicly available data. However, the administration has yet to meet its goal of hiring 100,000 individuals with disabilities in the federal workforce over 5 years--a goal originally set forth by Executive Order 13163[Footnote 228] and reiterated by Executive Order 13548.[Footnote 229] Finally, OMB has not met our criterion for developing an action plan. The administration has yet to articulate specific plans for establishing measurable, government-wide goals that support employment for people with disabilities outside of the federal government. Updating Disability Benefit Eligibility Criteria (SSA): Figure: Improving and Modernizing Federal Disability Programs: [Refer to PDF for image: star illustration] Updating Disability Benefit Eligibility Criteria (SSA): Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Met; Demonstrated Progress: Partially Met. Two Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] SSA has taken steps on a number of fronts to update the disability criteria on which its benefit decisions are based. While the agency has developed plans to help ensure timely and ongoing updates to its criteria in the future, testing and development of some efforts are still underway and some related costs have yet to be determined. SSA met our criterion for leadership commitment. Specifically, SSA leadership has dedicated significant attention and resources on several fronts--updating medical criteria and occupational information, and studying how it might further consider assistive technology in making eligibility decisions--as described below. SSA partially met our criterion for capacity. With respect to updating medical criteria, since our 2013 update, SSA implemented our recommendation to identify and obtain additional resources needed to better ensure timely updates in accordance with its planned timetables. With respect to updating its occupational information, SSA replaced its earlier, highly ambitious plans with a potentially more cost-effective approach that makes use of existing expertise and resources in the federal government. Consistent with our recommendations, SSA (1) is partnering with the Bureau of Labor Statistics to collect and update occupational information through surveys, and (2) plans to work with the Institute of Medicine--under a contract with the National Academy of Sciences--to study how it might further incorporate the effect of assistive technologies and workplace accommodations into its determinations of individuals' ability to work. However, officials noted this research will not begin until late fiscal year 2015 or early fiscal year 2016. These efforts notwithstanding, it remains to be determined whether this additional capacity will be sufficient to achieve its goals. SSA partially met our criterion for action plans. As we reported in 2012, SSA has plans in place for updating its medical criteria-- through comprehensive and targeted reviews--on an ongoing basis. SSA is also moving forward with efforts to update its occupational information and, as of January 2015, has developed a project plan that identifies specific steps to be taken and related risks. However, SSA's plans do not include costs beyond 2015, even though we reported that estimating life-cycle costs--cost for the entire project--would help with management planning and decisions. Finally, SSA intends to further study the use of assistive technologies and workplace accommodations in its decision-making process, but does not plan to award a task order for this study until the summer of 2015. SSA met our criterion for monitoring. The agency has continually tracked its progress towards completing comprehensive and targeted reviews of its medical criteria over time. Moreover, SSA has in place, as of January 2015, a project plan, schedule, and work breakdown for monitoring progress against planned timeframes. SSA partially met our criterion for demonstrating progress. Since 2013, SSA reported progress updating its medical listing criteria, although it has had to extend target deadlines for publishing updates to several body systems. SSA also reported positive results from initial testing of its occupational information system. Nevertheless, key components of this update have not yet started or been fleshed out. For example, SSA expects in fiscal year 2015 to complete field testing of this effort and policy and process development by 2017. SSA also expects to begin developing an IT platform in 2015, but noted that progress in this area will depend upon funding. Finally, as noted above, SSA reported that research on the use of assistive technologies and workplace accommodations will not begin until late fiscal year 2015 or early fiscal year 2016. As such, it is too early to know the extent to which SSA's efforts on each front will ultimately be successful. We will continue to monitor the agency's progress. Updating Disability Benefit Eligibility Criteria (VA): Figure: Improving and Modernizing Federal Disability Programs: [Refer to PDF for image: star illustration] Updating Disability Benefit Eligibility Criteria (VA): Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] Beginning in 2009 and continuing after our 2013 update, VA has made progress in updating the criteria it uses for rating disability, and has developed project plans and identified resources to help ensure its efforts are successful. However, some of its plans have yet to be tested. VA leadership has dedicated significant attention and resources to completing an initial revision of its medical criteria and plans to keep them updated, as described below. As such, it met our criterion for leadership commitment for updating its disability eligibility criteria. VA partially met our criterion for building capacity. To conduct initial revisions of all body systems, the agency leveraged prior studies on earning loss, in-house medical officers and medical information, and input from targeted experts. VA also reported that it is evaluating plans to use contractors to conduct additional earnings loss studies in the future. Nevertheless, VA could further bolster its internal resources and plans for conducting future studies on the impact of impairments on earnings, for example by developing more in- house resources for conducting earnings loss analyses or establishing long-term partnerships with research organizations. We will continue to monitor VA's efforts toward making fact-based and timely revisions to the VA rating schedule. Regarding action plans, VA partially met our criterion. In August 2013, VA issued a project plan to ensure its medical criteria are updated on a regular basis. The plan calls for an initial revision of all body systems to be completed by December 2016. Thereafter, VA will stagger its review of the body systems to ensure that each body system is subject to review and possible revision at least every 10 years. VA updated this plan in June 2014 with additional steps designed to help ensure a smooth and timely implementation of these planned revisions. Specifically, this plan specifies the resources and processes to be used to make updates to guidance, training, and systems, and to assess the effect of proposed changes. In doing so, VA implemented our recommendations for establishing formal policies for updating its criteria at regular intervals and for developing a written implementation strategy. This progress notwithstanding, VA is still drafting proposed regulations that will update portions of its disability criteria and it is too early to tell if it will successfully implement recent revisions or sustain regular future revisions to its rating schedule. VA partially met our criterion for monitoring. Since 2009, the agency has tracked its progress completing updates of medical criteria and earnings information for different body systems. However, VA has only recently begun tracking progress against its August 2013 plan to ensure comprehensive updates by December 2016, and continuous updates every 10 years thereafter. VA partially met our criterion for demonstrated progress. VA has been conducting a systematic review of its ratings since 2009, which (as noted above) includes updating medical criteria for rating disabilities and consideration of earnings loss information. As of December 2014, VA reported it has drafted regulations covering 14 body systems, which have moved into VA's internal concurrence and review process, and is close to finishing work drafting regulations covering another body system. VA expects to issue these proposed regulations in fiscal year 2015 and final regulations in 2016, but the agency stated that further revisions may be needed depending on feedback received during the agency's concurrence process. We will continue to track VA's progress as it works to complete updates to its ratings. Managing Disability Claims Workload (SSA): Figure: Improving and Modernizing Federal Disability Programs: [Refer to PDF for image: star illustration] Managing Disability Claims Workload (SSA): Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] SSA has made a number of important steps towards managing its claims workload, improving the efficiency and capacity of its operations, and to be positioned to sustain them over the long term. However, its results have so far been mixed and the agency faces capacity challenges that may endanger its progress. Since our previous update, SSA appointed a chief strategic officer--in response to our past recommendation--responsible for coordinating agency-wide planning efforts, including those related to managing SSA's claims workload. Additionally, SSA leadership has dedicated significant effort and thought into planning and implementing efforts to reduce its claims backlogs. As such, SSA met our criterion for leadership commitment regarding its disability claims workload. Although SSA has implemented a number of measures to increase the efficiency of its claims workload, it has struggled with managing competing workloads using current staffing levels. Therefore SSA partially met our criterion for building capacity. Specifically, SSA improved capacity by: * expanding the use of IT tools to hearings and other offices, which the agency plans to use to efficiently promote consistency in claims processing and compliance with policies; * improving heath IT systems to more quickly obtain records and provide additional support to adjudicators; * fast-tracking certain claims that do not require extensive development; and: * providing additional assistance to offices that are having difficulty managing workloads for initial claims and appeals. SSA also reported gaining efficiencies at the appellate level by conducting more hearings through video-conferencing. However, resource constraints and delays in some key initiatives have the potential to counteract efficiency gains. For example, development of the Disability Case Processing System--which SSA expects will improve workflows and reduce administrative costs--is delayed and unlikely to be implemented on schedule. With respect to developing action plans, SSA partially met our criterion. To address its capacity and workload challenges, SSA is developing a human capital operating plan. In response to our recommendation, SSA is also developing a long-range strategic plan-- informed by key stakeholders--with the goal of integrating information technology, service delivery, and human capital plans. SSA anticipates releasing this plan along with the President's Budget for fiscal year 2016. While this effort is important and promising, its purpose is to establish a broad framework for improving SSA programs and it will fall to future plans to provide implementation details for any new service delivery models or operational efficiencies related to its disability programs. SSA met our criterion for monitoring, but only partially met our criterion for demonstrated progress. The agency has clear goals for claims processing and timeliness, and regularly tracks its performance. To its credit, SSA has consistently reduced the number of initial claims awaiting decision from 842,000 in fiscal year 2010 to 633,000 in fiscal year 2014. Additionally, SSA maintained its timeliness despite increased workloads for processing initial claims through fiscal year 2013--the most current year of publicly available data--exceeding its target of 109 days by two days. However, SSA's hearing wait times have increased over the past several years. This is due to SSA allocating relatively fewer resources to an increasing appeals workload. We will continue to monitor SSA's progress and whether the human capital and service delivery plans described above address these issues. Managing Disability Claims Workload (VA): Figure: Improving and Modernizing Federal Disability Programs: [Refer to PDF for image: star illustration] Managing Disability Claims Workload (VA): Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] VA has made notable progress managing its disability claims workload by taking concrete steps to build capacity, and developed action plans for addressing its backlog of claims. Nevertheless, the agency's workload has continued to increase--including at the appellate level-- and VA is still struggling to manage its appeals backlog. VA met our criterion for leadership commitment. VA leadership has made eliminating its disability claims backlog a priority goal for the agency. To this end, VA has developed plans and implemented a number of program improvements--as described below--to help address its claims and appeals backlogs. VA has taken a number of steps to build capacity; however, one key effort was short-term in nature and it is not clear whether the momentum generated by this will be sustainable over a longer period. As such, VA partially met our criterion for capacity. With respect to compensation claims, VA attributed its success in reducing its backlog in 2013 to a one-time effort to expedite claims for veterans who had waited over a year for a decision. Beyond this effort, VA has taken steps to build capacity through its people, processes and technology, including: * (people) implementing segmented claims lanes to match claims with dedicated claims processors based on their complexity or urgency; * (process) redistributing cases among offices to even out workloads; establishing the Fully Developed Claims Program to encourage submission of all evidence by veterans and their representatives; and: * (technology) implementing paperless claims processing across all regional offices to improve the efficiency and accuracy of its decisions; developing a national work queue to automatically route claims according to VA's priorities; and increasing online service options. At the appellate level, the agency reported hiring additional staff in 2013, holding more remote hearings by video, implementing checklists to ensure claims are ready to review, and triaging cases that need additional development. While such strategies can help address workload issues, claims are expected to continue to grow and ultimately increase workloads at the appellate level. As such, it remains to be seen whether capacity at both levels will be sufficient to keep pace with workloads. VA has developed plans to address its claims and appeal backlogs, but it only partially met our criterion for action plans because key aspects of the plans are tentative. VA published a plan to eliminate its backlog of claims in January 2013, addressing our prior recommendation. To date, VA has implemented several of the capacity improvements discussed in the plan, but continues to implement other efforts, such as further enhancements to its paperless claims system. VA also issued a preliminary plan in 2014 to address its appeals backlog. While this is a positive development, VA states some of the key recommendations identified in the plan will require Congressional action, while others lack timeframes for implementation. We will continue to monitor VA's planning efforts and to determine whether the agency has actionable plans. VA partially met our criterion for monitoring. VA has clear goals for processing claims and monitors them on an ongoing basis. However, VA's Inspector General recently raised concerns that VA may be overstating its progress in reducing its backlog by removing some older claims from its inventory that are still awaiting a final decision. Additionally, in its most recent (2014) Performance and Accountability Report, VA either stopped or noted intentions to stop reporting key performance measures from prior years, such as average times for processing claims and resolving appeals, thereby reducing the transparency of VA's progress. Since our 2013 update, VA has increased the timeliness of its claims decisions, but continues to struggle with its appeals backlog-- partially meeting our criterion for demonstrating progress. Notably, VA reported reducing its claims backlog by 61 percent from its peak of 611,000 in March 2013 to 239,000 in November 2014. Further, the percentage of claims that took longer than 125 days to process has declined in fiscal years 2013 and 2014. Nevertheless, according to VA officials, the average time to complete claims in 2014 was 229--well above the agency's goal of 125 days. Regarding appeals, VA officials reported that the agency is processing about 50 percent more appeals annually compared to four years ago. Nonetheless, the increase in appeals workload--commensurate with its claims decisions--has resulted in longer processing times for appealed cases. What Remains to Be Done: Continued planning, management focus, and coordination are needed to complete the work of modernizing federal disability programs: * Efforts undertaken by the administration and OMB to coordinate across federal employment programs are laudable, but limited with respect to the scope of the agencies and programs involved and their focus on people with disabilities. OMB needs a government-wide action plan that describes how federal agencies will improve coordination and set measurable goals that support employment for people with disabilities beyond the public sector. Such a plan should identify additional opportunities to build capacity and leverage existing government resources. Moreover, the administration should set and monitor employment goals for agencies and programs that support employment of individuals with disabilities beyond the federal sector. * With respect to modernizing disability criteria, SSA has demonstrated considerable progress, but will need to ensure that it has appropriate plans and maintains sufficient capacity to complete and regularly update occupational information in the future. To help ensure its success with these updates, SSA should fully implement our 2012 recommendation to develop a comprehensive and reliable cost estimate for the life cycle of the project. * VA also made progress updating its disability ratings, but has yet to finalize and implement initial revisions. VA's plans to conduct regular updates of its ratings every 10 years are relatively new and its plans to ensure sufficient capacity going forward are still in process. As such, it will take time to determine whether VA's efforts to date are sufficient. VA will need to continue to closely monitor its progress and to seek additional capacity as needed. * Regarding SSA's claims workload, increasing numbers of disability claims in light of budget constraints threaten to counteract the agency's progress. SSA must press forward with completing its long- term strategic plan, and implement the steps outlined in it--as well as those in its human capital plan--to ensure it has the capacity and resources needed to manage future workloads while making quality decisions. * Lastly, continued leadership focus is needed on VA's appeals backlog. Specifically, VA should continue to develop plans to reform and streamline its appeals process, and to accurately monitor its workload across components, including monitoring the effect that increased claims decisions have on appeals workloads. GAO Contact: For additional information about this high-risk area, contact Daniel Bertoni at (202) 512-7215 or bertonid@gao.gov. Related GAO Products: Veterans' Disability Benefits: Improvements Could Further Enhance Quality Assurance Efforts. [hyperlink, http://www.gao.gov/products/GAO-15-50]. Washington, D.C.: November 19, 2014. Social Security Disability Programs: SSA Could Take Steps to Improve Its Assessment of Continued Eligibility. [hyperlink, http://www.gao.gov/products/GAO-14-492T]. Washington, D.C.: April 9, 2014. VA Vocational Rehabilitation and Employment: Further Performance and Workload Management Improvements Are Needed. [hyperlink, http://www.gao.gov/products/GAO-14-61]. Washington, D.C.: January 14, 2014. Social Security Administration: Long-Term Strategy Needed to Address Key Management Challenges. [hyperlink, http://www.gao.gov/products/GAO-13-459]. Washington, D.C: May 29, 2013. Veterans' Disability Benefits: Timely Processing Remains a Daunting Challenge. [hyperlink, http://www.gao.gov/products/GAO-13-89]. Washington, D.C.: December 21, 2012. VA Disability Compensation: Actions Needed to Address Hurdles Facing Program Modernization. [hyperlink, http://www.gao.gov/products/GAO-12-846]. Washington, D.C.: September 10, 2012. Employment for People with Disabilities: Little Is Known about the Effectiveness of Fragmented and Overlapping Programs. [hyperlink, http://www.gao.gov/products/GAO-12-677]. Washington, D.C.: June 29, 2012. Modernizing SSA Disability Programs: Progress Made, but Key Efforts Warrant More Management Focus. [hyperlink, http://www.gao.gov/products/GAO-12-420]. Washington, D.C.: June 19, 2012. [End of section] Pension Benefit Guaranty Corporation Insurance Programs: Why Area Is High Risk: The Pension Benefit Guaranty Corporation's (PBGC) financial portfolio is one of the largest of any federal government corporation, with more than $89 billion in assets. However, PBGC's financial future is uncertain, due in part to a long-term decline in the number of traditional defined benefit plans. Through its single-employer and multiemployer insurance programs, PBGC insures the pension benefits of more than 41 million American workers and retirees who participate in nearly 24,000 private sector defined benefit plans. At the end of fiscal year 2014, PBGC's net accumulated financial deficit was $61.8 billion--an increase of over $26 billion from the end of fiscal year 2013--and PBGC estimated that its exposure to future losses for underfunded plans was $184 billion.[Footnote 230] This dramatic increase in PBGC's deficit was attributable to a crisis in the multiemployer program, the smaller of its two programs: Since 2013, the deficit in the multiemployer program, composed of about 1,400 plans, had increased by over 400 percent. Meanwhile, the financial position of the larger single-employer program, composed of about 22,300 plans, had improved in recent years, but still accounted for $19.3 billion of PBGC's overall deficit (see figure 11). We designated the single-employer program as high risk in July 2003, and added the multiemployer program in January 2009. Figure 11: PBGC's Net Financial Position of the Single-Employer and Multiemployer Programs Combined: [Refer to PDF for image: vertical bar graph] Fiscal year, at year end: 1990; Single-employer program: -$1.9 billion; Multiemployer program: $0.1 billion; Combined position: -$0.8 billion. Fiscal year, at year end: 1991; Single-employer program: -$2.5 billion; Multiemployer program: $0.2 billion; Combined position: -$2.3 billion. Fiscal year, at year end: 1992; Single-employer program: -$2.7 billion; Multiemployer program: $0.2 billion; Combined position: -$2.5 billion. Fiscal year, at year end: 1993; Single-employer program: -$2.9 billion; Multiemployer program: $0.3 billion; Combined position: -$2.6 billion. Fiscal year, at year end: 1994; Single-employer program: -$1.2 billion; Multiemployer program: $0.2 billion; Combined position: -$1.0 billion. Fiscal year, at year end: 1995; Single-employer program: -$0.3 billion; Multiemployer program: $0.2 billion; Combined position: -$0.1 billion. Fiscal year, at year end: 1996; Single-employer program: $0.9 billion; Multiemployer program: $0.1 billion; Combined position: $1.0 billion. Fiscal year, at year end: 1997; Single-employer program: $3.5 billion; Multiemployer program: $0.2 billion; Combined position: $3.7 billion. Fiscal year, at year end: 1998; Single-employer program: $5 billion; Multiemployer program: $0.3 billion; Combined position: $5.3 billion. Fiscal year, at year end: 1999; Single-employer program: $7 billion; Multiemployer program: $0.2 billion; Combined position: $7.2 billion. Fiscal year, at year end: 2000; Single-employer program: $9.7 billion; Multiemployer program: $0.3 billion; Combined position: $10.0 billion. Fiscal year, at year end: 2001; Single-employer program: $7.7 billion; Multiemployer program: $0.1 billion; Combined position: $7.8 billion. Fiscal year, at year end: 2002; Single-employer program: -$3.6 billion; Multiemployer program: $0.2 billion; Combined position: -$3.4 billion. Fiscal year, at year end: 2003; Single-employer program: -$11.2 billion; Multiemployer program: -$0.3 billion; Combined position: -$11.5 billion. Fiscal year, at year end: 2004; Single-employer program: -$23.3 billion; Multiemployer program: -$0.2 billion; Combined position: -$23.5 billion. Fiscal year, at year end: 2005; Single-employer program: -$22.8 billion; Multiemployer program: -$0.3 billion; Combined position: -$23.1 billion. Fiscal year, at year end: 2006; Single-employer program: -$18.1 billion; Multiemployer program: -$0.7 billion; Combined position: -$18.8 billion. Fiscal year, at year end: 2007; Single-employer program: -$13.1 billion; Multiemployer program: -$1 billion; Combined position: -$14.1 billion. Fiscal year, at year end: 2008; Single-employer program: -$10.7 billion; Multiemployer program: -$0.5 billion; Combined position: -$11.2 billion. Fiscal year, at year end: 2009; Single-employer program: -$21.1 billion; Multiemployer program: -$0.9 billion; Combined position: -$22.0 billion. Fiscal year, at year end: 2010; Single-employer program: -$21.6 billion; Multiemployer program: -$1.4 billion; Combined position: -$23.0 billion. Fiscal year, at year end: 2011; Single-employer program: -$23.3 billion; Multiemployer program: -$2.8 billion; Combined position: -$26.1 billion. Fiscal year, at year end: 2012; Single-employer program: -$29.1 billion; Multiemployer program: -$5.2 billion; Combined position: -$34.3 billion. Fiscal year, at year end: 2013 Single-employer program: -$27.4 billion; Multiemployer program: -$8.3 billion; Combined position: -$35.7 billion. Fiscal year, at year end: 2014 Single-employer program: -$19.3 billion; Multiemployer program: -$42.4 billion; Combined position: -$61.8 billion. Source: Pension Benefit Guaranty Corporation (PBGC). GAO-15-290. [End of figure] Various laws have been enacted to strengthen PBGC's financial position and governance. For instance, the Pension Protection Act of 2006 (PPA) strengthened pension funding requirements for plans,[Footnote 231] in 2012 the Moving Ahead for Progress in the 21st Century Act (MAP-21) included measures to increase premium rates and strengthen the PBGC board,[Footnote 232] and the Bipartisan Budget Act of 2013 increased premium rates again.[Footnote 233] More recently, the Highway and Transportation Funding Act of 2014 included a provision that has the effect of allowing companies to defer otherwise mandatory contributions to their defined benefit pension plans.[Footnote 234] To the extent that sponsors reduce contributions in the short term, they may increase plan underfunding and expose PBGC to greater risk. However, prompted by the dramatic increase in PBGC's deficit, the Multiemployer Pension Reform Act of 2014 (MPRA) was enacted in December 2014,[Footnote 235] with a number of provisions to enhance the long-term viability of the multiemployer program. What GAO Found: There is no rating for this high-risk area because addressing the issues in this area primarily involves congressional action, while the high-risk criteria and subsequent ratings were developed to reflect the status of agencies' actions and the additional steps they need to take. While PBGC faces a significant long-term challenge with its single- employer program, it faces an immediate and critical challenge with its multiemployer program. Prior to passage of MPRA, PBGC estimated that the multiemployer insurance program fund likely would be exhausted by 2022 as a result of current and projected plan insolvencies. In a 2013 report,[Footnote 236] we recommended that Congress consider comprehensive and balanced structural reforms to reinforce and stabilize the multiemployer system.[Footnote 237] MPRA's key provisions are responsive to concerns we raised in this report. Specifically, MPRA 1) provides severely underfunded plans, under certain conditions and with the approval of federal regulators, the option to reduce the retirement benefits of current retirees to avoid plan insolvency;[Footnote 238] 2) doubles the premiums paid by multiemployer plans (from $13 to $26);[Footnote 239] and 3) expands PBGC's ability to intervene when plans are in financial distress. [Footnote 240] According to PBGC officials, current estimates indicate that these changes will allow some plans to stay solvent and will reduce, by about half, the cumulative unmet need for financial assistance to multiemployer plans. However, PBGC officials also noted that the Act did not fully address the crisis in the multiemployer program and they predicted that the changes will only forestall insolvency of the program by an additional 2 years. Although the deficit for the larger single-employer program has been improving, PBGC continues to face long-standing funding challenges for that program, as well, due to an overall decline in the defined benefit pension system. While tens of thousands of companies continue to offer traditional defined benefit plans, the total number of plans have declined significantly, as has participation in those plans. Since 1985, there has been a 79 percent decline in the number of plans insured by PBGC and more than 11 million fewer workers actively participating in these plans. As a result, PBGC's premium base has been eroding over time as fewer sponsors are paying premiums for fewer participants. Additionally, the structure of PBGC's premium rates--a key component of PBGC's funding--has long been another area of concern. Despite periodic increases in premium rates, which are set by law,[Footnote 241] the level of premiums has not kept pace with the risks that PBGC insures against. Moreover, plan underfunding is the only risk factor currently considered in determining a sponsor's premium rate. Since 2011, the administration has proposed legislative reforms that would authorize the PBGC board to adjust premiums and to explore designing a more risk-based premium structure. In 2012, we recommended that Congress consider authorizing a redesign of PBGC's premium structure to allow incorporation of additional risk factors, such as consideration of a sponsor's financial health. PBGC officials stated that they have continued efforts to enhance understanding of alternative premium structures by analyzing the limitations of the current system, and by modeling various alternative risk-based options. However, no legislation has incorporated additional risk factors into PBGC's premium structure. PBGC's governance structure is another area of weakness noted in several of our past reports. In particular, we have long recommended that the composition of PBGC's board--currently made up of the Secretaries of the Treasury, Commerce, and Labor--be expanded to include additional members with diverse backgrounds who possess knowledge and expertise useful to PBGC's mission. This recommendation has not been enacted into law, but MAP-21 included provisions to improve PBGC's governance by prescribing in greater detail the working relationships between its Board of Directors and its Inspector General, General Counsel, Advisory Committee, and Director.[Footnote 242] It also called for the National Academy of Public Administration (NAPA) to review PBGC's governance structure and to report on the ideal size and composition of its board.[Footnote 243] In its September 2013 report, NAPA recommended to Congress that, if the agency is provided greater responsibility over its policies, PBGC's board should be expanded.[Footnote 244] Furthermore, we have long emphasized that PBGC requires strong and stable leadership to ensure that it can meet its future financial challenges. Yet PBGC's leadership is once again in transition. The agency's longest serving director resigned in September 2014, after serving in the position for 4 years. A successor must be appointed by the President and confirmed by the Senate.[Footnote 245] In the interim, the agency is being led by an acting director. What Remains to Be Done: Although significant and positive steps have been taken by Congress and PBGC to strengthen the agency over the past 2 years, concerns related to the multiemployer program and challenges related to PBGC's funding structure and governance persist. While changes were made with passage of MPRA, PBGC officials believe the multiemployer program still is likely to be insolvent by the year 2024. Further, the premium structure for PBGC's single-employer program continues to result in rates that do not align with the risk the agency insures against and the effectiveness of PBGC's board remains hampered by its size and composition. Moreover, PBGC continues to face the ongoing threat of losses from the termination of underfunded plans, while grappling with a steady decline in the defined benefit pension system. With each passing year, fewer employers are sponsoring defined benefit plans and the sources of funds to finance future claims are becoming increasingly inadequate. As a result, PBGC's long-term financial future remains tenuous. To improve the long-term financial stability of both PBGC's insurance programs, Congress should consider: * authorizing a redesign of PBGC's single employer program premium structure to better align rates with sponsor risk; * adopting additional changes to PBGC's governance structure--in particular, expanding the composition of its board of directors; * strengthening funding requirements for plan sponsors as the economy improves; and: * working with PBGC to develop a strategy for funding PBGC claims over the long term, as the defined benefit pension system continues to decline. GAO Contact: For additional information about this high-risk area, contact Charles A. Jeszeck at (202) 512-7215 or jeszeckc@gao.gov. Related GAO Products: Pension Plan Valuation: Views on Using Multiple Measures to Offer a More Complete Financial Picture. [hyperlink, http://www.gao.gov/products/GAO-14-264]. Washington, D.C.: September 30, 2014. Private Pensions: Timely Action Needed to Address Impending Multiemployer Plan Insolvencies. [hyperlink, http://www.gao.gov/products/GAO-13-240]. Washington, D.C.: March 28, 2013. Private Pensions: Multiemployer Plans and PBGC Face Urgent Challenges. [hyperlink, http://www.gao.gov/products/GAO-13-428T]. Washington, D.C.: March 5, 2013. Pension Benefit Guaranty Corporation: Redesigned Premium Structure Could Better Align Rates with Risk from Plan Sponsors. [hyperlink, http://www.gao.gov/products/GAO-13-58]. Washington, D.C.: November 7, 2012. Pension Benefit Guaranty Corporation: Improvements Needed to Strengthen Governance Structure and Strategic Management. [hyperlink, http://www.gao.gov/products/GAO-11-182T]. Washington, D.C.: December 1, 2010. Private Pensions: Changes Needed to Better Protect Multiemployer Pension Benefits. [hyperlink, http://www.gao.gov/products/GAO-11-79]. Washington, D.C.: October 18, 2010. [End of section] Medicare Program: Current State of the Medicare Program: Overview of Medicare's Challenges: We designated Medicare as a high-risk program in 1990 due to its size, complexity, and susceptibility to mismanagement and improper payments. Addressing Medicare's short-term and long-term challenges is vitally important, not only for the millions of aged and disabled individuals who depend upon the program for health care coverage, but also for the families of these individuals who might otherwise bear the cost of their health care, the taxpayers who finance the program, and the health care providers who depend upon receiving fair compensation for their services. The aging of the population, coupled with the growth in per capita health care costs, will magnify these challenges over time. Therefore, continued close attention will be necessary to ensure that Medicare is sustainable for generations to come. Short-Term Challenges: Medicare is a high-risk program, in part because its substantial size and scope results in the current program having wide ranging effects on beneficiaries, the health care sector, and the overall U.S. economy. In 2014, Medicare was projected to spend $603 billion and provide health care coverage to over 50 million beneficiaries. Medicare pays about two-thirds of the health care costs of beneficiaries who do not reside in institutions.[Footnote 246] Hundreds of thousands of health care providers and suppliers-- including private health plans, physicians, hospitals, skilled nursing facilities (SNF), durable medical equipment (DME) suppliers, ambulance providers, and many others receive payments from Medicare. Every year, Medicare pays over a billion claims submitted by these health care providers. The program currently accounts for about 3.5 percent of the country's gross domestic product (GDP). Medicare also has an outsize effect on the federal budget. CBO projects that in fiscal year 2014, Medicare outlays will total more than is projected to be spent on defense ($594 billion) and about double federal spending on Medicaid ($305 billion). Medicare spending will account for approximately 17 percent of the approximately $3.5 trillion in federal outlays. Consequently, Medicare must be closely monitored because even relatively small changes can have large short-term effects in the aggregate. For example, Medicare provider payment rates that are set too high unnecessarily financially burden beneficiaries--through higher premiums and cost sharing--taxpayers, and the federal budget. Payment rates that are set too low may diminish providers' willingness to treat Medicare beneficiaries and adversely affect their access to appropriate, high-quality health care. Long-Term Challenges: Medicare also poses substantial long term financial challenges. Program spending is expected to increase significantly over time due to the growth in the number of beneficiaries and the increase in per capita health care costs. CBO projects that in just 10 years (2024) Medicare spending will reach nearly $1.1 trillion--far surpassing projected defense spending of $719 billion. The Medicare Trustees 2014 report found that, under the projected baseline assumptions, Medicare's share of GDP would rise to 5.6 percent by 2040. As Medicare spending grows disproportionately to other federal spending and the economy, it will put increasing pressure on the federal budget and tend to squeeze out spending for other programs. By 2088, Medicare spending could account for 6.9 percent or more of GDP. However, the Trustees have stated that Medicare spending projections, especially those stretching out over decades, are highly uncertain and cautioned that future Medicare spending could be substantially higher than indicated by the projected baseline estimates.[Footnote 247] In their 2014 report, they noted that some Medicare cost-reduction provisions may be difficult to sustain. For example, one set of Medicare provisions affecting many types of health care providers reduces annual payment rate updates to account for economy-wide productivity growth. However, the productivity growth rates historically achieved by health care providers have been lower than the economy-wide rates. If health care providers do not realize sufficiently high productivity growth and these cost-reduction measures are not sustained, Medicare projected spending could rise to 6 percent of GDP in 2040 and 8.4 percent in 2088, according to the Trustees. Another uncertainty is whether advances in medical technology will tend to slow or accelerate Medicare spending growth. Technological advances may enhance the ability of providers to diagnose, treat, or prevent health problems. Examples include new drugs, devices, procedures, and therapies, as well as new applications of existing technologies. Although new technologies may decrease or increase health care costs,[Footnote 248] in 2013 we reported that technological change had likely been the dominant cause (accounting for 36 to 55 percent) of the increases in overall U.S. health care per capita spending over the past several decades.[Footnote 249] It should be noted, however, that a complete assessment of health care spending for new technologies should also consider the associated value for individuals, often measured by improved health functioning; increased life expectancy; or improved economic productivity. In the past few years, the growth in Medicare spending, as well as health care spending in general, has slowed. The reasons for this slowdown are not entirely clear and it is uncertain whether the effect will be transitory or longer lasting. Nonetheless, Medicare's historical trends, the aging of the population, the uncertainties associated with recent reforms and the effects of advances in medical technology, all underscore the need for continued efforts to moderate spending growth while ensuring that beneficiaries have appropriate access to high quality health care. Achieving these goals will likely remain an important perennial challenge and require a continued sharp focus on the Medicare program. Highlights of Key Legislation and Significant Reform Efforts: In March 2010, the Patient Protection and Affordable Care Act (PPACA) was enacted,[Footnote 250] which among other things, makes numerous statutory changes to Medicare. CBO estimated that PPACA would reduce Medicare spending by about $400 billion over 10 years from fiscal year 2010 to fiscal year 2019. Major savings were expected from constraining annual payment updates to certain Medicare providers, tying Medicare Advantage (MA)--Medicare's private plan alternative to the original Medicare fee-for-service (FFS) program--maximum payment amounts to near or below FFS spending, reducing payments to hospitals that serve a large number of low-income patients (reflecting the expectation that PPACA's health insurance expansion provisions would result in far fewer uninsured hospital patients), creating an Independent Payment Advisory Board to recommend changes in Medicare payment rates when spending growth exceeds specified thresholds, and modifying the high-income threshold for adjusting beneficiary Part B premiums, among other changes. Some PPACA provisions sought to establish financial incentives for providers to increase the efficiency and quality of Medicare services, or to test new ways of achieving those goals. For example, PPACA required the establishment of a national, voluntary pilot program to bundle payments for physician, hospital, and post acute-care services to improve patient care and reduce spending. Another provision modified payments to hospitals that experience patient readmissions related to certain potentially preventable conditions. Certain PPACA payment changes seek to provide a strong financial incentive for health care providers to enhance productivity, improve efficiency, or otherwise reduce their costs per service. Several of PPACA's changes seek to implement value-based purchasing of health care and transform the program into one that encourages efficiency and quality, instead of simply compensating providers for the volume of health care services. It is too early to tell the extent to which such changes may help constrain Medicare spending over the long run. Future Medicare spending may also depend on changes in the rest of the health care system. For example, provisions of PPACA are designed to increase the number of individuals with health insurance and reduce the number of uninsured. In 2013, we found that Medicare beneficiaries who had continuous health insurance coverage before enrollment in Medicare reported being in better health in the 6 years after Medicare enrollment and, in the first year of Medicare coverage, had significantly lower Medicare spending.[Footnote 251] Thus, changes that may occur outside of Medicare could influence future program spending. Additional spending uncertainty stems from concerns raised by the Trustees, CBO, and the Office of the Actuary (OACT) about whether some of the Medicare cost-containment mechanisms included in PPACA, such as the provider productivity payment adjustment, can be sustained over the long term. CBO and OACT both produced alternative projections of future spending that assume that certain cost-containment mechanisms are not fully maintained over the long-term. Our Work Suggests the Need for Continued Attention in 5 Principal Areas: (1) Payments and Provider Incentives in Original Medicare: (2) Medicare Advantage and Other Medicare Health Plans: (3) Program Design Effects on Beneficiaries, Including those eligible for Medicaid: (4) Program Management: (5) Oversight of Patient Care and Safety. (1) Payments and Provider Incentives in Original Medicare: Currently, Medicare largely rewards the volume and complexity of health care services provided to beneficiaries, rather than the value of those services. This is beginning to change, as the Centers for Medicare & Medicaid Services (CMS) has implemented broad-based reforms to payment systems in the traditional Medicare FFS program. Many reforms have introduced financial incentives into payment structures to explicitly reward quality and efficiency. Important initiatives include steps toward transitioning Medicare's FFS physician payment system from one that rewards volume of services to one in which value-- as measured by quality and cost of care--is used to determine payment. As CMS progresses to full implementation of its value-based payment system, it will be important for the agency to use reliable quality and cost measures and methodological approaches that maximize the number of physicians for whom value can be determined. Hospital Payment Adjustments. The Inpatient Prospective Payment System (IPPS) streamlines how Medicare pays hospitals and gives hospitals an incentive to economize by paying a fixed amount, set in advance. Over time, however, numerous statutory provisions have been enacted that provide, grandfather, or extend additional payments to IPPS hospitals. These changes are intended to address characteristics of the hospital market such as challenges to rural hospitals, and the need to support Medicare-participating hospitals in certain markets. However, this piecemeal approach has had the cumulative effect of most hospitals receiving modifications and add-ons to the basic payment formula, which increases Medicare spending. As a result, 30 years after the IPPS was implemented, the way Medicare currently pays hospitals may no longer ensure that the goals of the payment system--cost control, efficiency, and access--are being met. Physician Feedback. CMS has also taken steps to help improve physician performance by providing them with annual feedback reports that compare their performance to the national average. We reported that physicians find that frequent feedback enables them to improve their performance more quickly. However, with only annual feedback from CMS, physicians may be missing an opportunity to improve their performance on a more frequent basis. While CMS officials cited concerns about the time it would take to generate more frequent feedback reports, with physicians' continued adoption of advanced data reporting technology, CMS may eventually be able to generate reports more frequently. Physician Self-referral. Our work has identified opportunities for CMS to introduce additional payment method refinements and controls in Medicare FFS to encourage appropriate use of services. For example, self-referral--when a provider refers patients to entities in which the provider or the provider's family members have a financial interest--continues to be a concern in relation to the rapid growth of Medicare FFS expenditures. In recent years, we found that certain services--including diagnostic imaging, certain cancer treatments, and diagnostic pathology services--performed by self-referring groups have increased dramatically. For one particularly costly prostate cancer treatment, these services have increased even though there are multiple effective, less costly treatment options available. Until CMS takes steps to monitor physician self referral for these costly services, the Medicare FFS program and its beneficiaries will continue to be at risk for these rapid increases in expenditures. High-expenditure Part B Drugs. In 2012, we found that 55 drugs accounted for about 85 percent of all Medicare spending on Part B drugs. The number of Medicare beneficiaries who received each of these drugs in 2010 ranged from 15.2 million receiving the influenza vaccines to 660 hemophilia A patients receiving a group of biologicals with the largest average annual cost per beneficiary--$217,000. Most of the 55 drugs increased in expenditures, prices, and average annual cost per beneficiary from 2008 to 2010, and the 5 drugs with the largest increase in expenditures also had the largest increase in the number of beneficiaries receiving each drug. CMS's challenge moving forward will be to ensure that beneficiaries continue to have appropriate access to Part B drugs while controlling costs for both beneficiaries and the Medicare program. End Stage Renal Disease (ESRD) Bundled Payments. CMS expanded the items and services included in its bundled payment rate for dialysis and related items and service in 2011 to improve the efficiency of these payments. However, the calculation was based on data that were four years old, and we found that utilization of these items and services actually decreased during that time period, resulting in Medicare overpaying for dialysis care in 2011 by up to $880 million. As a result, in the American Taxpayer Relief Act of 2012 (ATRA), Congress revised the Medicare ESRD bundled payment. However, because utilization of these items and services will change over time, it is vital that their bundled payment rates are monitored periodically in order to accurately reflect the expected costs of beneficiaries' care to help ensure that any improvements in efficiency are not realized at the expense of beneficiaries' access to and quality of care. Low-volume Payment Adjustments. Medicare's payment adjustment for low- volume dialysis facilities is one of several modifications in Medicare's payment systems designed to help maintain beneficiaries' access to care. Low-volume providers in areas where other care options are limited may warrant higher payments, and CMS intended this low volume payment adjustment (LVPA) to encourage small dialysis facilities to continue operating in areas where beneficiary access might be jeopardized if such facilities closed. However, in 2013 we found that, as designed, the LVPA does not effectively achieve this goal because it does not target all relatively low-volume, high-cost facilities that are in areas where beneficiaries may lack other dialysis care options, and it targets some facilities that appeared unnecessary for ensuring access to dialysis, such as dialysis facilities located in close proximity to other facilities. (2) Medicare Advantage and Other Medicare Health Plans: Congress has taken a number of steps to introduce financial incentives to explicitly reward quality and efficiency in the MA program, but CMS has yet to take action to improve the accuracy of its payments to MA programs. For example, PPACA provided that MA plans with a quality rating of 4 or more stars--with 5 stars indicating the highest quality- -receive bonus payments, and required MA maximum payment amounts to be adjusted to near or below FFS spending. Moreover, in January 2013, Congress enacted ATRA, which increased the statutory minimum for the annual MA coding intensity adjustment in order to account for differences in diagnostic coding. CBO estimated that this change alone would save Medicare about $1.4 billion over 5 years. However, we have identified additional opportunities to make improvements to the accuracy of MA payments, such as through methodology adjustments to account for diagnostic coding differences between MA and FFS. MA Plan Payment Adjustments. Concerns remain about the discrepancy between FFS and MA payments because CMS has yet to improve the accuracy of the adjustment to account for excess payments due to differences in diagnostic coding. We have found that CMS's risk adjustment model--which uses one year's diagnoses to predict the following year's health care costs for each MA enrollee--has led to overpayments to MA organizations because of different diagnostic coding patterns between the FFS and MA programs. In 2012, we recommended that CMS take steps to improve the accuracy of its risk score adjustments by, for example, accounting for additional beneficiary characteristics such as sex, health status, and Medicaid enrollment status, as well as including the most recent data available. While CMS has implemented the statutory minimum for the annual MA coding adjustment mandated in ATRA, it has yet to update its methodology to more accurately account for differences in diagnostic coding, resulting in excess payments of at least $3.2 billion in 2013. CMS has taken steps to collect encounter data--information on the services and items furnished to enrollees--that are more comprehensive than the beneficiary diagnosis data the agency currently uses to risk adjust payments to MA organizations, and has reported that it will use these data in calculating risk adjustments. However, CMS has not fully developed plans for validating and using MA encounter data. We recommended that CMS fully validate the MA encounter data it is collecting before using these data for payment purposes. Excess Payments to Special Needs Plans. Members of Congress and others have raised concerns about the profit margins of certain plans within the MA program that serve specific populations, such as those with specific chronic conditions--known as special needs plans (SNP). Payments to MA organizations are based, in part, on the projected expenses and profits that MA organizations submit to CMS, and we found that in recent years, SNPs have reported profits much higher than they had projected. These higher-than-projected profits were due primarily to higher-than-projected revenues from Medicare. Therefore, if MA organizations had more accurately projected both their revenues and expenses, they would have, on average, been able to provide beneficiaries with additional benefits or cost-sharing reductions, and still maintain the level of profits projected. (3) Program Design Effects on Beneficiaries, Including those eligible for Medicaid: The Medicare Trustees have reported that the levels of beneficiary premiums and general revenues required to finance projected spending for supplementary medical services will impose a significant burden on Medicare beneficiaries and the U.S. economy over time. Because most Medicare beneficiaries pay their Part B premium by having it withheld from their monthly Social Security benefits, and growth in Medicare premiums and cost sharing has outpaced growth in Social Security benefits, beneficiaries and their families may increasingly need to draw on other income or resources to help pay for necessary medical care. Moving forward, it will be important to find approaches that help avert or mitigate this growing financial burden, particularly for those beneficiaries with high health care needs and few economic resources. For example, understanding how beneficiaries make medical decisions, and what information would help them identify and use providers that efficiently deliver appropriate, high-quality care, could lead to savings for both beneficiaries and taxpayers. Care for Dual-eligible Beneficiaries. Recently, Congress and CMS have placed greater emphasis on the coordination and integration of Medicare and Medicaid benefits for dual-eligible beneficiaries--those eligible for both Medicare and Medicaid--to improve health care, increase efficiencies, and realize cost savings. For example, in 2011, CMS awarded contracts of up to $1 million to 15 states to design new models of care that integrate the two programs' benefits. Later in 2011, CMS announced a financial alignment demonstration that is intended to further integrate the programs' services. CMS expects that the demonstration will decrease incentives for cost shifting and increase care coordination, resulting in improved care for beneficiaries and savings to Medicare and Medicaid by reducing costly hospital and emergency room visits. While coordination between these two programs is important to ensuring dual-eligible beneficiaries receive quality care, we have found that it may not necessarily translate into cost savings for Medicare because (1) high-users of Medicare services are not generally the same individuals who are high-users of Medicaid services, and (2) states with high Medicaid expenditures do not seem to spend less on Medicare. These results suggest that CMS's expectations regarding the extent to which integration of benefits will produce savings through lower use of costly Medicare services may be optimistic. In addition, it is uncertain whether CMS and participating states will be able to improve quality without increasing overall program spending for disabled dual- eligible beneficiaries. Dual-eligible Special Needs Plans. CMS and Congress have also taken steps to coordinate care for those enrolled in special needs plans designed to target dual-eligible beneficiaries in order to increase benefit integration and care coordination. For example, PPACA established a type of dual-eligible special needs plan (D-SNP), referred to as a Fully Integrated Dual Eligible (FIDE) SNP, which is designed to integrate program benefits for dual-eligible beneficiaries through a single managed care organization. In addition, D-SNPs that meet certain performance and quality-based standards may seek CMS approval to offer benefits beyond what other MA plans offer if such benefits would help bridge the gap between Medicare and Medicaid covered services. However, we found that FIDE-SNPs often meet criteria for high quality but relatively few high-quality FIDE-SNPs actually serve disabled dual-eligible beneficiaries or report lower costs for Medicare services. In addition, moderately better health outcomes for disabled dual-eligible beneficiaries in D-SNPs do not necessarily translate into lower levels of costly Medicare services--that is, inpatient stays, readmissions, and emergency room visits. Access to Preventive Services. Over the past several years, researchers have found that certain preventive services are effective in early diagnosis or reduced prevalence of diseases that contribute to the growth in Medicare spending. To encourage beneficiary use, PPACA removed beneficiary cost-sharing requirements for many Medicare- covered preventive services. However, the use of preventive services could be improved by providing more information to both beneficiaries and providers. Furthermore, better use of preventive services is unlikely without appropriate Medicare coverage. Low use of some recommended services may result, in part, from limitations on which beneficiaries are covered or how frequently the service is covered. Conversely, the current absence of required cost sharing for certain services that are 100 percent paid by Medicare, but are not recommended, may contribute to the inappropriate use of those services. (4) Program Management: CMS has overcome some challenges in managing the Medicare program as it implemented some program improvements in recent years, including a competitive bidding program for durable medical equipment (DME), as well as improvements to its guidance and oversight of payment contracts. However, more could be done to improve CMS's management of the Medicare program. Competitive Bidding Program. We had previously reported that Medicare sometimes overpaid for DME items relative to other payers, and CMS subsequently began implementing a competitive bidding program for DME suppliers in 2009. We found that beneficiary access and satisfaction appeared stable in early assessments, and the competitive bidding program has led to savings. Continued monitoring of the competitive bidding program experience is important to determine the full effects it may have on Medicare beneficiaries and DME suppliers. In addition, recent changes such as the program's expansion into additional competitive bidding areas and the selection of the new contract suppliers for contracts beginning in 2014 will provide significant new data to further assess the impact of the program. Guidance and Oversight of Contracts. CMS has improved its overall guidance and oversight of contracts, an area where we found pervasive internal control weaknesses in 2009 that put billions of taxpayers' dollars at risk. Improvements include adding internal controls and testing the agency's review of contract payments and enhancing its policies and procedures for tracking, investigating, and resolving contract audit and evaluation findings. In addition, we found that CMS underestimated the volume of appeals in transitioning to new claims payment contractors, which led to claims-payment delays. In some cases, CMS was able to make midcourse adjustments by incorporating lessons learned, but unintended consequences such as this highlight the need for continued attention to this effort. (5) Oversight of Patient Care and Safety: CMS has made progress in improving the health and safety of millions of Medicare beneficiaries, which represent a significant portion of the U.S. population. In 2012, CMS reported that by implementing several recommendations from the Institute of Medicine, GAO, and members of Congress, the agency helped to ensure that Medicare beneficiaries experienced less pain while coping with chronic conditions, had fewer bed sores or pressure ulcers, and maintained their independence because restraints were used less frequently. However, improvements can still be made to CMS's oversight of patient care and safety. Clinical Data Registries. We identified key requirements that HHS could adopt in order to ensure that qualified clinical data registries (CDR)--which have the potential to improve the quality and efficiency of care for all Medicare beneficiaries by collecting extensive, standardized data and providing feedback to physicians on their performance based on their peers--actually improve the quality and efficiency of care that beneficiaries receive. For example, HHS can require CDRs to demonstrate improvements in key measures of quality and efficiency for its target population. HHS can also enhance the effect of qualified CDRs on quality and efficiency by taking steps to reduce barriers to their development by promoting the use of health information technology. Vulnerable Populations. For some of the most vulnerable Medicare beneficiaries--those in nursing homes and long term care hospitals (LTCH)--significant weaknesses remain in the oversight of the quality of care. Because of the substantial vulnerabilities of this population, it is important that oversight of the quality of care delivered by LTCHs is monitored and, if shortcomings are identified, action is promptly taken. For example, CMS has found that states have had difficulties meeting some of its standards for their nursing home complaint processes. In addition, we found several limitations in the oversight of LTCHs that are cause for concern, including weaknesses that affect the availability of data to oversee the quality of care and the ability of CMS to hold both state survey agencies and accrediting organizations accountable for their survey activities. What Remains To Be Done: Congress, HHS, and CMS have taken steps to improve the fiscal integrity of Medicare, and CMS has implemented some of our recommendations, such as improving monitoring of Medicare audit contractors and increasing the efficiency and effectiveness of inspections of Medicare participating facilities. However, continued federal improvements to the oversight of Medicare are warranted. We have a number of Matters for Congressional Consideration and recommendations to HHS and CMS for addressing Medicare payments, beneficiary use of services and quality of care, and physician incentive payments and profiling. Selected Key Matters for Congressional Consideration: * Self-referring Physicians. To increase beneficiaries' awareness of providers' financial interest in a particular treatment, Congress should consider directing the Secretary of Health and Human Services to require providers who self-refer intensity-modulated radiation therapy services to disclose to their patients that they have a financial interest in the service. * Beneficiary Use of Preventive Services. To further align Medicare beneficiary use of preventive services with U.S. Preventive Task Force recommendations, Congress may wish to consider requiring beneficiaries who receive services that the Task Force recommends against to share the cost, notwithstanding that cost sharing may not be required for beneficiaries with different characteristics or under different circumstances. Selected Key Recommendations to the Department of Health and Human Services and Centers for Medicare & Medicaid Services: * Feedback on Physician Performance. As CMS implements and refines its physician feedback and Value Modifier programs, to help ensure physicians can best use the feedback to improve their performance, the Administrator of CMS should consider disseminating performance reports more frequently than the current annual distribution--for example, semiannually. * ESRD Low Volume Payment Adjustments. To ensure that future LVPA payments are made only to eligible facilities and to rectify past overpayments, the Administrator of CMS should improve the timeliness and efficacy of CMS's monitoring regarding the extent to which Medicare contractors are determining LVPA eligibility correctly and promptly redetermining eligibility when all necessary data become available. * Medicare Advantage. To help ensure appropriate payments to MA plans, the Administrator of CMS should take steps to improve the accuracy of the adjustment made for differences in diagnostic coding practices between MA and Medicare FFS. Such steps could include, for example, accounting for additional beneficiary characteristics, including the most current data available, identifying and accounting for all years of coding differences that could affect the payment year for which an adjustment is made, and incorporating the trend of the impact of coding differences on risk scores. * Medicare Advantage Encounter Data. The Administrator of CMS should establish specific plans for using MA encounter data and thoroughly assess data completeness and accuracy before using the data to risk adjust payments or for other purposes. While in general agreement, HHS did not specify a date by which CMS will develop plans for all authorized uses of encounter data and did not commit to completing data validation before using the data for risk adjustment in 2015. * Quality Care for Vulnerable Populations. To increase the accountability of D-SNPs and ensure that CMS has the information it needs to determine whether these plans are providing the services needed by dual-eligible beneficiaries, especially those who are most vulnerable, the Administrator of CMS should conduct an evaluation of the extent to which D-SNPs have provided sufficient and appropriate care to the population they serve, and report the results in a timely manner. * Oversight of Long Term Care Hospitals. In order to improve CMS's oversight of survey activities at LTCHs, the Administrator of CMS should conduct traditional validation surveys at a sample of LTCHs each fiscal year and include an LTCH disparity rate--the extent to which an accredited organization has failed to cite one or more deficiencies during its routine survey that were later identified by a state survey agency during a traditional validation survey--in its annual financial report to Congress. GAO Contact: For additional information about this high-risk area, contact Kathleen King at (202) 512-7114 or kingk@gao.gov, or James Cosgrove at (202) 512-7114 or cosgrovej@gao.gov. Related GAO Products: Medicare Advantage Organizations: Actual Expenses and Profits Compared to Projections for 2005. [hyperlink, http://www.gao.gov/products/GAO-08-827R]. Washington, D.C.: June 24, 2008. Medicare Contracting Reform: Agency Has Made Progress with Implementation, but Contractors Have Not Met All Performance Standards. [hyperlink, http://www.gao.gov/products/GAO-10-71]. Washington, D.C.: March 25, 2010. Long-Term Care Hospitals: CMS Oversight Is Limited and Should Be Strengthened. [hyperlink, http://www.gao.gov/products/GAO-11-810]. Washington, D.C.: September 15, 2011. Medicare Advantage: CMS Should Improve the Accuracy of Risk Score Adjustments for Diagnostic Coding Practices. [hyperlink, http://www.gao.gov/products/GAO-12-51]. Washington, D.C.: January 12, 2012. Medicare: Use of Preventive Services Could Be Better Aligned with Clinical Recommendations. [hyperlink, http://www.gao.gov/products/GAO-12-81]. Washington, D.C.: January 18, 2012. Medicare Advantage: Quality Bonus Payment Demonstration Undermined by High Estimated Costs and Design Shortcomings. [hyperlink, http://www.gao.gov/products/GAO-12-409R]. Washington, D.C.: March 21, 2012. Medicare: Higher Use of Advanced Imaging Services by Providers Who Self-Refer Costing Medicare Millions. [hyperlink, http://www.gao.gov/products/GAO-12-966]. Washington, D.C.: September 28, 2012. Medicare: High-Expenditure Part B Drugs. [hyperlink, http://www.gao.gov/products/GAO-13-46R]. Washington, D.C.: October 12, 2012. Medicare Physician Payment: Private-Sector Initiatives Can Help Inform CMS Quality and Efficiency Incentive Efforts. [hyperlink, http://www.gao.gov/products/GAO-13-160. Washington, D.C.: December 26, 2012.] End-Stage Renal Disease: Reduction in Drug Utilization Suggests Bundled Payment Is Too High. [hyperlink, http://www.gao.gov/products/GAO-13-190R]. Washington, D.C.: December 7, 2012. Medicare Advantage: Substantial Excess Payments Underscore Need for CMS to Improve Accuracy of Risk Score Adjustments. [hyperlink, http://www.gao.gov/products/GAO-13-206]. Washington, D.C.: January 31, 2013. Patient Protection and Affordable Care Act: Effect on Long-Term Federal Budget Outlook Largely Depends on Whether Cost Containment Sustained. [hyperlink, http://www.gao.gov/products/GAO-13-281]. Washington, D.C.: January 31, 2013. End-Stage Renal Disease: CMS Should Improve Design and Strengthen Monitoring of Low-Volume Adjustment. [hyperlink, http://www.gao.gov/products/GAO-13-287]. Washington, D.C.: March 1, 2013. Medicare: Legislative Modifications Have Resulted in Payment Adjustments for Most Hospitals. [hyperlink, http://www.gao.gov/products/GAO-13-334]. Washington, D.C: April 17, 2013. Medicare: Action Needed to Address Higher Use of Anatomic Pathology Services by Providers Who Self-Refer. [hyperlink, http://www.gao.gov/products/GAO-13-445]. Washington, D.C.: June 24, 2013. Medicare: Higher Use of Costly Prostate Cancer Treatment by Providers Who Self-Refer Warrants Scrutiny. [hyperlink, http://www.gao.gov/products/GAO-13-525]. Washington, D.C.: July 19, 2013. Medicare: Information on Highest-Expenditure Part B Drugs. [hyperlink, http://www.gao.gov/products/GAO-13-739T]. Washington, D.C.: June 28, 2013. Medicare: Continuous Insurance before Enrollment Associated with Better Health and Lower Program Spending. [hyperlink, http://www.gao.gov/products/GAO-14-53]. Washington, D.C.: December 17, 2013. Clinical Data Registries: HHS Could Improve Medicare Quality and Efficiency through Key Requirements and Oversight. [hyperlink, http://www.gao.gov/products/GAO-14-75]. Washington, D.C.: December 16, 2013. Medicare Advantage: 2011 Profits Similar to Projections for Most Plans, but Higher for Plans with Specific Eligibility Requirements. [hyperlink, http://www.gao.gov/products/GAO-14-148]. Washington, D.C.: December 19, 2013. Medicare: Second Year Update for CMS's Durable Medical Equipment Competitive Bidding Program Round 1 Rebid. [hyperlink, http://www.gao.gov/products/GAO-14-156]. Washington, D.C.: March 7, 2014. Medicare Physical Therapy: Self-Referring Providers Generally Referred More Beneficiaries but Fewer Services per Beneficiary. [hyperlink, http://www.gao.gov/products/GAO-14-270]. Washington, D.C.: April 30, 2014. Medicare: Certain Physician Feedback Reporting Practices of Private Entities Could Improve CMS's Efforts. [hyperlink, http://www.gao.gov/products/GAO-14-279]. Washington, D.C.: March 26, 2014. Disabled Dual-Eligible Beneficiaries: Integration of Medicare and Medicaid Benefits May Not Lead to Expected Medicare Savings. [hyperlink, http://www.gao.gov/products/GAO-14-523]. Washington, D.C.: August 29, 2014. Medicare Advantage: CMS Should Fully Develop Plans for Encounter Data and Assess Data Quality before Use. [hyperlink, http://www.gao.gov/products/GAO-14-571]. Washington, D.C.: July 31, 2014. [End of section] Medicare Improper Payments: Why Area Is High Risk: We designated Medicare as a high-risk program in 1990 due to its size, complexity, and susceptibility to mismanagement and improper payments. In 2014, Medicare financed health services for approximately 54 million elderly and disabled beneficiaries at a cost of $603 billion, and reported an estimated $60 billion in improper payments--payments that either were made in an incorrect amount or should not have been made at all. The Centers for Medicare & Medicaid Services (CMS), which administers Medicare for the Department of Health and Human Services (HHS), is responsible for overseeing the program and safeguarding it from loss. Medicare spending has generally grown faster than the economy and, in the coming years, continued growth in the number of Medicare beneficiaries and program spending will create increasing challenges for the federal government. We have designated Medicare as a high-risk area for many years due to its size, complexity, and susceptibility to mismanagement and improper payments. While the majority of these factors are inherent to the Medicare program's design, the agency can continue to take actions to prevent or reduce improper payments. Thus, given the importance of sustained Medicare integrity to protecting federal dollars, we are focusing this high- risk rating and assessment on CMS's efforts to reduce Medicare improper payments. The broader challenges and risks associated with the Medicare program are discussed separately. What GAO Found: Figure: Medicare Program: Medicare Improper Payments; [Refer to PDF for image: star illustration] Leadership Commitment: Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. One Criterion has been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] CMS has met our leadership commitment criterion and partially met each of the other criteria for removing Medicare improper payments from the High Risk List, but more needs to be done to fully meet our criteria. For example, CMS has demonstrated leadership commitment by taking actions such as strengthening provider and supplier enrollment provisions, and improving its prepayment and postpayment claims review process in the fee-for-service (FFS) program.[Footnote 252] However, all parts of the Medicare program are on the Office of Management and Budget's list of high-error programs, suggesting additional actions are needed. By implementing our open recommendations, CMS may be able to reduce improper payments and progress towards fulfilling the four outstanding criteria to remove Medicare improper payments from our high-risk list. For example, CMS could establish core elements for provider and supplier compliance programs; ensure that the database used to track Recovery Auditors' (RA) activities includes complete and accurate data; and address the identity theft risks associated with having Social Security numbers on Medicare beneficiaries' health insurance cards. Leadership Commitment: CMS has met our criterion for demonstrating strong commitment to--and top leadership support for--reducing the incidence of improper payments in the Medicare program. HHS has continued to designate "strengthened program integrity through improper payment reduction and fighting fraud" as an HHS strategic priority and, through its dedicated Center for Program Integrity, CMS has taken multiple actions to improve in this area. For example, CMS: * centralized the development and implementation of automated edits-- prepayment controls used to deny Medicare claims that should not be paid--based on a type of national policy called national coverage determinations, which will help ensure greater consistency in paying only those claims that are consistent with national policies; * awarded a contract to a Federal Bureau of Investigation-approved contractor that will enable the agency to conduct fingerprint-based criminal history checks of high-risk providers and suppliers. Capacity: CMS's ability to maintain ongoing improper payment prevention and recovery activities, and to implement recommended initiatives to further address weaknesses could be challenged in an uncertain budgetary environment. As a result, CMS partially meets our criterion of having the capacity to demonstrate progress toward reducing improper payments in the Medicare program. For example, CMS officials told us the agency was able to limit the effects of the fiscal year 2013 sequestration, which slightly reduced funding for the Medicare integrity program, but could have difficulty responding to similar changes should they occur in future years. The Medicare integrity program--along with other activities to detect, prevent, and combat factors that contribute to improper payments--is funded through the Health Care Fraud and Abuse Control (HCFAC) program. In fiscal year 2015, Congress provided more than double the prior year's discretionary Medicare integrity funding. While the funding increase will greatly help CMS implement planned initiatives to protect Medicare dollars, sustained funding will be needed to maintain advances. CMS experienced less favorable funding in prior years, including a 6 percent decline in discretionary Medicare integrity funding from fiscal year 2011 to 2014. This drop indicates an uncertain budgetary environment. This is all the more reason for CMS to take advantage of new funding and maximize the impact of effective practices already underway by implementing our recommendations. These practices include requiring contractors to share information with each other about the underlying policies and savings related to their most effective edits. Action Plan: CMS has partially met our action plan criterion. Specifically, CMS has action plans that define root causes and steps to reduce improper payments in each part of Medicare. However, it has yet to address some problems including those where we have recommended changes. HHS reports progress on corrective actions related to improper payments in its annual Agency Financial Report. For example, in its 2014 report, HHS reported on corrective actions CMS took related to administrative, documentation, authentication, and medical necessity errors in the Medicare FFS program. However, CMS has yet to implement all of the recommendations we made which could reduce improper payments, nor taken related actions authorized by the Patient Protection and Affordable Care Act (PPACA).[Footnote 253] For example CMS has not: * required surety bonds--a three-party agreement in which a company, known as a surety, agrees to compensate the bondholder if the bond purchaser fails to keep a specified promise--for certain providers and suppliers, as authorized under PPACA; * required contractors to share information with each other about the underlying policies and savings related to their most effective edits; or: * taken actions to address the identity theft risks associated with Medicare beneficiaries' health insurance cards, which display beneficiaries' Social Security numbers. Monitoring: CMS has partially met our criterion for monitoring and independently validating the effectiveness of corrective measures. For example, CMS continues to improve certain prepayment and postpayment controls. However, there are weaknesses in CMS's ability to monitor and measure the effectiveness of certain activities. For example, CMS has not developed performance measures for its contractors that investigate fraud--known as Zone Program Integrity Contractors--that we recommended would better ensure that CMS's fraud prevention activities are effective. Further, while CMS has taken steps to prevent its contractors from conducting inappropriate duplicative claims reviews, more needs to be done to monitor those activities. For example, CMS created a database to track RA activities, designed in part to prevent RAs, who conducted most of the postpayment reviews, from duplicating other contractors' reviews. However, the database was not designed to provide information on all possible duplication, and its data are unreliable because other postpayment contractors did not consistently enter information about their reviews. As a result, Medicare postpayment claims review efforts may not be as efficient and effective as they could be. Finally, we have identified challenges with HHS's ability to assess the effectiveness of the HCFAC program in combating factors that contribute to improper payments, such as fraud. Demonstrated Progress: CMS has demonstrated some progress, but the annually reported improper payment rates for Medicare remain unacceptably high. Medicare FFS, Part C, and Part D were included on the Office of Management and Budget's list of 13 high-error programs in fiscal years 2013 and 2014. In addition, while CMS's rates of improper payments for Part C (9 percent) and Part D (3.3 percent) in fiscal year 2014 met the agency's targets for that year (9 percent and 3.6 percent respectively), the estimated improper payment amounts remained high at more than $12 billion for Part C and nearly $2 billion for Part D. In addition, the rate of improper payments in Medicare FFS (12.7 percent) exceeded CMS's target rate of 9.9 percent for that year. Thus, further sustained progress is needed to reduce improper payments in Medicare. In addition, better control over payments and program integrity management--including contractor oversight--is needed before Medicare improper payments can fully meet our criterion for demonstrated progress and be removed from our high- risk list. As measured by the annually reported improper payment rates for Medicare FFS, Part C, and Part D, further sustained progress is needed. Congressional Action: To date, Congress has provided CMS with authorities through PPACA and continued discretionary funding to take action to reduce the extent of improper payments in the Medicare program. In addition, the House and Senate have held at least 13 hearings to identify additional improvements since February 2013. Going forward, continued congressional attention to addressing Medicare improper payments will be necessary to protect federal dollars. What Remains to Be Done: CMS has demonstrated effort to reduce improper payments in the Medicare program through the implementation of PPACA-authorized provider and supplier enrollment procedures and certain GAO recommendations. However, improper payment rates for Medicare FFS, Part C, and Part D remain unacceptably high. To achieve and demonstrate reductions to the amount of Medicare improper payments, CMS should fully exercise its PPACA authority related to strengthening its provider and supplier enrollment provisions and our open recommendations related to prepayment and postpayment claims review activities. It also should address program weaknesses that we've identified. In this uncertain budget environment, these actions should also help CMS maximize the effectiveness of important steps already taken and demonstrate progress towards its stated goal of reducing improper payments in the growing Medicare program. The following summarizes open recommendations and procedures authorized by PPACA that CMS should implement to make progress toward fulfilling the four outstanding criteria to remove Medicare improper payments from our high-risk list. CMS should: * require a surety bond for certain types of at-risk providers and suppliers; * publish a proposed rule for increased disclosures of prior actions taken against providers and suppliers enrolling or revalidating enrollment in Medicare, such as whether the provider or supplier has been subject to a payment suspension from a federal health care program; * establish core elements of compliance programs for providers and suppliers; * improve automated edits that identify services billed in medically unlikely amounts; * develop performance measures for the Zone Program Integrity Contractors who explicitly link their work to the agency's Medicare FFS program integrity performance measures and improper payment reduction goals; * reduce differences between contractor postpayment review requirements, when possible; * monitor the database used to track RA activities to ensure that all postpayment review contractors are submitting required data and that the data the database contains are accurate and complete; * require Medicare administrative contractors to share information about the underlying policies and savings related to their most effective edits; and: * efficiently and cost-effectively identify, design, develop, and implement an information technology solution that addresses the removal of Social Security numbers from Medicare beneficiaries' health insurance cards. GAO Contact: For additional information about this high-risk area, contact Kathleen King at (202) 512-7114 or kingk@gao.gov. Related GAO Products: Medicare Program Integrity: Increased Oversight and Guidance Could Improve Effectiveness and Efficiency of Postpayment Claims Reviews. [hyperlink, http://www.gao.gov/products/GAO-14-474]. Washington, D.C.: July 18, 2014. Medicare Fraud: Further Actions Needed to Address Fraud, Waste, and Abuse. [hyperlink, http://www.gao.gov/products/GAO-14-712T]. Washington, D.C.: June 25, 2014. Medicare: Further Action Could Improve Improper Payment Prevention and Recoupment Efforts. [hyperlink, http://www.gao.gov/products/GAO-14-619T]. Washington, D.C.: May 20, 2014. Medicare Program Integrity: Contractors Reported Generating Savings, but CMS Could Improve Its Oversight. [hyperlink, http://www.gao.gov/products/GAO-14-111]. Washington, D.C.: October 25, 2013. Health Care Fraud and Abuse Control Program: Indicators Provide Information on Program Accomplishments, but Assessing Program Effectiveness Is Difficult. [hyperlink, http://www.gao.gov/products/GAO-13-746]. Washington, D.C.: September 30, 2013. Medicare Information Technology: Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers from Cards. [hyperlink, http://www.gao.gov/products/GAO-13-761]. Washington, D.C.: September 10, 2013. Medicare Program Integrity: Increasing Consistency of Contractor Requirements May Improve Administrative Efficiency. [hyperlink, http://www.gao.gov/products/GAO-13-522]. Washington, D.C.: July 23, 2013. Medicare Program Integrity: Few Payments in 2011 Exceeded Limits under One Kind of Prepayment Control, but Reassessing Limits Could Be Helpful. [hyperlink, http://www.gao.gov/products/GAO-13-430]. Washington, D.C.: May 9, 2013. Medicare Program Integrity: Greater Prepayment Control Efforts Could Increase Savings and Better Ensure Proper Payment. [hyperlink, http://www.gao.gov/products/GAO-13-102]. Washington, D.C.: November 13, 2012. Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards. [hyperlink, http://www.gao.gov/products/GAO-12-831]. Washington, D.C.: August 1, 2012. [End of section] Medicaid Program: Current State of Medicaid Program: Overview of Medicaid's Challenges: We designated Medicaid as a high-risk program in 2003 due to its size, growth, diversity of programs, and concerns about the adequacy of fiscal oversight. Medicaid is one of the largest sources of funding for acute health care, long-term care, and other services for America's most vulnerable populations. This federal-state program covered an estimated 65 million low-income people in fiscal year 2014, and enrollment is growing under the Patient Protection and Affordable Care Act (PPACA). Medicaid is the second largest health program as measured by expenditures, second only to Medicare, and the largest as measured by enrollment. A significant pressure on federal and state budgets, estimated Medicaid outlays for fiscal year 2014 were $508 billion, of which $304 billion was financed by the federal government and $204 billion by the states.[Footnote 254] Medicaid allows significant flexibility for states to design and implement their programs, resulting in more than 50 distinct state- based programs. However, as a comprehensive health benefit program for vulnerable populations, each state Medicaid program, by law, must cover certain categories of individuals and provide a broad array of benefits. Populations covered include children in low-income families, and low-income individuals who are elderly, disabled, or are experiencing high medical needs. Medicaid's extensive benefit package includes coverage for acute care services, primary care services, long- term care services, and comprehensive screening and treatment services for children. Within these broad parameters, however, states administer their own programs, including making decisions regarding any health services or populations to cover beyond what are mandated by law, setting provider reimbursement rates, and operating state- specific data systems to enroll eligible beneficiaries and providers and to process and pay claims. This variability complicates oversight and has contributed to challenges in overseeing payments, financing, and access to quality care. Additional variability in state Medicaid programs also results from key Medicaid reform efforts that states may initiate. For example, under Section 1115 of the Social Security Act, the Secretary of Health and Human Services can approve waivers of traditional Medicaid requirements, and provide states with new spending authorities, for purposes of implementing Medicaid demonstration projects. The demonstrations under the law are for purposes of testing new ways to operate state programs and deliver services, and agency policy requires that the programs not increase federal costs. In the past, this authority was used by states to test, for example, whether efficiencies from managed care could help provide savings to cover otherwise ineligible populations. In recent years, many states have sought demonstrations for other purposes, such as providing long term services and supports in a managed care delivery system. Highlights of Significant Legislation and Key Reform Efforts: Medicaid enrollment and spending are growing under PPACA. The most significant change to Medicaid under PPACA is the option for states to expand Medicaid eligibility to non-Medicare eligible individuals under age 65--non-disabled adults without children, for example--with incomes up to 133 percent of the federal poverty level.[Footnote 255] States that choose to expand Medicaid receive 100 percent federal funding for this newly eligible population through 2016, phasing to 90 percent federal funding for 2020 and subsequent years. As of June 2014, 27 states elected to expand Medicaid eligibility under PPACA. CMS projects that federal spending for Medicaid will rise on average 7 percent per year between 2013 and 2020, as states expand coverage under the provisions of the PPACA (see figure 12). Figure 12: Growth Trends in Federal Spending by Eligibility Groups: [Refer to PDF for image: stacked line graph] Fiscal year: 2006; Aged: $37.745 million; Blind/Disabled: $72.060 million; Children: $30.212 million; Adults: $20.631 million. Fiscal year: 2007; Aged: $37.778 million; Blind/Disabled: $76.596 million; Children: $32.269 million; Adults: $21.707 million. Fiscal year: 2008; Aged: $40.341 million; Blind/Disabled: $81.354 million; Children: $33.821 million; Adults: $23.692 million. Fiscal year: 2009; Aged: $48.848 million; Blind/Disabled: $102.446 million; Children: $43.339 million; Adults: $31.896 million. Fiscal year: 2010; Aged: $50.466 million; Blind/Disabled: $110.983 million; Children: $47.731 million; Adults: $36.348 million. Fiscal year: 2011; Aged: $49.602 million; Blind/Disabled: $109.582 million; Children: $47.528 million; Adults: $38.025 million. Fiscal year: 2012; Aged: $45.640 million; Blind/Disabled: $96.156 million; Children: $44.591 million; Adults: $34.490 million. Fiscal year: 2013; Aged: $48.214 million; Blind/Disabled: $101.691 million; Children: $47.571 million; Adults: $36.906 million. Projected: Fiscal year: 2014; Aged: $51.125 million; Blind/Disabled: $109.334 million; Children: $53.522 million; Adults: $44.649 million; Newly Eligible Adults: $16.878 million. Fiscal year: 2015; Aged: $53.841 million; Blind/Disabled: $111.883 million; Children: $54.848 million; Adults: $47.500 million; Newly Eligible Adults: $31.141 million. Fiscal year: 2016; Aged: $57.658 million; Blind/Disabled: $116.868 million; Children: $58.218 million; Adults: $51.219 million; Newly Eligible Adults: $39.549 million. Fiscal year: 2017; Aged: $62.319 million; Blind/Disabled: $123.887 million; Children: $62.324 million; Adults: $54.942 million; Newly Eligible Adults: $42.625 million. Fiscal year: 2018; Aged: $67.611 million; Blind/Disabled: $131.814 million; Children: $66.696 million; Adults: $59.217 million; Newly Eligible Adults: $45.402 million. Fiscal year: 2019; Aged: $73.213 million; Blind/Disabled: $139.810 million; Children: $71.311 million; Adults: $63.670 million; Newly Eligible Adults: $48.013 million. Fiscal year: 2020; Aged: $79.196 million; Blind/Disabled: $148.201 million; Children: $76.252 million; Adults: $67.412 million; Newly Eligible Adults: $49.633 million. Fiscal year: 2021; Aged: $85.573 million; Blind/Disabled: $157.080 million; Children: $81.489 million; Adults: $71.834 million; Newly Eligible Adults: $52.210 million. Fiscal year: 2022; Aged: $92.384 million; Blind/Disabled: $166.402 million; Children: $87.104 million; Adults: $76.527 million; Newly Eligible Adults: $55.212 million. Source: 2013 Actuarial Report on the Financial Outlook for Medicaid (data not published). GAO-15-290. [End of figure] PPACA put a number of other mechanisms in place that will also affect the Medicaid program, including requiring state Medicaid programs to coordinate their eligibility and enrollment systems with state health insurance exchanges; reducing the funding available to pay hospitals that serve high proportions of low-income, uninsured populations; expanding options for providing home and community based long-term care services; and requiring new program integrity measures aimed at reducing waste, fraud, and abuse.[Footnote 256] Our Work Suggests the Need for Continued Attention in Six Principal Areas: The effects of unprecedented changes recently made to the Medicaid program will continue to emerge in the coming years and are likely to exacerbate the challenges and shortcomings that already exist in federal oversight and management of the program. A key challenge to federal oversight is the lack of accurate, reliable, and timely data at the federal level needed to oversee the diverse and complex state Medicaid programs. The need for data for oversight becomes even more important in light of the need to track new spending for newly eligible individuals for whom the states will receive 100 percent federal matching funds for several years. Our work to date illustrates the challenges and the need for improved federal oversight of Medicaid in six areas. (1) Monitoring and Measurement of Access to Quality Care: National survey data have suggested that access reported by Medicaid beneficiaries is comparable to that of individuals with private health insurance in many areas, but that Medicaid beneficiaries do face particular challenges in accessing certain types of care.[Footnote 257] Access to appropriate care has been a concern because of the needs and vulnerability of the individuals covered by Medicaid, including children, the elderly, and the disabled. Access to oral and mental health services. State Medicaid programs have struggled to ensure that beneficiaries, particularly children, receive appropriate oral health and mental health services when needed. High rates of dental diseases remain prevalent across the nation, especially in vulnerable and underserved populations. Medicaid beneficiaries, children in particular, have showed increases in the use of dental services but still visited the dentist less often than privately insured children. These visits are essential to preventing future high cost dental services. Medicaid children may also not be receiving appropriate mental health treatment and services. Access to providers of mental health services is not solely a problem for Medicaid children; however, children on Medicaid have additional issues regarding receipt of appropriate mental health services. For example, national survey data indicate concerns that children on Medicaid may be inappropriately prescribed psychotropic drugs and are not receiving needed mental health services, such as counseling and therapy. Access to preventive health services. Preventive health services can serve as a mechanism to promote better health and avoid high cost medical treatments in the future. The higher prevalence of some health conditions among Medicaid beneficiaries nationally that can be identified and managed by preventive services suggests that more can and should be done to ensure Medicaid beneficiaries receive these services. * States are required to provide preventive services for children through Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services. However, national data suggest that receipt of these services is below established goals, states have not properly reported the extent to which these services are provided as required, and data are lacking on whether treatments, to address conditions identified through screenings and checkups, are actually provided. * Federal law historically has not required states to cover preventive services for adults in Medicaid, and coverage of these services and access to them has varied across the states. PPACA required states to cover certain recommended preventive services for newly eligible adults in states that expand coverage under the law; preventive services for adults in Medicaid continue to be an optional benefit otherwise. For adults in Medicaid, PPACA provides incentives for states to cover recommended preventive services. Proper monitoring will require effective data systems. (2) Financing Structure and Transparency, Including Financing of the Program During Economic Downturns and Data Needed to Understand State Funding Sources: Medicaid financing is a joint responsibility of the federal government and the states. The federal government shares in the costs of state Medicaid payments using a Federal Medical Assistance Percentage (FMAP), a statutory formula based in part on each state's per capita income. States with lower per capita incomes receive higher matching rates. States are responsible for financing the non-federal share of their programs, and can use state general funds as well as other sources, such as taxes on health care providers and transfers of funds from local governments. Financing Structure. During economic downturns, states typically experienced increased Medicaid enrollment while their own revenues declined. Our work has found that past efforts to provide states with assistance during economic downturns--by increasing the FMAP formula-- were not as responsive to states' Medicaid needs as they could have been. In response to a mandate by Congress, we developed a prototype formula, which offers an automatic timely and targeted option for providing states with temporary assistance during national economic downturns.[Footnote 258] Transparency of State Funding Sources. States have increasingly relied on funds from sources other than state general funds to finance the non-federal share of their programs, such as health care provider taxes and funds transferred from local governments and local government health care providers. Although such sources are allowed under certain circumstances, the increased reliance on these sources has implications for federal spending and beneficiary access. Such sources can create incentives for states to overpay providers that contribute funds to the state for the non-federal share in order to reduce state obligations, and can result in cost shifts to the federal government. Also, it is unclear whether increased federal funding improves beneficiary access. CMS does not collect accurate and complete data on state sources of funds to finance the Medicaid program, which makes it difficult for CMS and federal policymakers to oversee the program and assess the need for and make changes. For example, it is difficult to determine whether increased reliance on providers and local government to fund the non-federal share primarily serves to provide fiscal relief to the state by increasing federal funding, or whether the increase in federal funding results in an increase in net payments to providers that in turn improves beneficiary access. (3) Spending Transparency and Payment Oversight, Including Understanding Spending Trends and Oversight of Payments to Institutional Providers: Under broad federal requirements, each state designs and operates its Medicaid program, including setting fee-for-service payment rates and paying qualified health care providers for covered services provided to Medicaid beneficiaries. The federal government shares in the cost of state payments. CMS is responsible for ensuring that state Medicaid payments are consistent with federal requirements, including requirements that Medicaid payments be economical and efficient. To oversee the program, CMS needs information on state spending as well as on payments states make to individual providers. Spending transparency. CMS's two primary data sets--the CMS-64, which aggregates states' expenditures, and the Medicaid Statistical Information System (MSIS), which is designed to report individual beneficiary claims data--have the potential to offer a robust view of payments and overall spending in the Medicaid program; however, their usefulness is limited because of issues with timeliness, completeness, and accuracy of the data. We identified inconsistent CMS guidance and state practices that resulted in differences between these two data sets that could not be quantified. We have also identified gaps in the data, for example, the lack of reporting of large supplemental payments that states often make. With timely, complete, and accurate data sets, CMS oversight would be enhanced, allowing for monitoring aggregate spending trends, per beneficiary spending growth, comparison of differences in provider payment levels, and cross-state comparisons of spending. Such capabilities would be useful and are needed to ensure the fiscal integrity of the program, facilitate efforts to manage program costs, and provide information needed for decision- making by CMS and Congress regarding program changes. Oversight of Medicaid Payments to Institutional Providers. Over the years, we and others have reported on payments that states have made to some institutional providers, such as hospitals and nursing facilities, which have raised questions. In particular, concerns have been raised about states making large supplemental Medicaid payments-- payments in addition to the fee-for-service payments made to providers for services they provided--often to government providers, such as local government and state operated hospitals and other health care facilities. States' supplemental payments that result in total Medicaid payments well in excess of a provider's costs raise questions about whether payments are consistent with the statutory requirement that payments be economical and efficient, and are actually for covered Medicaid services. Concerns have also been raised about higher regular, claims-based payments made to government facilities. (4) Managed Care Payment Oversight, Including Need for Better Data and Assurance that Payments are Actuarially Sound: Two thirds of Medicaid beneficiaries receive some of their services in a managed care delivery system, in which the state makes payments to managed care organizations (MCOs) for each beneficiary they enroll and cover. Total payments in fiscal year 2014 were an estimated $169 billion. The federal government provides federal funding for state payments made to MCOs for Medicaid beneficiaries enrolled. The MCOs bear some or all of the risk for the costs of providing or paying for contractually agreed-upon health care services for enrollees. Federal law requires that states collect encounter data--information on the services and treatments provided to enrollees--from MCOs and submit these data to CMS. States are also required to submit information on the methodology for determining actuarial soundness of MCO payment rates, including a description of the data used. CMS cannot ensure the quality of the data used to set MCO payment rates or whether states' rates are appropriate, and this lack of assurance places billions of federal and state dollars at risk for misspending. (5) Budget Neutrality of and Expansion of Federal Liability for New Costs in Large Medicaid Demonstrations: Section 1115 of the Social Security Act authorizes the Secretary of HHS to waive certain federal Medicaid requirements and allow costs that would not otherwise be eligible for federal matching funds for experimental, pilot, or demonstration projects that are likely to assist in promoting Medicaid objectives. The demonstrations provide a way for states to test and evaluate new approaches for delivering Medicaid services. In fiscal year 2014, an estimated $89 billion in federal funds was spent under these demonstrations. By policy, demonstrations should be budget neutral to the federal government; they must not increase federal costs. However, HHS has approved demonstration spending limits that were significantly higher than what was supported in the approval documentation. Budget Neutrality of Medicaid Demonstrations. Federal spending on Medicaid demonstrations could be reduced by billions of dollars if HHS were required to improve the process for reviewing, approving, and making transparent the basis for spending limits approved for Medicaid demonstrations. However, HHS continues to approve demonstrations that are not budget neutral.[Footnote 259] In 2013 Arkansas became the first state HHS approved to test whether providing premium assistance to purchase private coverage offered on the health insurance exchange will improve access for newly eligible Medicaid beneficiaries. HHS approved a spending limit for the demonstration that was based, in part, on hypothetical costs--significantly higher payment amounts the state assumed it would have to make to providers if it expanded coverage under the traditional Medicaid program. We estimated that, by including these costs, the 3-year, nearly $4 billion spending limit that HHS approved for the state's demonstration was approximately $778 million more than what the spending limit would have been if it was based on the state's actual payment rates for services under the traditional Medicaid program. Additional flexibility granted to Arkansas and 11 other states to increase the spending limit if costs proved higher than expected sets another precedent, further eroding the integrity of HHS's process. If, as it did with Arkansas, HHS allows states to use an approach to expanding Medicaid that is expected to cost more under expansion than the existing Medicaid program with fewer cost controls in place, there could be significant cost implications for the federal government. Our concerns with HHS's process and criteria are long-standing. In 2013 we reported that because HHS did not follow its budget neutrality policy in the approval of four state demonstrations, an estimated $32 billion with an estimated federal share of about $21 billion in excess spending was approved. Billions of dollars were approved through expenditure authorities for new payments beyond what states could have made under traditional Medicaid requirements. (6) Growing Expenditures for Long-Term Services and High Expenditure Beneficiaries: Medicaid is the nation's primary payer for long-term services and supports--with an estimated $126 billion in long term care expenditures in fiscal year 2014. The elderly and disabled are also among the highest cost Medicaid beneficiaries. Monitoring of Long Term Care Services Provided in the Community. While more than half of Medicaid long term care spending is for beneficiaries residing in institutions, spending has increased for services provided in the home and community based settings. In fiscal year 2011 about 45 percent of long term care spending was for Home and Community Based Services (HCBS), up from 32 percent in 2002. Transitioning thousands of beneficiaries from institutions to community settings will take time. Proper monitoring of these new programs and federal guidance and direction to states will prove essential. While community based long term care can improve beneficiary quality of life, better data and monitoring are needed to ensure that the services provided do not have a detrimental effect on health outcomes, and to ensure skilled providers are providing services commensurate with payments they receive. Eligibility for Nursing Home Care. Federal law includes provisions to discourage individuals from reducing their countable assets in order to establish financial eligibility for Medicaid nursing home coverage. However, methods exist through which individuals, sometimes with the help of attorneys, can reduce their countable assets and qualify for Medicaid nursing home coverage, for example, by transferring them to family members. Our recent work in selected states showed that some applicants had significant total resources--both countable and not countable--but most did not. Given the complexities involved in identifying applicants transferring assets, it may be reasonable for states to adhere to a risk-based approach and focus their eligibility determination efforts on applicants who appear to be more likely to have assets or to have transferred assets that would make them ineligible. High Expenditure Beneficiaries. Research on Medicaid has demonstrated that a small percentage of beneficiaries account for a disproportionately large share of Medicaid expenditures. Understanding states' expenditures for high-expenditure populations--both those dually eligible for Medicare and Medicaid, and those who are Medicaid- only--could enhance efforts to manage Medicaid expenditures. Emerging Issues: Under PPACA, states may choose to expand Medicaid to new adult populations and those that do so receive significant increases in federal funding. States in future years may also apply to waive certain health insurance exchange requirements, using a new demonstration authority established under PPACA. This, coupled with the demographic trends of an aging population, will create additional challenges and risks for overseeing the Medicaid program. Increased federal spending. Given the federal government is responsible for 100 percent of the costs of new beneficiaries eligible for Medicaid for several years as a result of the PPACA expansion, it is important that CMS have timely and accurate data to understand the basis for states' claims for federal reimbursement for new enrollees. Expanded demonstration authority. PPACA establishes a new type of waiver, state innovation waivers, which HHS may approve beginning in 2017. States may apply to waive certain health insurance exchange requirements established under PPACA and may seek approval of such a waiver in combination with a section 1115 demonstration. In addition to meeting other statutory requirements, state innovation waivers may not be approved unless it is determined they will not increase the federal deficit. Access to Care. The enrollment of a new demographic of individuals in Medicaid as a result of PPACA may change the demand for services, as well as require changes to the number and types of providers available under the Medicaid program. States and CMS will need to ensure that new beneficiaries, many of whom are likely to be enrolled in managed care, have access to providers with capacity to deliver necessary services. Increased Demand for Long-Term Care and Changes in Care Delivery. The continued trend of providing long-term care services in home and community settings, coupled with PPACA provisions providing states with more flexibility to provide HCBS and expanded benefits to those receiving HCBS, will increase the need for guidance and monitoring of these services. Ensuring appropriate eligibility for services--and receipt of quality services in the most appropriate location--will be important. What Remains To Be Done: We have a number of Matters for Congressional Consideration and recommendations to HHS and CMS for addressing some of these issues related to financing, payment oversight, demonstration spending, and access-related issues. Selected Key Matters for Congressional Consideration: * Medicaid Financing: To ensure that federal funding efficiently and effectively responds to the countercyclical nature of the Medicaid program, Congress may wish to consider enacting an FMAP formula that is targeted for variable state Medicaid needs and provides automatic, timely, and temporary increased FMAP assistance in response to national economic downturns. * Supplemental Payment Oversight: To improve the transparency of and accountability for certain high-risk Medicaid payments that annually total tens of billions of dollars, Congress may wish to consider requiring CMS to improve reporting of and guidance related to certain supplemental payments and to require states to submit annual independent audits of such payments. * Medicaid Demonstration Approval Process: To improve the fiscal integrity of Medicaid, Congress may wish to consider requiring increased attention to fiscal responsibility in the approval of Section 1115 Medicaid demonstrations by requiring the Secretary of HHS to improve the demonstration review process through steps such as (1) clarifying criteria for reviewing and approving states' proposed spending limits, (2) better ensuring that valid methods are used to demonstrate budget neutrality, and (3) documenting and making public material explaining the basis for any approvals. Selected Key Recommendations to the Department of Health and Human Services and Centers for Medicare & Medicaid Services: * Medicaid Demonstration Approval Process: To improve the transparency of the process for reviewing and approving spending limits for Section 1115 Medicaid demonstrations, we recommended that the Secretary of Health and Human Services update the agency's written budget neutrality policy to reflect actual criteria and processes used to develop and approve demonstration spending limits, and ensure the policy is readily available to state Medicaid directors and others. * Monitoring Children's Access to Quality Care: To improve oversight of children's receipt of needed services in Medicaid and CHIP, we recommended that the Administrator of CMS establish a plan to review information reported on children's receipt of services, ensure identified problems are corrected, and work with states on improving reporting for children in managed care and fee-for-service and for capturing information on children's receipt of needed treatment services, that is, treatments for which they are referred. GAO Contact: For additional information about this high-risk area, contact Katherine Iritani at (202) 512-7114 or iritanik@gao.gov, or Carolyn Yocom at (202) 512-7114 or yocomc@gao.gov. Related GAO Products: Medicaid Demonstrations: HHS's Approval Process for Arkansas's Medicaid Expansion Waiver Raises Cost Concerns. [hyperlink, http://www.gao.gov/products/GAO-14-689R]. Washington, D.C.: August 8, 2014. Medicaid Financing: States' Increased Reliance on Funds from Health Care Providers and Local Governments Warrants Improved CMS Data Collection. [hyperlink, http://www.gao.gov/products/GAO-14-627]. Washington, D.C.: July 29, 2014. Medicaid: Completed and Preliminary Work Indicates That Transparency around State Financing Methods and Payments to Providers Is Still Needed for Oversight. [hyperlink, http://www.gao.gov/products/GAO-14-817T]. Washington, D.C.: July 29, 2014. Medicaid: Assessment of Variation among States in Per-Enrollee Spending. Washington, D.C.: June 16, 2014. Medicaid Payment: Comparisons of Selected Services under Fee-for- Service, Managed Care, and Private Insurance. [hyperlink, http://www.gao.gov/products/GAO-14-533]. Washington, D.C.: July 15, 2014. Medicaid: Financial Characteristics of Approved Applicants and Methods Used to Reduce Assets to Qualify for Nursing Home Coverage. [hyperlink, http://www.gao.gov/products/GAO-14-473]. Washington, D.C.: May 22, 2014. Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures. [hyperlink, http://www.gao.gov/products/GAO-14-341]. Washington, D.C.: May 19, 2014. Medicaid: Demographics and Service Usage of Certain High-Expenditure Beneficiaries. [hyperlink, http://www.gao.gov/products/GAO-14-176]. Washington, D.C.: February 19, 2014. Medicaid: CMS Should Ensure That States Clearly Report Overpayments. [hyperlink, http://www.gao.gov/products/GAO-14-25]. Washington, D.C.: December 6, 2013. Medicaid: Use of Claims Data for Analysis of Provider Payment Rates. [hyperlink, http://www.gao.gov/products/GAO-14-56R]. Washington, D.C.: January 6, 2014. Medicaid Demonstration Waivers: Approval Process Raises Cost Concerns and Lacks Transparency. [hyperlink, http://www.gao.gov/products/GAO-13-384]. Washington, D.C.: June 25, 2013. Medicaid: States' Use of Managed Care. [hyperlink, http://www.gao.gov/products/GAO-12-872R]. Washington, D.C.: August 17, 2012. Medicaid: Alternative Measures Could Be Used to Allocate Funding More Equitably. [hyperlink, http://www.gao.gov/products/GAO-13-434]. Washington, D.C.: May 10, 2013. Medicaid: Data Sets Provide Inconsistent Picture of Expenditures. [hyperlink, http://www.gao.gov/products/GAO-13-47]. Washington, D.C.: October 29, 2012. Medicaid: Additional Enrollment and Expenditure Data for the Transitional Medical Assistance Program. [hyperlink, http://www.gao.gov/products/GAO-13-454R]. Washington, D.C.: March 15, 2013. Medicaid: Enrollment and Expenditures for Qualified Individual and Transitional Medical Assistance Programs. [hyperlink, http://www.gao.gov/products/GAO-13-177R]. Washington, D.C.: December 12, 2012. Medicaid Managed Care: Use of Limited Benefit Plans to Provide Mental Health Services and Efforts to Coordinate Care. [hyperlink, http://www.gao.gov/products/GAO-13-780]. Washington, D.C.: September 30, 2013. Medicaid: More Transparency of and Accountability for Supplemental Payments Are Needed. [hyperlink, http://www.gao.gov/products/GAO-13-48]. Washington, D.C.: November 26, 2012. Children's Mental Health: Concerns Remain about Appropriate Services for Children in Medicaid and Foster Care. [hyperlink, http://www.gao.gov/products/GAO-13-15]. Washington, D.C.: December 10, 2012. Medicaid: States Made Multiple Program Changes, and Beneficiaries Generally Reported Access Comparable to Private Insurance. [hyperlink, http://www.gao.gov/products/GAO-13-55]. Washington, D.C.: November 15, 2012. Medicaid: Federal Oversight of Payments and Program Integrity Needs Improvement. [hyperlink, http://www.gao.gov/products/GAO-12-674T]. Washington, D.C.: April 25, 2012. Medicaid: States Reported Billions More in Supplemental Payments in Recent Years. [hyperlink, http://www.gao.gov/products/GAO-12-694]. Washington, D.C.: Jul 20, 2012. Medicaid: States' Plans to Pursue New and Revised Options for Home-and Community-Based Services. [hyperlink, http://www.gao.gov/products/GAO-12-649]. Washington, D.C.: June 13, 2012. [End of section] Medicaid Improper Payments: Why Area Is High Risk: We designated Medicaid as a high-risk program in 2003 in part due to concerns about the adequacy of the fiscal oversight that is necessary to prevent inappropriate program spending. This federal and state program covered acute health care, long-term care, and other services for a projected 65 million low-income people in fiscal year 2014; it is one of the largest sources of funding for medical and health- related services for America's most vulnerable populations. Medicaid consists of over 50 distinct state-based programs. Using the Federal Medical Assistance Percentage, the federal government matches state expenditures for most Medicaid services. The program is a significant expenditure for the federal government and states, with total projected expenditures of $508 billion in fiscal year 2014. The size and diversity of the Medicaid program make it particularly vulnerable to improper payments--including payments made for people not eligible for Medicaid or made for services not actually provided. Improper payments are a significant cost, with the federal share estimated at $17.5 billion in fiscal year 2014. While states have the first-line responsibility for preventing improper payments, the Centers for Medicare & Medicaid Services (CMS) in the Department of Health and Human Services (HHS) has an important role in overseeing and supporting state efforts to reduce and recover improper payments. This high-risk assessment focuses solely on CMS's efforts to prevent and reduce improper payments. Medicaid vulnerabilities include more than improper payments, and the program underwent broader transformative changes in 2014 as a result of the Patient Protection and Affordable Care Act (PPACA). We discuss the broader challenges and risks associated with aspects of the Medicaid program other than improper payments separately (see page 366). What GAO Found: Figure: Medicaid Program: Medicaid Improper Payments; [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criterion have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] CMS has demonstrated some leadership commitment to reducing improper payments and has issued guidance to improve corrective actions taken by states. However, the overall improper payment rate increased to 6.7 percent in fiscal year 2014, compared to 5.8 percent in fiscal year 2013. CMS continues to face persistent challenges in reducing improper payments that will require additional leadership commitment and attention to capacity, action plans, monitoring, and demonstrated progress. For example, CMS needs continued leadership commitment to ensure that ongoing efforts--such as working with states to identify and collect improper payments--benefit from reliable data systems that effectively monitor the costs and benefits of actions taken to reduce improper payments. CMS also needs to address emerging areas where fundamental gaps in oversight capacity exist. For example, many Medicaid beneficiaries receive services under managed care, and states' use of managed care is expected to increase significantly over the next 5 years, yet CMS and states lack effective program integrity systems for care delivered by managed care organizations (MCO). Similarly, in 2012, approximately 13 percent of Medicaid enrollees had private health insurance and the number of Medicaid enrollees who also have private health insurance is expected to increase with the expansion of Medicaid. While the private insurer should pay before Medicaid does, there are challenges with ensuring this happens, and CMS has not implemented a robust ongoing effort to collect and share information about states' initiatives to identify Medicaid enrollees with private insurance. CMS continues to make the reduction of Medicaid improper payments a priority, but remaining gaps in oversight resulted in the agency partially meeting five key criteria for reducing improper payments. The program continues to grow in size and spending and, in 2022, is expected to cover as many as 18 million additional individuals as a result of PPACA. The federal government is responsible for more than 90 percent of the costs of newly eligible individuals, making it important that CMS effectively lead and assist states in reducing improper payments. Despite agency actions, gaps in oversight remain that will challenge CMS's ability to reduce the improper payment rate. * Leadership commitment. CMS partially met the criteria for leadership commitment, due to remaining weaknesses in the oversight of improper payments. CMS established an entity to focus on program integrity, which provides training and technical assistance to states on approaches to preventing improper payments and guidance to states on program integrity issues. However, additional leadership is needed to address remaining weaknesses in federal oversight, including ensuring complete, reliable, and timely data to support agency oversight and program integrity efforts. While CMS is currently undertaking a national effort to implement an enhanced claims data system to support, among other actions, program integrity efforts, the implementation is still ongoing, and it is uncertain when the system will be fully functional for use by CMS and the states. In the interim, other actions can and should be taken to support and guide states' efforts to prevent improper payments. These include, for example, taking steps to ensure that program integrity efforts are cost effective. * Capacity. CMS partially met the criteria for capacity. Although the agency has implemented various initiatives to enhance the resources dedicated to Medicaid program integrity, increased coordination with state program integrity efforts could expand oversight of the program to areas that are currently lacking. For example, while many of the newly enrolled Medicaid beneficiaries from PPACA will receive services through Medicaid managed care contracts, we found in May 2014 that the federal government and states are not well-positioned to identify improper payments made to MCOs. Expanded oversight is needed to ensure that MCOs are taking appropriate actions to identify and prevent improper payments. In addition, we found in November 2012 that although CMS's comprehensive reviews yield considerable information about states' program integrity activities, the agency did not deploy its audit resources to focus on states with identified vulnerabilities. * Action plan. CMS has taken steps to develop action plans to address the improper payments, but only partially met the criteria for action plans due to missing action plans that the agency is legally required to provide to the Congress. As required by law, in July 2014, CMS issued its Comprehensive Medicaid Integrity Plan for fiscal years 2014- 2018, a 5-year plan for ensuring the integrity of the Medicaid program by combating fraud, waste, and abuse. In addition, in July 2013, CMS issued guidance to states to clarify that all identified nonpayment errors--such as certain coding errors that could have but did not result in a payment error--should be included in state corrective action plans, and in August 2013, the agency updated website guidance and the manual used by states to clarify information states should include in corrective action plans. However, CMS is not in compliance with other required reporting on Medicaid improper payments. The agency is required to report to Congress annually on the use and effectiveness of the funds appropriated for the Medicaid Integrity Program--a program established to protect against Medicaid fraud, waste, and abuse, including improper payments--but there have been delays, and the agency had not, as of December 2014, reported for fiscal years 2013 and 2014. * Monitoring. While CMS has taken steps to improve its monitoring of improper payments, the agency only partially met the criteria for monitoring because of insufficient data. In 2013, CMS eliminated duplication between improper payment reviews conducted by review contractors at the federal level and reviews conducted by audit contractors in each state. In addition, CMS has indefinitely suspended annual state program integrity assessments, which we found to be duplicative and prone to error. However, despite these improvements in its approaches to conducting audits of Medicaid payments, the expenditure and audit activity data collected by CMS make it difficult for the agency to accurately calculate the return on investments made. As a result, it is not clear whether CMS is targeting resources to the most effective audit activities or whether CMS has the capability of using this information to determine which audit activities should be adjusted or discontinued. * Demonstrated progress. CMS partially met the criteria for demonstrated progress. Although the agency has taken actions to improve the detection of improper payments, expanded oversight is needed. In December 2013, the agency launched a new process for collecting, storing, and delivering Medicaid provider termination notifications for all state-submitted Medicaid terminations and Medicare revocations. In 2013, the agency also developed a new and more accurate methodology for calculating improper payments and updated its guidance to states to improve their corrective action plans to address errors that resulted in improper payments. However, CMS needs to improve its oversight of MCOs and provide states with additional support for managed care oversight. What Remains to Be Done: CMS has taken positive steps to improve the improper payment rate for Medicaid in recent years, including implementing certain recommendations we had previously made. However, as described above, there are several areas where CMS needs to take action to address issues and recommendations that have not been fully implemented, including improving reporting of key data so that they provide reliable and complete data needed for ensuring effective oversight; implementing effective program integrity processes for managed care; ensuring clear reporting of overpayment recoveries; and refocusing efforts on approaches that are cost-effective. While these and other CMS actions are underway, it is too soon to assess their effectiveness in reducing improper payments. In addition, responsibility for program integrity activities is spread across multiple state and federal entities, resulting in fragmentation. Careful coordination is necessary to ensure maximum program coverage and avoid unnecessary duplication of program integrity efforts. As a result, and in light of the projected growth in program spending and gaps in oversight, Medicaid improper payments remain high-risk, and CMS needs to take additional actions to address gaps in oversight. GAO Contact: For additional information about this high-risk area, contact Carolyn Yocom at (202) 512-7114 or yocomc@gao.gov. Related GAO Products: Medicaid: Additional Federal Action Needed to Further Improve Third- Party Liability Efforts. [hyperlink, http://www.gao.gov/products/GAO-15-208]. Washington, D.C.: January 28, 2015. Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures. [hyperlink, http://www.gao.gov/products/GAO-14-341]. Washington, D.C.: May 19, 2014. Medicaid: CMS Should Ensure That States Clearly Report Overpayments. [hyperlink, http://www.gao.gov/products/GAO-14-25]. Washington, D.C.: December 6, 2013. Medicaid: Enhancements Needed for Improper Payments Reporting and Related Corrective Action Monitoring. [hyperlink, http://www.gao.gov/products/GAO-13-229]. Washington, D.C.: March 29, 2013. Medicaid Integrity Program: CMS Should Take Steps to Eliminate Duplication and Improve Efficiency. [hyperlink, http://www.gao.gov/products/GAO-13-50]. Washington, D.C.: November 13, 2012. National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States. [hyperlink, http://www.gao.gov/products/GAO-12-627]. Washington, D.C.: June 14, 2012. [End of section] National Flood Insurance Program: Why Area Is High Risk: The National Flood Insurance Program (NFIP) is a key component of the federal government's efforts to limit the damage and financial impact of floods. However, it likely will not generate sufficient revenues to repay the billions of dollars borrowed from the Department of the Treasury (Treasury) to cover claims from the 2005 and 2012 hurricanes or potential claims related to future catastrophic losses. This lack of sufficient revenue highlights what have been structural weaknesses in how the program is funded. While Congress and the Federal Emergency Management Agency (FEMA)--the agency within the Department of Homeland Security (DHS) responsible for managing NFIP--intended that NFIP be funded with premiums collected from policyholders and not with tax dollars, the program was, by design, not actuarially sound. As of December 31, 2014, FEMA owed the Treasury $23 billion, up from $20 billion as of November 2012. FEMA made a $1 billion principal repayment at the end of December 2014--FEMA's first such payment since 2010. The Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act) contained provisions to help strengthen the financial solvency of the program, including phasing out almost all discounted insurance premiums (for example, subsidized premiums). However, the extent to which its changes would have reduced NFIP's financial exposure is unclear. In July 2013, we reported that FEMA was starting to implement some of the required changes. However, on March 21, 2014, the Homeowner Flood Insurance Affordability Act of 2014 (HFIAA) was enacted. HFIAA reinstated certain premium subsidies and slowed down certain premium rate increases that had been included in the Biggert- Waters Act. Aspects of HFIAA were intended to address affordability concerns for certain property owners, but may also increase NFIP's long-term financial burden on taxpayers. Further, weaknesses in NFIP management and operations, including weaknesses in contractor oversight and an outdated policy and claims management system, have also placed the program at risk. As a result of its substantial financial exposure and management and operations challenges, the program has been on our High-Risk List since 2006. What GAO Found: Figure: National Flood Insurance Program: [Refer to PDF for image: star illustration] Leadership Commitment: Partially Met; Capacity: Partially Met; Action Plan: Partially Met; Monitoring: Partially Met; Demonstrated Progress: Partially Met. No Criteria have been met. Source: GAO analysis. 2015 High Risk List GAO-15-290. [End of figure] FEMA has partially met all five criteria for removing NFIP from the high-risk list. FEMA leadership has shown a commitment to taking a number of actions to implement our recommendations. However, the recent enactment of HFIAA and limitations in FEMA's oversight of contractors has created capacity challenges for FEMA in addressing the financial exposure created by NFIP as well as improving program administration. FEMA has developed corrective action plans for implementing our recommendations, but it has not yet developed a comprehensive plan to address all the issues that have placed NFIP on our high-risk list. For example, FEMA has a process in place to monitor progress in taking actions to implement our recommendations related to NFIP. But, broader monitoring of the effectiveness and sustainability of its actions would help ensure that appropriate corrective actions are being taken. While FEMA has demonstrated progress towards improving NFIP's financial stability and program efficiency, these efforts are not complete. With respect to financial stability, FEMA has initiated actions to improve the accuracy of full- risk rates, but does not have all the necessary information to appropriately revise premium rates for previously subsidized properties. FEMA has demonstrated progress in improving areas of the program's operations, such as continuity planning. But, important actions, such as modernizing its policy and claims management system, remain to be completed. The losses already generated by NFIP, as well as the potential for future losses, have created substantial financial exposure for the federal government. In addition, weaknesses in management and program operations create risks that funds allocated to NFIP and premiums paid to the program are not being used efficiently or effectively. FEMA leadership has shown a commitment to taking a number of actions to implement our recommendations. These recommendations are designed to improve both the program's financial stability and operations. However, the 2014 enactment of HFIAA has presented administrative challenges for FEMA leadership and also impacted the program's capacity to address the financial exposure created by NFIP. For example, HFIAA reinstates certain premium subsidies and slowed down some premium rate increases that had been included in the Biggert- Waters Act, requiring FEMA to refund premiums to certain policyholders. In addition, the Biggert-Waters Act requires that FEMA establish a reserve fund to be available for meeting the expected future obligations of NFIP, and HFIAA includes an annual surcharge for all policies ($25 for most policies) to be added to the reserve fund. However, FEMA stated in its December 2014 annual report to Congress that it would be unlikely that the required reserve fund balance (approximately $13 billion) would be achieved in the next 20 years. FEMA's analysis also concluded that, under the current NFIP operating environment, the agency will be unable to repay its debt within the 10- year time frame designated in Biggert-Waters. While FEMA has begun taking some actions to improve its capacity to administer NFIP, it is unclear how the resources required to implement both the Biggert-Waters Act and HFIAA will affect its ability to continue and complete these efforts. For example, the acts require FEMA to complete multiple studies and take a number of actions within the next several years. This would require resources FEMA would normally have committed to other efforts. We have also recently reported on weaknesses in FEMA's oversight of contractors that could limit FEMA's ability to effectively and efficiently implement NFIP. In a January 2014 report where we reviewed the three largest NFIP contractors, we reported that while FEMA had made progress in improving its processes for monitoring NFIP contracts and had largely followed its procedures, it did not develop a quality assurance surveillance plan for one of the three contractors we reviewed--a best practice and a key requirement identified in regulations and guidance. In 2010 and 2011, FEMA identified persistent issues with the contractor's deliverables, including quality and timeliness, and faced challenges in resolving those issues. This might have been avoided if a quality assurance surveillance plan had been developed and used. In addition, for two of the three contracts, FEMA staff did not enter performance evaluations in the Contractor Performance Assessment Reporting System, a database DHS uses to record assessments of the performance of government contractors. We recommended that FEMA take a number of actions to improve the monitoring and reporting of contractor performance. In December 2014, we found that FEMA did not validate that its contractor fully implemented changes and system checks or verify the changes in vendors' software before certain premium rate changes became effective in October 2013. As a result, incorrect rates were charged to certain policyholders. We recommended that FEMA institute controls to validate the implementation of data system changes and track their progress toward completion in its contractor monitoring reports. FEMA agreed to implement these recommendations. While FEMA has developed plans for addressing all of the recommendations from our individual reports, it has not developed a comprehensive plan to address all the issues that have placed NFIP on our high-risk list. While addressing our recommendations is part of such a plan, a comprehensive plan also defines the root causes, identifies effective solutions, and provides for substantially completing corrective measures near term. According to a DHS official, the individual action plans collectively represent their plan for addressing these issues, as the recommendations cover steps needed to improve the program's financial stability as well as its administration. The official added that DHS had developed more comprehensive plans for other high-risk areas that had been helpful, and may consider doing so for NFIP. Such a plan could help FEMA ensure that all important issues, and all aspects of those issues, are addressed. FEMA has a process in place to monitor progress in taking actions to implement our recommendations related to NFIP. For example, the status of efforts to address the recommendations is regularly discussed both within the Flood Insurance and Mitigation Administration (FIMA), which administers NFIP within FEMA, and, at the DHS level, according to a DHS official. However, it does not have a specific process for independently validating the effectiveness or sustainability of those actions. According to a DHS official, once a recommendation related to NFIP is implemented, the effects of the actions taken to do so are not tracked separately, but instead regular reviews of the effectiveness of the entire program are conducted. Additional monitoring of the effectiveness and sustainability of its specific actions taken to address our recommendations would help ensure that appropriate corrective actions are being taken. FEMA has demonstrated progress toward improving NFIP's financial stability and program operations; however, these efforts are not complete. With respect to financial stability, FEMA has initiated actions to improve the accuracy of full-risk rates, but does not have all the necessary information to appropriately revise premium rates for previously subsidized properties. We reported in 2013 that FEMA generally lacks information needed to apply full-risk rates to certain subsidized properties. Also, data constraints limit FEMA's ability to estimate the aggregate cost of subsidies. While HFIAA reinstated certain subsidies, provisions under both the Biggert-Waters Act and HFIAA changed the implementation of subsidies and decreased the size of subsidies by annually increasing subsidized rates. In 2013, we recommended that FEMA develop and implement a plan to obtain flood risk information needed to determine full-risk rates for properties with previously subsidized rates. As of December 2014, FEMA officials said that they are evaluating different approaches for obtaining flood risk information without requiring policyholders to incur the costs of obtaining property-specific information required to determine full risk rates. FEMA has demonstrated progress in improving areas of the program's operations, such as continuity planning. However, some important actions, such as modernizing its information technology systems-- including those for financial reporting and its policy and claims management system--remain to be completed. In 2011, we recommended that FEMA develop guidance and a related plan for continuing operations during federal disasters to help ensure consistent day-to- day operations when staff are deployed to disaster sites or reassigned to work on disaster-related issues. As part of the development of FIMA's 2012 continuity plan, FIMA has identified critical staff as well as the key operations that need to continue when staff are deployed in response to a federal disaster and how operations will continue during such periods. In 2011, in our review of FEMA's financial management we reported that staff faced multiple challenges in their day-to-day operations due to limitations in the systems they must use to perform these operations. In this same report, we also noted that FEMA faces challenges modernizing NFIP's insurance policy and claims management system. After 7 years and $40 million, FEMA ultimately canceled its latest effort (NextGen) in November 2009 because the system did not meet user expectations. As a result, the agency continues to rely on an ineffective and inefficient 30-year old system. FEMA had since established a steering committee tasked with overseeing FEMA's next attempt to modernize its policy and claims processing system. In addition, while FEMA has begun implementing some changes to its acquisition management practices, it remains to be seen if it will help FEMA avoid some of the problems that led to NextGen's failure. In late-November 2014, FEMA officials told us that the agency is in the acquisition stage for a new system called "Phoenix" that will serve as the new information technology system for all of NFIP. It will replace NextGen and NFIP's current financial and reporting system. FEMA hopes to award the contract to begin development and implementation in fiscal year 2016 or 2017. What Remains to Be Done: While FEMA leadership has displayed a commitment to addressing the challenges that have placed NFIP on the high-risk list and has made progress in a number of areas, FEMA needs to initiate or complete additional actions. As previously discussed, HFIAA, enacted in March 2014 in part to address affordability concerns for property owners, amended the Biggert-Waters Act and created challenges for FEMA in addressing the financial exposure created by the program by lengthening the phase out of subsidized premiums for certain properties. In addition, FEMA is unlikely to generate sufficient revenue to cover future catastrophic losses or repay billions of dollars borrowed from Treasury. Congress should continue to consider changes to the program that further address the competing goals of financial solvency and affordability. To improve its capacity for administering NFIP, FEMA should implement recent recommendations from our 2014 reports intended to improve contractor oversight. Further, while FEMA has plans for addressing and tracking progress on our specific recommendations, it has yet to address many of them and has not developed a comprehensive plan for removing NFIP from the high-risk list. In addition, while FEMA has a process in place to monitor progress in taking actions to implement our recommendations related to the NFIP, broader monitoring of the effectiveness and sustainability of its actions would help ensure that appropriate corrective actions are being taken. As a step towards improving the financial stability of the program, FEMA should develop and implement a plan to obtain flood risk information needed to determine full-risk rates for properties with previously subsidized rates. While FEMA has taken steps, such as establishing a steering committee to oversee the next modernization of its claims and policy management, it needs to complete its efforts to establish a new information technology system for NFIP. By completing all actions discussed previously, FEMA will likely improve its ability to address the financial exposure of the program and help ensure that the funds allocated to NFIP and premiums paid to the program are used effectively. GAO Contact: For additional information about this high-risk area, contact Alicia Puente Cackley at (202) 512-8678 or cackleya@gao.gov. Related GAO Products: Flood Insurance: Forgone Premiums Cannot Be Measured and FEMA Should Validate and Monitor Data System Changes. [hyperlink, http://www.gao.gov/products/GAO-15-111]. Washington, D.C.: December 11, 2014. Overview of GAO's Past Work on the National Flood Insurance Program. [hyperlink, http://www.gao.gov/products/GAO-14-297R]. Washington, D.C.: April 9, 2014. Flood Insurance: Strategies for Increasing Private Sector Involvement. [hyperlink, http://www.gao.gov/products/GAO-14-127]. Washington, D.C.: January 22, 2014. National Flood Insurance Program: Progress Made on Contract Management but Monitoring and Reporting Could Be Improved. [hyperlink, http://www.gao.gov/products/GAO-14-160]. Washington, D.C.: January 15, 2014. National Flood Insurance Program: Continued Attention Needed to Address Challenges. [hyperlink, http://www.gao.gov/products/GAO-13-858T]. Washington, D.C.: September 18, 2013. Flood Insurance: More Information Needed on Subsidized Properties. [hyperlink, http://www.gao.gov/products/GAO-13-607]. Washington, D.C.: July 3, 2013. Flood Insurance: Implications of Changing Coverage Limits and Expanding Coverage. [hyperlink, http://www.gao.gov/products/GAO-13-568]. Washington, D.C.: July 3, 2013. FEMA: Action Needed to Improve Administration of the National Flood Insurance Program. [hyperlink, http://www.gao.gov/products/GAO-11-297]. Washington, D.C.: June 9, 2011. [End of section] Appendix I: High-Risk Program History: A summary of areas removed from our High Risk List over the past 26 years is shown in figure 13. The areas on our 2015 High Risk List, and the year each was designated as high risk, are shown in table 9. Figure 13: Areas Removed from High Risk List, 1990-2015: [Refer to PDF for image: list] Federal Transit Administration Grant Management: 1990-1995; Pension Benefit Guaranty Corporation: 1990-1995; Resolution Trust Corporation: 1990-1995; State Department Management of Overseas Real Property: 1990-1995; Farm Loan Programs: 1990-2001; Superfund Programs: 1990-2001; Asset Forfeiture Programs: 1990-2003; Student Financial Aid Programs: 1990-2005; Bank Insurance Fund: 1991-1995; Customs Service Financial Management: 1991-1999; HUD Single-Family Mortgage Insurance and Rental Housing Assistance Programs: 1994-2007; National Weather Service Modernization: 1995-2001; FAA Air Traffic Control Modernization: 1995-2009; IRS Business Systems Modernization: 1995-2013; The 2000 Census: 1996-2001; The Year 2000 Computing Challenge: 1996-2001; Supplemental Security Income: 1996-2003; FAA Financial Management: 1999-2005; Forest Service Financial Management: 1999-2005; U.S. Postal Service’s Transformations Efforts and Long-Term Outlook: 2000-2007; DOD Personnel Security Clearance Program: 2004-2011; Management of Interagency Contracting: 2004-2013; 2010 Census: 2008-2011. Source: GAO. GAO-15-290. [End of figure] Table 9: Year That Areas on GAO's 2015 High Risk List Were Designated High Risk: Area: 1. Medicare Program; Year designated high risk: 1990. Area: 2. DOD Supply Chain Management; Year designated high risk: 1990. Area: 3. DOD Weapon Systems Acquisition; Year designated high risk: 1990. Area: 4. DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management; Year designated high risk: 1990. Area: 5. NASA Acquisition Management; Year designated high risk: 1990. Area: 6. Enforcement of Tax Laws; Year designated high risk: 1990. Area: 7. DOD Contract Management; Year designated high risk: 1992. Area: 8. DOD Financial Management; Year designated high risk: 1995. Area: 9. DOD Business Systems Modernization; Year designated high risk: 1995. Area: 10. Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information[A]; Year designated high risk: 1997. Area: 11. DOD Support Infrastructure Management; Year designated high risk: 1997. Area: 12. Strategic Human Capital Management; Year designated high risk: 2001. Area: 13. Medicaid Program; Year designated high risk: 2003. Area: 14. Managing Federal Real Property; Year designated high risk: 2003. Area: 15. Improving and Modernizing Federal Disability Programs; Year designated high risk: 2003. Area: 16. Strengthening Department of Homeland Security Management Functions; Year designated high risk: 2003. Area: 17. Pension Benefit Guaranty Corporation Insurance Programs; Year designated high risk: 2003. Area: 18. Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland; Year designated high risk: 2005. Area: 19. DOD Approach to Business Transformation; Year designated high risk: 2005. Area: 20. National Flood Insurance Program; Year designated high risk: 2006. Area: 21. Funding the Nation's Surface Transportation System; Year designated high risk: 2007. Area: 22. Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests; Year designated high risk: 2007. Area: 23. Improving Federal Oversight of Food Safety; Year designated high risk: 2007. Area: 24. Modernizing the U.S. Financial Regulatory System and Federal Role in Housing Finance; Year designated high risk: 2009. Area: 25. Protecting Public Health through Enhanced Oversight of Medical Products; Year designated high risk: 2009. Area: 26. Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals; Year designated high risk: 2009. Area: 27. Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability; Year designated high risk: 2009. Area: 28. Management of Federal Oil and Gas Resources; Year designated high risk: 2011. Area: 29. Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks; Year designated high risk: 2013. Area: 30. Mitigating Gaps in Weather Satellite Data; Year designated high risk: 2013. Area: 31. Managing Risks and Improving VA Health Care; Year designated high risk: 2015. Area: 32. Improving the Management of IT Acquisitions and Operations; Year designated high risk: 2015. Source: GAO. GAO-15-290. [A] In our prior reports we refer to Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information as Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures. [End of table] [End of section] Appendix II: GAO's 2015 High Risk List: The areas on our 2015 High Risk List are shown in table 10. Table 10: GAO's 2015 High Risk List: Strengthening the Foundation for Efficiency and Effectiveness: * Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks; * Management of Federal Oil and Gas Resources; * Modernizing the U.S. Financial Regulatory System and; * the Federal Role in Housing Finance[A]; * Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability[A]; * Funding the Nation; * 's Surface Transportation System[A]; * Strategic Human Capital Management; * Managing Federal Real Property; * Improving the Management of IT Acquisitions and Operations (new). Transforming DOD Program Management: * DOD Approach to Business Transformation; * DOD Business Systems Modernization; * DOD Support Infrastructure Management[A]; * DOD Financial Management; * DOD Supply Chain Management; * DOD Weapon Systems Acquisition. Ensuring Public Safety and Security: * Mitigating Gaps in Weather Satellite Data; * Strengthening Department of Homeland Security Management Functions; * Establishing Effective Mechanisms for Sharing and Managing Terrorism- Related Information to Protect the Homeland; * Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information[A]; * Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests[A]; * Improving Federal Oversight of Food Safety[A]; * Protecting Public Health through Enhanced Oversight of Medical Products; * Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals[A]. Managing Federal Contracting More Effectively: * DOD Contract Management; * DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management; * NASA Acquisition Management. Assessing the Efficiency and Effectiveness of Tax Law Administration: * Enforcement of Tax Laws[A]. Modernizing and Safeguarding Insurance and Benefit Programs: * Managing Risks and Improving VA Health Care (new); * Improving and Modernizing Federal Disability Programs; * Pension Benefit Guaranty Corporation Insurance Programs[A]; * Medicare Program[A]; * Medicaid Program[A]; * National Flood Insurance Program[A]. Source: GAO. GAO-15-290. [A] Legislation is likely to be necessary in order to effectively address this high-risk area. [End of table] [End of section] GAO Related Products: The following GAO reports reflect our High-Risk Series reports issued since 2000. For additional GAO related products issued specific to each of the 32 high-risk areas on our updated list, see our High Risk List website, [hyperlink, http://www.gao.gov/highrisk/]. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-13-283]. Washington, D.C.: Feb. 14, 2013. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-11-278]. Washington, D.C.: Feb. 16, 2011. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-09-271]. Washington, D.C.: Jan. 22, 2009. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-07-310]. Washington, D.C.: Jan. 31, 2007. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-05-207]. Washington, D.C.: Jan. 1, 2005. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-03-119]. Washington, D.C.: Jan. 1, 2003. High Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-01-263]. Washington, D.C.: Jan. 1, 2001. Determining Performance and Accountability Challenges and High Risks. [hyperlink, http://www.gao.gov/products/GAO-01-159SP]. Washington, D.C.: Nov. 1, 2000. [End of section] Footnotes: [1] For a complete list of all 32 high-risk areas, see appendix II. [2] For more information on the history of the high-risk program, see the background and appendix I. [3] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February 2013). [4] GAO, Determining Performance and Accountability Challenges and High Risks, [hyperlink, http://www.gao.gov/products/GAO-01-159SP] (Washington, D.C.: November 2000). [5] The National Academy of Public Administration is an independent, nonprofit, and nonpartisan organization established to assist government leaders in building more effective, efficient, accountable, and transparent organizations. [6] GAO, Defense Contracting: Early Attention in the Acquisition Process Needed to Enhance Competition, [hyperlink, http://www.gao.gov/products/GAO-14-395] (Washington, D.C.: May 5, 2014). [7] NASA's Associate Administrator oversees the agency's Office of Evaluation, which includes divisions responsible for cost analysis and independent program evaluation, respectively. [8] Pub. L. No. 113-283 (Dec. 18, 2014). [9] Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002). [10] Pub. L. No. 113-246 (Dec. 18, 2014). [11] Sec. 4, Pub. L. No. 113-277 (Dec. 18, 2014). [12] Pub. L. No. 113-282 (Dec. 18, 2014). [13] Pub. L. No. 113-274 (Dec. 18, 2014). [14] [hyperlink, http://www.gao.gov/products/GAO-01-159SP]. [15] GAO, Information Technology: Critical Factors Underlying Successful Major Acquisitions, [hyperlink, http://www.gao.gov/products/GAO-12-7] (Washington, D.C.: Oct. 21, 2011). [16] GAO, Information Technology: Agencies Need to Establish and Implement Incremental Development Policies, [hyperlink, http://www.gao.gov/products/GAO-14-361] (Washington, D.C.: May 1, 2014). [17] Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, § 831(a) (Dec. 19, 2014). [18] GAO, Information Technology: Additional Executive Review Sessions Needed to Address Troubled Projects, [hyperlink, http://www.gao.gov/products/GAO-13-524] (Washington, D.C.: June 13, 2013). [19] GAO, Healthcare.gov: Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management, [hyperlink, http://www.gao.gov/products/GAO-14-694] (Washington, D.C.: July 30, 2014). [20] GAO, Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls, [hyperlink, http://www.gao.gov/products/GAO-14-730] (Washington, D.C.: Sept. 16, 2014). [21] GAO, USDA Systems Modernization: Management and Oversight Improvements Are Needed, [hyperlink, http://www.gao.gov/products/GAO-11-586] (Washington, D.C.: July 20, 2011). [22] GAO, DOD Financial Management: Reported Status of Department of Defense's Enterprise Resource Planning Systems, [hyperlink, http://www.gao.gov/products/GAO-12-565R] (Washington, D.C.: Mar. 30, 2012). [23] GAO, DOD Financial Management: Implementation Weaknesses in Army and Air Force Business Systems Could Jeopardize DOD's Auditability Goals, [hyperlink, http://www.gao.gov/products/GAO-12-134] (Washington, D.C.: Feb. 28, 2012). [24] GAO, Electronic Health Records: Long History of Management Challenges Raises Concerns about VA's and DOD's New Approach to Sharing Health Information, [hyperlink, http://www.gao.gov/products/GAO-13-413T] (Washington, D.C.: Feb. 27, 2013). [25] GAO, Air Traffic Control Modernization: Management Challenges Associated with Program Costs and Schedules Could Hinder NextGen Implementation, [hyperlink, http://www.gao.gov/products/GAO-12-223] (Washington, D.C.: Feb. 16, 2012). [26] GAO, Information Technology: Management Improvements Are Essential to VA's Second Effort to Replace Its Outpatient Scheduling System, [hyperlink, http://www.gao.gov/products/GAO-10-579] (Washington, D.C.: May 27, 2010). [27] [hyperlink, http://www.gao.gov/products/GAO-14-361]. [28] GAO, IT Dashboard: Agencies Are Managing Investment Risk, but Related Ratings Need to Be More Accurate and Available, [hyperlink, http://www.gao.gov/products/GAO-14-64] (Washington, D.C.: Dec. 12, 2013). [29] [hyperlink, http://www.gao.gov/products/GAO-14-64]. [30] The 27 agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; U.S. Army Corps of Engineers, Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Archives and Records Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Smithsonian Institution, Social Security Administration, and U.S. Agency for International Development. [31] According to the analytical perspectives associated with the President's fiscal year 2015 budget request, the remainder is classified Department of Defense IT investments. [32] GAO, Information Technology: Agencies Need to Strengthen Oversight of Multibillion Dollar Investments in Operations and Maintenance, [hyperlink, http://www.gao.gov/products/GAO-14-66] (Washington, D.C.: Nov. 6, 2013), and Information Technology: Agencies Need to Strengthen Oversight of Billions of Dollars in Operations and Maintenance Investments, [hyperlink, http://www.gao.gov/products/GAO-13-87] (Washington, D.C.: Oct.16, 2012). [33] GAO, Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide, [hyperlink, http://www.gao.gov/products/GAO-14-413] (Washington, D.C.: May 22, 2014). [34] According to OMB, commodity IT includes services such as IT infrastructure (data centers, networks, desktop computers and mobile devices); enterprise IT systems (e-mail, collaboration tools, identity and access management, security, and web infrastructure); and business systems (finance, human resources, and other administrative functions). [35] GAO, Information Technology: Additional OMB and Agency Actions Are Needed to Achieve Portfolio Savings, [hyperlink, http://www.gao.gov/products/GAO-14-65] (Washington, D.C.: Nov. 6, 2013). [36] GAO, Data Center Consolidation: Reporting Can Be Improved to Reflect Substantial Planned Savings, [hyperlink, http://www.gao.gov/products/GAO-14-713] (Washington, D.C.: Sept. 25, 2014). [37] Unless otherwise noted, the provisions apply to the agencies covered by the Chief Financial Officers Act of 1990. 31 U.S.C. § 901(b). [38] In our prior high-risk reports this area was referred to as DOD Personnel Security Clearance Reform. In this report, we refer to this high-risk area as Personnel Security Clearance Reform to reflect that our monitoring efforts are government-wide and not exclusive to DOD. [39] Pub. L. No. 111-148, 124 Stat. 119 (Mar. 23, 2010), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029 (Mar. 30, 2010). In this report, references to "PPACA" include amendments made by the Health Care and Education Reconciliation Act. [40] In 2014, we found that the DOD data that are included in the totals reported by the Director of National Intelligence to Congress likely overstate the total number of DOD employees eligible to access classified information and that DOD's data may be inaccurate. Specifically, we found that the number of DOD employees who were eligible to access classified information exceeded the total number of DOD employees in five components. See GAO, Personnel Security Clearances: Additional Guidance and Oversight Needed at DHS and DOD to Ensure Consistent Application of Revocation Process, [hyperlink, http://www.gao.gov/products/GAO-14-640] (Washington, D.C.: Sept. 8, 2014). In that report, DOD concurred with our recommendation that to help ensure accurate reporting to Congress, the agency review and analyze discrepancies in the total number of federal civilian employees eligible to access classified information. [41] Pub. L. No. 108-458, §3001 (2004) (codified in relevant part at 50 U.S.C. § 3341). [42] Suitability standards and determinations pertain to evaluating the character and conduct of individuals for federal employment. [43] The Government Performance and Results Act was amended by the GPRA Modernization Act of 2010, Pub. L. No. 111-352 (2011), which requires OMB to coordinate with agencies to develop Cross Agency Priority Goals. These are outcome-oriented goals covering a limited number of crosscutting policy areas, as well as goals to improve management across the federal government. These goals are intended to cover areas where increased cross-agency collaboration is needed to improve progress towards shared, complex policy or management objectives. [44] The National Defense Authorization Act for Fiscal Year 2014 required us to report on security clearance quality efforts by June 24, 2014. Pub. L. No. 113-66, § 907(e) (2013). GAO was also requested by the Chairmen and Ranking Members of the House Subcommittee on the Efficiency and Effectiveness of Federal Programs and the Federal Workforce and the House Subcommittee on Financial and Contracting Oversight to evaluate the quality of security clearance background investigations. We provided a briefing to congressional staff on June 24, 2014 and will issue a final report in March 2015. [45] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February 2013). [46] GAO, Information Technology: Consistently Applying Best Practices Could Help IRS Improve the Reliability of Reported Cost and Schedule Information, [hyperlink, http://www.gao.gov/products/GAO-13-401] (Washington, D.C.: Apr. 17, 2013); and GAO, Information Technology: IRS Needs to Improve the Reliability and Transparency of Reported Investment Information, [hyperlink, http://www.gao.gov/products/GAO-14-298] (Washington, D.C.: Apr. 2, 2014). We also have another review underway for which we expect to issue a report in February 2015. [47] Pub. L. No. 111-148, 124 Stat. 119 (March 23, 2010), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029 (March 30, 2010). [48] See for example, GAO, Financial Audit: IRS's Fiscal Years 2014 and 2013 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-15-173] (Washington, D.C.: Nov. 12, 2014) [49] Melillo, Jerry M., Terese (T.C.) Richmond, and Gary W. Yohe, eds., Climate Change Impacts in the United States: The Third National Climate Assessment, U.S. Global Change Research Program (Washington, D.C.: U.S. Government Printing Office, May 2014). USGCRP coordinates and integrates the activities of 13 federal agencies that conduct research on changes in the global environment and their implications for society. USGCRP began as a presidential initiative in 1989 and was codified in the Global Change Research Act of 1990 (Pub. L. No. 101- 606, § 103 (1990)). USGCRP-participating agencies are the Departments of Agriculture, Commerce, Defense, Energy, Interior, Health and Human Services, State, and Transportation; the U.S. Agency for International Development; the Environmental Protection Agency; the National Aeronautics and Space Administration; the National Science Foundation; and the Smithsonian Institution. [50] NRC is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. NRC, Committee on America's Climate Choices, America's Climate Choices (Washington, D.C.: 2011). See also NRC, Climate Change: Evidence, Impacts, and Choices. Answers to common questions about the science of climate change (Washington, D.C.: 2012). For more information about NRC's recent reports on climate change, click here. [51] The National Academies, Committee on Increasing National Resilience to Hazards and Disasters; Committee on Science, Engineering, and Public Policy; Disaster Resilience: A National Imperative (Washington, D.C.: 2012). [52] GAO, Climate Change: Future Federal Adaptation Efforts Could Better Support Local Infrastructure Decision Makers, [hyperlink, http://www.gao.gov/products/GAO-13-242] (Washington, D.C.: Apr. 12, 2013). [53] NRC, Panel on Adapting to the Impacts of Climate Change, America's Climate Choices: Adapting to the Impacts of Climate Change (Washington, D.C.: 2010). [54] In the atmosphere, greenhouse gases absorb and reemit radiation within the thermal infrared range of the electromagnetic spectrum. This is the fundamental cause of the greenhouse effect, or the warming of Earth's atmosphere. In order of their prevalence by volume, the primary greenhouse gases are water vapor, carbon dioxide, methane, nitrous oxide, and ozone. [55] The focus of this high-risk area may evolve over time to the extent that federal climate change programs and policies change. [56] More information on the June 2013 Climate Action Plan can be found here. [57] GAO, Climate Change Adaptation: Strategic Federal Planning Could Help Government Officials Make More Informed Decisions, [hyperlink, http://www.gao.gov/products/GAO-10-113] (Washington, D.C.: Oct. 7, 2009). [58] GAO, Climate Change: Improvements Needed to Clarify National Priorities and Better Align Them with Federal Funding Decisions, [hyperlink, http://www.gao.gov/products/GAO-11-317] (Washington, D.C.: May 20, 2011). [59] [hyperlink, http://www.gao.gov/products/GAO-11-317]. [60] [hyperlink, http://www.gao.gov/products/GAO-10-113]. CEQ coordinates federal environmental efforts and the development of environmental policies and initiatives. The Office of Science and Technology Policy was established by statute in 1976 to serve as a source of scientific and technological analysis and judgment for the President with respect to major policies, plans, and programs of the federal government, among other things. [61] [hyperlink, http://www.gao.gov/products/GAO-11-317]. [62] GAO, Ocean Acidification: Federal Response Under Way, but Actions Needed to Understand and Address Potential Impacts, [hyperlink, http://www.gao.gov/products/GAO-14-736] (Washington, D.C.: Sept. 12, 2014). Scientists estimate that the oceans have absorbed approximately 30 percent of the carbon dioxide emitted by humans over the past 200 years. This increased uptake of atmospheric carbon dioxide is resulting in chemical changes in the oceans, including a decrease in the average pH of surface ocean waters and a reduction in the availability of minerals needed by many marine organisms to build shells and skeletons. Collectively referred to as ocean acidification, these chemical changes may pose risks for some marine species and ecosystems, as well as for the human communities that rely upon them for food and commerce. [63] For more information on the interagency ocean acidification research and monitoring plan, click here. [64] Click here for more information on the President's June 2013 Climate Action Plan, the November 2013 Executive Order 13653 on Preparing the United States for the Impacts of Climate Change, and other federal climate change resilience efforts. [65] To access agency climate change adaptation plans, click here. [66] GAO, Climate Change Adaptation: DOD Can Improve Infrastructure Planning and Processes to Better Account for Potential Impacts, [hyperlink, http://www.gao.gov/products/GAO-14-446] (Washington, D.C.: May 30, 2014). [67] [hyperlink, http://www.gao.gov/products/GAO-14-446]. [68] [hyperlink, http://www.gao.gov/products/GAO-14-446]. [69] [hyperlink, http://www.gao.gov/products/GAO-13-242]. [70] GAO, Climate Change: Energy Infrastructure Risks and Adaptation Efforts, [hyperlink, http://www.gao.gov/products/GAO-14-74] (Washington, D.C.: Jan. 31, 2014), and Climate Change: Federal Efforts Under Way to Assess Water Infrastructure Vulnerabilities and Address Adaptation Challenges, [hyperlink, http://www.gao.gov/products/GAO-14-23] (Washington, D.C.: Nov. 14, 2013). [71] DOD's Unified Facilities Criteria also establish design standards for military construction projects on DOD installations. [72] GAO, Climate Change: Various Adaptation Efforts Are Under Way at Key Natural Resource Management Agencies, [hyperlink, http://www.gao.gov/products/GAO-13-253] (Washington, D.C.: May 31, 2013). [73] Click here to access a summary of wildland fire management issues and related reports on our Key Issues website. See also Congressional Research Service, Wildfire Management: Federal Funding and Related Statistics, R43077 (Mar. 5, 2014). [74] GAO, Climate Change: Agencies Should Develop Guidance for Addressing the Effects on Federal Land and Water Resources, [hyperlink, http://www.gao.gov/products/GAO-07-863] (Washington, D.C.: Aug. 7, 2007). [75] [hyperlink, http://www.gao.gov/products/GAO-13-253]. [76] Pub. L. No. 91-190 (1970), codified as amended at 42 U.S.C. §§ 4321-4347 (2014). Under NEPA, federal agencies must assess the effects of major federal actions--such as those they propose to carry out or to permit--that significantly affect the environment. NEPA has two principal purposes: (1) to ensure that an agency carefully considers detailed information concerning significant environmental impacts, and (2) to ensure that this information will be made available to the public. For more information on CEQ's climate-related NEPA guidance, click here. The 2010 draft guidance was not applicable to federal land and resource management actions, but the 2014 draft guidance no longer maintains the distinction between land and resource management actions and other types of actions. [77] [hyperlink, http://www.gao.gov/products/GAO-13-242]. [78] The potential losses generated by the National Flood Insurance Program have created substantial financial exposure for the federal government and U.S. taxpayers. While Congress and FEMA intended that the National Flood Insurance Program be funded with premiums collected from policyholders and not with tax dollars, the program was, by design, not actuarially sound. For more information, see the National Flood Insurance Program section of this High-Risk report. [79] Federal crop insurance program costs grew significantly during the period 2003 through 2012. For fiscal years 2003 through 2007, federal crop insurance costs averaged $3.4 billion a year, but for fiscal years 2008 through 2012, the crop insurance program cost an average of $8.4 billion a year. Program expansion and rising crop prices have led to increasing subsidy values and higher claims payments. For more details, see GAO, Crop Insurance: Considerations in Reducing Federal Premium Subsidies, [hyperlink, http://www.gao.gov/products/GAO-14-700] (Washington, D.C.: Aug. 8, 2014). [80] GAO, Climate Change: Financial Risks to Federal and Private Insurers in Coming Decades Are Potentially Significant, [hyperlink, http://www.gao.gov/products/GAO-07-285] (Washington, D.C.: Mar. 16, 2007). [81] Pub. L. No 112-141, div. F, tit. II, subtit. A 126 Stat. 405, 916 (2012). [82] GAO, Climate Change: Better Management of Exposure to Potential Future Losses Is Needed for Federal Flood and Crop Insurance, [hyperlink, http://www.gao.gov/products/GAO-15-28] (Washington, D.C.: Oct. 29, 2014). [83] GAO, FEMA: Action Needed to Improve Administration of the National Flood Insurance Program, [hyperlink, http://www.gao.gov/products/GAO-11-297] (Washington, D.C.: June 9, 2011). [84] For more information about FEMA's challenges related to flood maps, see GAO, FEMA Flood Maps: Some Standards and Processes in Place to Promote Map Accuracy and Outreach, but Opportunities Exist to Address Implementation Challenges, [hyperlink, http://www.gao.gov/products/GAO-11-17] (Washington, D.C.: Dec. 2, 2010). [85] [hyperlink, http://www.gao.gov/products/GAO-11-297] also contained two other related matters for congressional consideration: (1) allowing the National Flood Insurance Program to charge full-risk premium rates to all property owners and providing assistance to some categories of owners to pay those premiums; and (2) clarifying and expanding FEMA's ability to increase premiums or discontinue coverage for owners of certain repetitive loss properties. [86] Pub. L. No 112-141, div. F, tit. II, subtit. A, § 100216(b)(3), 126 Stat. 405, 927 (2012) (codified at 42 U.S.C. 4101b(b)(3)). [87] Pub. L. No 112-141, tit. II, subtit. A, § 100215(d) (2012). [88] For more information, see the National Flood Insurance Program section of this High-Risk report. [89] [hyperlink, http://www.gao.gov/products/GAO-15-28]. [90] [hyperlink, http://www.gao.gov/products/GAO-15-28]. [91] [hyperlink, http://www.gao.gov/products/GAO-15-28]. [92] [hyperlink, http://www.gao.gov/products/GAO-10-113]. [93] Click here for more information on Landscape Conservation Cooperatives. [94] [hyperlink, http://www.gao.gov/products/GAO-13-253]. [95] [hyperlink, http://www.gao.gov/products/GAO-14-446]. [96] [hyperlink, http://www.gao.gov/products/GAO-14-736] [97] Budget Issues: Opportunities to Reduce Federal Fiscal Exposures Through Greater Resilience to Climate Change and Extreme Weather, [hyperlink, http://www.gao.gov/products/GAO-14-504T] (Washington, D.C.: July 29, 2014). [98] [hyperlink, http://www.gao.gov/products/GAO-13-242]. [99] GAO, Climate Change: USDA's Ongoing Efforts Can Be Enhanced with Better Metrics and More Relevant Information for Farmers, [hyperlink, http://www.gao.gov/products/GAO-14-755] (Washington, D.C.: Sept. 16, 2014). [100] Melillo, Jerry M., Terese (T.C.) Richmond, and Gary W. Yohe, Eds., Climate Change Impacts in the United States: The Third National Climate Assessment, USGCRP (Washington, D.C.: May 2014). [101] Click here for more information on USDA Climate Hubs. [102] [hyperlink, http://www.gao.gov/products/GAO-14-755]. [103] [hyperlink, http://www.gao.gov/products/GAO-14-74]. [104] [hyperlink, http://www.gao.gov/products/GAO-14-74]. [105] Click here for information on the June 2013 Climate Action Plan and here for information on USGCRP's strategic plan. For more information on the Third National Climate Assessment, click here. The climate resilience toolkit is accessible here and provides resources and a framework for understanding and addressing the climate issues that impact people and their communities. [106] GAO, Disaster Resilience: Actions are Underway, but Federal Fiscal Exposure Highlights the Need for Continued Attention to Longstanding Challenges, [hyperlink, http://www.gao.gov/products/GAO-14-603T] (Washington, D.C.: May 14, 2014). [107] The Disaster Relief Appropriations Act of 2013 (Pub. L. No. 113- 2, div. A, 127 Stat. 4 (2013)) appropriated approximately $50 billion for expenses related to the consequences of Superstorm Sandy. The majority of appropriation accounts that received funding were subject to a reduction of 5 percent of their budgetary resources. In addition, another law increased the borrowing authority for the National Flood Insurance Program by $9.7 billion. Pub. L. No. 113-1, 127 Stat. 3 (2013). [108] [hyperlink, http://www.gao.gov/products/GAO-15-28]. [109] GAO, Emergency Preparedness: Opportunities Exist to Strengthen Interagency Assessments and Accountability for Closing Capability Gaps, [hyperlink, http://www.gao.gov/products/GAO-15-20] (Washington, D.C.: Dec. 4, 2014). See also Managing Preparedness Grants and Assessing National Capabilities: Continuing Challenges Impede FEMA's Progress, [hyperlink, http://www.gao.gov/products/GAO-12-526T] (Washington, D.C.: Mar. 20, 2012) and Disaster Response: Criteria for Developing and Validating Effective Response Plans, [hyperlink, http://www.gao.gov/products/GAO-10-969T] (Washington, D.C.: Sept. 22, 2010). [110] GAO, Federal Disaster Assistance: Improved Criteria Needed to Assess a Jurisdiction's Capability to Respond and Recover on Its Own, [hyperlink, http://www.gao.gov/products/GAO-12-838] (Washington, D.C.: Sept. 12, 2012). [111] Since September 11, 2001, the federal government has provided billions of dollars to state and local governments for planning, equipment, and training to enhance the capabilities of first responders to respond to both smaller-scale natural disasters and terrorist attacks. However, the federal financial assistance provided in the last several years has not been guided by a clear risk-based strategic plan that outlines the role of federal, state, and local governments in identifying, enhancing, maintaining, and financing critical first responder capabilities for emergencies. See GAO, 21st Century Challenges: Reexamining the Base of the Federal Government, [hyperlink, http://www.gao.gov/products/GAO-05-325SP] (Washington, D.C.: Feb. 1, 2005). [112] GAO, Federal Disaster Assistance: What Should The Policy Be?, PAD-80-39 (Washington, D.C.: June 16, 1980). [113] GAO, Extreme Weather Events: Limiting Federal Fiscal Exposure and Increasing the Nation's Resilience, [hyperlink, http://www.gao.gov/products/GAO-14-364T] (Washington, D.C.: Feb. 12, 2014); Fiscal Exposures: Improving Cost Recognition in the Federal Budget, [hyperlink, http://www.gao.gov/products/GAO-14-28] (Washington, D.C.: Oct. 29, 2013); and Budget Issues: Budgeting for Federal Insurance Programs, GAO/T-AIMD-98-147 (Washington, D.C.: Apr. 23, 1998). [114] GAO, Disaster Cost Estimates: FEMA Can Improve Its Learning from Past Experience and Management of Disaster-Related Resources, [hyperlink, http://www.gao.gov/products/GAO-08-301] (Washington, D.C.: Feb 22, 2008). See also, Supplemental Appropriations: Opportunities Exist to Increase Transparency and Provide Additional Controls, [hyperlink, http://www.gao.gov/products/GAO-08-314 (Washington, D.C.: Jan. 31, 2008). [115] [hyperlink, http://www.gao.gov/products/GAO-15-28]. [116] [hyperlink, http://www.gao.gov/products/GAO-14-603T]. [117] This task force was established by Executive Order 13632: Establishing the Hurricane Sandy Rebuilding Task Force, Dec. 7, 2012. [118] The Consolidated and Further Continuing Appropriations for Fiscal Year 2015 prohibits any appropriated funds from being used to implement a new Federal Flood Risk Management Standard until the Administration solicits and considers input from Governors, mayors, and other stakeholders. Pub. L. No. 113-235, div. E, tit. VII, § 750 (2014). [119] According to a July 2014 White House statement, FEMA will release new guidance for state hazard mitigation plans that call upon states to consider climate variability as part of their requirement to address the probability of future events in state planning efforts, in an effort to rebuild stronger and safer after natural disasters and ensure that states prepare for the impacts of climate change. Office of the Press Secretary, Fact Sheet: Taking Action to Support State, Local, and Tribal Leaders as They Prepare Communities for the Impacts of Climate Change, (Washington, D.C.: July 16, 2014), accessed August 1, 2014, at [hyperlink, http://www.whitehouse.gov/the-press- office/2014/07/16/fact-sheet-taking-action-support-state-local-and- tribal-leaders-they-pre]. [120] FEMA's Hazard Mitigation Assistance programs include the Hazard Mitigation Grant Program, which assists in implementing long-term hazard mitigation measures following a major disaster; the Pre- Disaster Mitigation Program, which provides funds for hazard mitigation planning and projects on an annual basis, and the Flood Mitigation Assistance Program, which provides funds for projects to reduce risk of flood damage to buildings that are insured under the National Flood Insurance Program on an annual basis. [121] The Task Force on Climate Preparedness and Resilience was established by Executive Order 13653 and was composed of state, local, and tribal leaders. The task force was created to advise the President and an interagency council on how the federal government can support state, local, and tribal preparedness for and resilience to climate change, among other things. Click here for more information on the task force. [122] See GAO, Financial Regulation: A Framework for Crafting and Assessing Proposals to Modernize the Outdated U.S. Financial Regulatory System, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: Jan. 22, 2009), and Financial Regulation: A Framework for Crafting and Assessing Proposals to Modernize the Outdated U.S. Financial Regulatory System, [hyperlink, http://www.gao.gov/products/GAO-09-216] (Washington, D.C.: Jan. 8, 2009). [123] The Federal Reserve also announced its intention to act next year to grant banking entities an additional 1-year extension of the conformance period until July 21, 2017, to conform ownership interests in and relationships with legacy covered funds. [124] The GPRA Modernization Act of 2010 requires the Office of Management and Budget to coordinate with agencies to establish outcome- oriented, federal government priority goals (known as cross-agency priority, or CAP, goals) with annual performance goals along with quarterly performance targets and milestones. See GAO, Managing for Results: OMB Should Strengthen Reviews of Cross-Agency Goals, [hyperlink, http://www.gao.gov/products/GAO-14-526] (Washington, D.C.: June 10, 2014). [125] GAO, Bureau of Prisons: Management of New Prison Activations Can Be Improved, [hyperlink, http://www.gao.gov/products/GAO-14-709] (Washington, D.C.: Aug. 22, 2014). [126] GAO, Telecommunications: GSA Needs to Share and Prioritize Lessons Learned to Avoid Future Transition Delays, [hyperlink, http://www.gao.gov/products/GAO-14-63] (Washington, D.C.: Dec. 5, 2013). [127] The high-risk areas in this report for which we found skills gaps to be a contributing factor were (1) Management of Oil and Gas Reserves; (2) DOD Approach to Business Transformation; (3) DOD Business Systems Modernization; (4) Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information; (5) DOD Financial Management; (6) Strengthening the Department of Homeland Security Management Functions; (7) Protecting Public Health through Enhanced Oversight of Medical Products; (8) Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals; (9) DOD Contract Management; (10) DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management; (11) NASA Acquisition Management; (12) Enforcement of Tax Laws; and (13) Managing Risks and Improving VA Health Care. [128] Homeland Security Cybersecurity Workforce Assessment Act, enacted as part of the Border Patrol Agent Pay Reform Act of 2014, Pub. L. No. 113-277, § 4, 128 Stat. 2995, 3008-3010 (Dec. 18, 2014); Cybersecurity Workforce Assessment Act, Pub. L. No. 113-246, 128 Stat. 2880 (Dec. 18, 2014). [129] GAO, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination, [hyperlink, http://www.gao.gov/products/GAO-12-8] (Washington, D.C.: Nov. 29, 2011). [130] GAO, Oil and Gas: Interior Has Begun to Address Hiring and Retention Challenges but Needs to Do More, [hyperlink, http://www.gao.gov/products/GAO-14-205] (Washington, D.C.: Jan. 31, 2014). [131] As reported, Congress initially authorized the special pay authority for use during fiscal years 2012 and 2013. Subsequently, the authority was extended through fiscal year 2015. [132] For an example of our work discussing DHS' human capital management, see GAO, Department of Homeland Security: Progress Made; Significant Work Remains in Addressing High-Risk Areas, [hyperlink, http://www.gao.gov/products/GAO-14-532T] (Washington, D.C.: May 7, 2014). [133] GAO, Human Capital: DOD Should Fully Develop Its Civilian Strategic Workforce Plan to Aid Decision Makers, [hyperlink, http://www.gao.gov/products/GAO-14-565] (Washington, D.C.: Jul. 9, 2014). [134] GAO, Federal Workforce: OPM and Agencies Need to Strengthen Efforts to Identify and Close Mission-Critical Skills Gaps, [hyperlink, http://www.gao.gov/products/GAO-15-223] (Washington, D.C.: January 30, 2015). [135] GAO, Human Capital: Strategies to Help Agencies Meet Their Missions in an Era of Highly Constrained Resources, [hyperlink, http://www.gao.gov/products/GAO-14-168] (Washington, D.C.: May 7, 2014). [136] GAO, Rail Safety: Improved Human Capital Planning Could Address Emerging Safety Oversight Challenges, [hyperlink, http://www.gao.gov/products/GAO-14-85] (Washington, D.C.: December 9, 2013) [137] DOD's business functions include: financial management, acquisition, defense security enterprise, installations and environment, logistics, human resources and healthcare management, security cooperation, and enterprise information technology infrastructure. [138] The Planning, Performance, and Assessment Directorate was previously named the Planning and Performance Management Directorate, but was renamed in 2014. The Directorate oversees the strategic planning of DOD's business operations and conducts enterprise-wide performance management activities. [139] In a federated enterprise architecture, member architectures (e.g., Air Force, Army, and Navy) conform to an overarching corporate or parent architecture and utilize a common vocabulary. This approach aims to provide governance across all business systems, functions, and activities within the department and improve visibility across DOD's respective efforts. [140] [hyperlink, http://www.gao.gov/products/GAO-14-486]. [141] [hyperlink, http://www.gao.gov/products/GAO-14-486]. [142] These portfolios are documented in functional strategies, which define business outcomes, priorities, measures, and standards for a given functional area within DOD. The functional areas are acquisition; defense security enterprise; enterprise IT infrastructure; financial management; human resources management and health management; installations and environment; logistics and materiel readiness; and security cooperation. [143] [hyperlink, http://www.gao.gov/products/GAO-14-309]. [144] [hyperlink, http://www.gao.gov/products/GAO-13-98]. [145] The dashboard aims to provide transparency for these investments to aid public monitoring of government operations. It is to do so by reporting, among other things, how agency chief information officers rate investment risk. [146] [hyperlink, http://www.gao.gov/products/GAO-14-361]. [147] Excess infrastructure is property under the control of a federal agency that the head of the agency determines is not required to meet the agency's needs or responsibilities. 40 U.S.C § 102(3). DOD disposes of the majority of its excess infrastructure in two ways. First, DOD can demolish, sell, or otherwise dispose of individual facilities on its installations when the facilities are determined to be excess or surplus. Second, DOD can close entire bases under the Base Realignment and Closure process. In addition, according to DOD officials, DOD's joint basing initiative is its primary vehicle for consolidating base support services: DOD expected to eliminate duplicate base support services where bases are adjacent to or in close proximity to one another. [148] The policy requires that agencies not increase the size of domestic real estate inventory, for space predominately used for offices and warehouses or offset any growth with corresponding reductions. Office of Management and Budget, Implementation of OMB Memorandum M-12-12 Section 3: Freeze the Footprint (Mar. 14, 2012). [149] Pub. L. No. 111-84, § 1108(a)(1), (Oct. 28, 2009), codified as amended at 10 U.S.C. § 115b(e). [150] The National Defense Authorization Act for Fiscal Year 2012 requires the Secretary of Defense to prescribe professional certification and credential standards for financial management positions within the Department of Defense. Pub. L. No. 112-81, § 1051, (Dec. 31, 2011), codified at 10 U.S.C. § 1599d. [151] GCSS-Army was initiated in December 2003 and is intended to provide all active Army, National Guard, and Army Reserve tactical units with the capability to track supplies, spare parts, and organizational equipment. The system is also intended to track unit maintenance, total cost of ownership, and other financial transactions related to logistics for all Army units--about 160,000 users. [152] General Fund Enterprise Business System, Logistics Modernization Program, Navy Enterprise Resource Planning, and Defense Enterprise Accounting and Management System. [153] SBR is the only financial statement predominantly derived from an entity's budgetary accounts in accordance with budgetary accounting rules, which are incorporated into generally accepted accounting principles for the federal government. SBR is designed to provide information on authorized budgeted spending authority and links to the Budget of the United States Government, including budgetary resources, availability of budgetary resources, and how obligated resources have been used. Budgetary resources include the amount available to enter into new obligations and to liquidate them. Budgetary resources are made up of new budget authority (including direct spending authority provided in existing statute and obligation limitations) and unobligated balances of budget authority provided in previous years. [154] Beginning in fiscal year 2015, DOD components will undergo examinations of component SBAs. Unlike the SBR, which reflects multiple-year budget activity, the SBA will reflect the balances and associated activity related only to funding approved on or after October 1, 2014. As a result, the SBAs will exclude unobligated and unexpended amounts carried over from prior years' funding as well as information on the status and use of such funding in subsequent years (e.g., obligations incurred, outlays). [155] Pub. L. No. 112-39, § 1005(a), codified at 10 U.S.C. § 2222 note. [156] The six DOD agencies that received unmodified opinions are U.S. Army Corps of Engineers - Civil Works, Defense Finance and Accounting Service, Defense Contract Audit Agency, Defense Commissary Agency, Defense Health Agency - Contract Resource Management, and Military Retirement Fund. [157] Medicare-Eligible Retiree Health Care Fund. [158] Pub. L. No. 113-66 § 1003, codified at 10 U.S.C. § 2222 note. [159] See NDAA for Fiscal Year 2010 and NDAA for Fiscal Year 2012. [160] DEAMS was initiated in August 2003 and is intended to provide the Air Force with the entire spectrum of financial management capabilities, including collections, commitments and obligations, cost accounting, general ledger, funds control, receipt and acceptance, accounts payable and disbursement, billing, and financial reporting for the general fund. [161] DEAMS, the General Fund Enterprise Business System, the Logistics Modernization Program, and Navy ERP. [162] The five risk management guiding principles include; (1) identifying risks that could prevent it from achieving its goals, (2) assessing the magnitude of those risks, (3) developing risk mitigation plans, (4) implementing mitigating actions to address the risks, and (5) monitoring the effectiveness of those mitigating actions. [163] House Armed Services Committee Panel on Defense Financial Management and Auditability Reform, Findings and Recommendations (Washington, D.C.: Jan. 24, 2012). [164] In December 2008 we, DOD, and the Office of Management and Budget discussed a set of cost growth metrics and goals to evaluate DOD's progress on improving program performance for purposes of our high-risk report. These metrics were designed to capture total cost- growth performance over 1-and 5-year periods as well as from the original program estimate on a percentage basis as opposed to dollar amount to control for the differences in the amount of funding among programs. DOD no longer supports the use of these metrics. We continue to believe that the current metrics have value. [165] In our 2013 high-risk update, we reported that the gap could span from 17 to 53 months or more, depending on how long the current satellites last and whether there are any delays in launching or operating the new one. More recently, NOAA officials reported that the gap could be as short as 3 months because of the relatively strong performance of the current satellite and their plan to reduce the expected length of the next satellite's on-orbit checkout period. However, we believe that the gap could occur sooner and last longer than NOAA anticipates if the launch is delayed, the on-orbit checkout takes longer than anticipated, or space debris causes the current satellite to fail early. [166] GAO, Department of Homeland Security: Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/11, [hyperlink, http://www.gao.gov/products/GAO-11-881] (Washington, D.C.: Sept. 7, 2011). This report addressed DHS's progress in implementing its homeland security missions since it began operations, work remaining, and issues affecting implementation efforts. Drawing from more than 1,000 GAO reports and congressional testimony issued related to DHS programs and operations, and approximately 1,500 recommendations made to strengthen mission and management implementation, this report addressed progress and remaining challenges in such areas as border security and immigration, transportation security, and emergency management, among others. [167] DHS, Secretary of Homeland Security, Strengthening Departmental Unity of Effort, Memorandum for DHS Leadership (Washington, D.C.: Apr. 22, 2014). [168] Although the March 2014 revisions we made to the actions and outcomes in most management areas were minor, there were more significant revisions to the now 8 financial management actions and outcomes that prevent their comparison across years. Excluding these 8 actions and outcomes, as well as the 4 nonfinancial management actions and outcomes for which the department had already earned the highest possible rating of "fully addressed," DHS had the opportunity to increase its ratings in 18 of 30 nonfinancial management actions and outcomes that were not fully addressed in our 2013 high-risk update. Of these 18 actions and outcomes, DHS increased its ratings in 10 over the last 2 years. [169] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, but is important enough to merit attention by those charged with governance. [170] As previously discussed, in March 2014, we updated the actions and outcomes in collaboration with DHS to reduce overlap and ensure their continued relevance and appropriateness. These updates resulted in a reduction from nine to eight total financial management actions and outcomes. [171] The Information Sharing Environment was established in accordance with section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), as amended. See Pub. L. No. 108-458, § 1016, 118 Stat. 3638, 3664-70 (2004) (codified as amended at 6 U.S.C. § 485). See also 6 U.S.C. § 482 (requiring the establishment of procedures for the sharing of homeland security information). [172] Intelligence, terrorism, homeland security, law enforcement, and other information is collectively referred to as terrorism-related information in the context of this section. [173] The Office of the Program Manager for the Environment is situated within and funded through amounts appropriated to ODNI. Additional agencies and departments also participate in the Environment, including Air Force Intelligence, Central Intelligence Agency, Department of Commerce, Department of Energy, Department of Health and Human Services, Department of Interior, Department of Transportation, Department of Treasury, National Counterterrorism Center, National Geospatial Intelligence Agency, and National Reconnaissance Office. [174] In December 2012, the President signed the National Strategy for Information Sharing and Safeguarding (National Strategy) which provides guidance on the implementation of policies, standards and technologies that promote secure and responsible national security information sharing. This document builds on the 2010 National Security Strategy and the 2007 National Strategy for Information Sharing. The National Strategy identifies priority objectives, which have been incorporated into the Environment Implementation Plan. [175] The Policy Committee is the national decision-making body for high-level, cross-cutting information sharing and safeguarding policy matters. The Policy Committee is co-chaired by the Program Manager for the Information Sharing Environment and a member of the National Security Council Staff. Membership of the committee includes representatives for each of the five key departments. [176] An enterprise architecture, or modernization blueprint, is intended to provide a clear and comprehensive picture of an entity, whether it is an organization (e.g., federal department or agency) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of the enterprise's current and target operational and technological environments, and contains a road map for transitioning from the current to the target environment. [177] GAO, Information Sharing Environment: Better Road Map Needed to Guide Implementation and Investments, [hyperlink, http://www.gao.gov/products/GAO-11-455] (Washington, D.C.: July 21, 2011). [178] [hyperlink, http://www.gao.gov/products/GAO-11-455]. [179] GAO, Information Sharing: DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts, [hyperlink, http://www.gao.gov/products/GAO-12-809] (Washington, D.C.: September 18, 2012). [180] Under a federated approach, the architecture consists of a family of coherent but distinct member architectures that conform to an overarching corporate or parent architecture approach. As such, member architectures (e.g., component, subordinate, or subsidiary architectures) are substantially autonomous, but they also inherit certain rules, policies, procedures, and services from the parent architectures. [181] The annual Environment Performance Assessment Questionnaire (PAQ) surveys the federal agencies involved in the Environment to gain an understanding of the overall state of information sharing among and between federal agencies. [182] The federal Chief Information Officer Council is the principal interagency forum to improve agency practices on such matters as the design, modernization, use, sharing, and performance of agency information resources. [183] [hyperlink, http://www.gao.gov/products/GAO-11-455]. [184] GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, [hyperlink, http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3, 2004). [185] The Information Sharing Environment Annual Report to Congress examines the extent to which the mandate in the Intelligence Reform and Terrorism Prevention Act of 2004, as amended, to establish an information sharing environment, and for the sharing of terrorism- related information in general, is being implemented. See 6 U.S.C. § 485(h). [186] In general, fusion centers serve as the focal point within the state and local environment for the receipt, analysis, gathering, and sharing of threat-related information between the federal government and state, local, tribal, territorial and private sector partners. [187] GAO, Information Sharing: DHS Is Assessing Fusion Center Capabilities and Results, but Needs to More Accurately Account For Federal Funding Provided to Centers, [hyperlink, http://www.gao.gov/products/GAO-15-155] (Washington, D.C.: Nov. 4, 2014). [188] GAO, Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities, [hyperlink, http://www.gao.gov/products/GAO-13-471] (Washington, D.C.: April 4, 2013). [189] Critical infrastructure includes systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on national security. These critical infrastructures are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. [190] A breach of data refers to an unauthorized or unintentional exposure, disclosure, or loss of sensitive information. [191] In 2010, DHS was assigned OMB's operational cybersecurity responsibilities by OMB Memorandum M-10-28 (July 6, 2010). [192] The 2002 FISMA was enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347(Dec. 17, 2002). The 2014 Federal Information Security Modernization Act superseded the 2002 FISMA on December 18, 2014, Pub. L. No. 113-283 (Dec. 18, 2014). [193] Pub. L. No. 113-246 (Dec. 18, 2014) and Sec, 4, Pub. L. No. 113- 277 (Dec, 18, 2014). [194] Pub. L. No. 113-282 (Dec. 18, 2014). [195] Pub. L. No. 113-274 (Dec. 18, 2014). [196] GAO, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination, [hyperlink, http://www.gao.gov/products/GAO-12-8] (Washington, D.C.: Nov. 29, 2011). [197] Subsequent references to FISMA relate to FISMA 2002, unless noted otherwise. Cyberscope is an interactive data collection tool that has the capability to receive data feeds on a recurring basis to assess the security posture of a federal agency's information infrastructure. [198] GAO, Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness, GAO -13-776 (Washington, D.C.: Sept. 26, 2013). [199] CyberStat reviews are in-depth sessions with national security staff, OMB, DHS, and an agency to discuss that agency's cybersecurity posture and discuss opportunities for collaboration. [200] These totals represent both paper-based and cyber-related incidents reported by federal agencies. [201] We did not receive a fiscal year 2014 annual financial report from the Department of Housing and Urban Development (HUD). The report will not be available until March 2015. The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. A material weakness is a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. [202] We did not receive a fiscal year 2014 annual financial report from HUD. The report will not be available until March 2015. [203] GAO, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks, [hyperlink, http://www.gao.gov/products/GAO-12-361] (Washington, D.C.: Mar. 23, 2012). [204] Building and access control systems are computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning. GAO, Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems, [hyperlink, http://www.gao.gov/products/GAO-15-6] (Washington D.C.: Dec. 12, 2014). [205] GAO, Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity, [hyperlink, http://www.gao.gov/products/GAO-14-459] (Washington, D.C.: June 5, 2014). [206] GAO, Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities' Emerging Technology, [hyperlink, http://www.gao.gov/products/GAO-14-125] (Washington, D.C.: Jan. 28, 2014). [207] GAO, Communications Networks: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts, [hyperlink, http://www.gao.gov/products/GAO-13-275] (Washington, D.C.: Apr. 3, 2013). [208] GAO, Information Security: Agencies Need to Improve Oversight of Contractor Controls, [hyperlink, http://www.gao.gov/products/GAO-14-612] (Washington, D.C.: Aug. 8, 2014). [209] GAO, Information Security: Agencies Need to Improve Cyber Incident Response Practices, [hyperlink, http://www.gao.gov/products/GAO-14-354] (Washington, D.C.: Apr. 30, 2014). [210] GAO, Information Security: Additional Oversight Needed to Improve Programs as Small Agencies, [hyperlink, http://www.gao.gov/products/GAO-14-344] (Washington, D.C.: June 25, 2014). [211] GAO, Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape, [hyperlink, http://www.gao.gov/products/GAO-12-961T] (Washington, D.C.: July 31, 2012). [212] GAO, Healthcare.Gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls, [hyperlink, http://www.gao.gov/products/GAO-14-730] (Washington, D.C. Sept. 16, 2014). [213] GAO, Information Security: Additional Oversight Needed to Improve Programs at Small Agencies, [hyperlink, http://www.gao.gov/products/GAO-14-344] (Washington, D.C.: June 25, 2014). [214] GAO, Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation, [hyperlink, http://www.gao.gov/products/GAO-14-44] (Washington, D.C.: Jan.13, 2014). [215] GAO, Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, [hyperlink, http://www.gao.gov/products/GAO-14-34] (Washington, D.C.: Dec. 9, 2013). [216] GAO, Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy, [hyperlink, http://www.gao.gov/products/GAO-12-903], (Washington, D.C.: Sept. 11, 2012). [217] GAO, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, [hyperlink, http://www.gao.gov/products/GAO-13-663] (Washington, D.C.: Sept. 25, 2013). [218] FISMA 2014. [219] In addition, as a result of 2008 Farm Bill provisions amending the Federal Meat Inspection Act, regulatory responsibility for catfish inspection will fall to FSIS once it issues final regulations for a mandatory catfish examination and inspection program. In May 2012, we suggested that Congress consider repealing these provisions of the 2008 Farm Bill. However, the 2014 Farm Bill instead modified these provisions to require the Secretary of Agriculture to enter into a memorandum of understanding (MOU) with the Commissioner of FDA that would ensure that inspection of catfish conducted by FSIS and FDA are not duplicative. We maintain that such an MOU does not address the fundamental problem, which is that FSIS's catfish program, if implemented, would result in duplication of activities and an inefficient use of taxpayer funds. Duplication would result if facilities that process both catfish and other seafood were inspected by both FSIS and FDA. [220] Pub. L. No. 111-352, 124 Stat. 3866 (2011). GPRAMA amended provisions of the Government Performance and Results Act of 1993 (GPRA), Pub. L. No. 103-62, 107 Stat. 285. [221] FDA officials said they thought the FSWG's last meeting was in April 2011, but they could not provide an exact date. The last item posted under "recent actions" on the FSWG's website is its December 2011 Progress Report. [222] Pub. L. No. 111-353, 124 Stat. 3885 (2011). [223] JWST is now estimated to cost $8.8 billion--which is a 78 percent increase over its fiscal year 2009 baseline. We excluded JWST cost and schedule growth from the calculations of the portfolio because including its cost and schedule growth masks any changes in the rest of the portfolio, as the magnitude of JWST, in terms of both schedule and cost growth, is larger than the other projects in the portfolio that are in implementation. [224] GAO, Best Practices: Using a Knowledge-Based Approach to Improve Weapon Acquisition, [hyperlink, http://www.gao.gov/products/GAO-04- 386SP (Washington, D.C.: Jan. 2004) and Best Practices: Better Matching of Needs and Resources Will Lead to Better Weapon System Outcomes, [hyperlink, http://www.gao.gov/products/GAO-01-288 (Washington, D.C.: Mar. 8, 2001). [225] In our 2012 report, we identified 45 federal programs that supported employment for people with disabilities. GAO, Employment for People with Disabilities: Little is Known about the Effectiveness of Fragmented and Overlapping Programs, [hyperlink, http://www.gao.gov/products/GAO-12-667 (Washington, D.C.: June 29, 2012). [226] SSA's Disability Insurance and Supplemental Security Income programs together paid $193.4 billion in benefits in fiscal year 2014, while VA paid $49.2 billion in disability compensation benefits in fiscal year 2013. Benefits paid under these programs have grown and are expected to continue growing for the foreseeable future. In particular, SSA's Disability Insurance Trust Fund is predicted to be depleted in 2016, due in part to a growing population of beneficiaries. [227] Affirmative Action and Nondiscrimination Obligations of Contractors and Subcontractors Regarding Individuals with Disabilities, 78 Fed. Reg. 58,682 (Sept. 24, 2013). [228] Exec. Order No. 13,163, 65 Fed. Reg. 46,563 (July 28, 2000). [229] Exec. Order No. 13,548, 75 Fed. Reg. 45,039 (July 30, 2010). [230] At the end of fiscal year 2014, PBGC estimated that its loss exposure in its single-employer program for reasonably possible plan terminations was about $167 billion and that its loss exposure in its multiemployer program for reasonably possible plans requiring future financial assistance was about $17 billion. [231] Pub. L. No. 109-280, 120 Stat. 780. In response to the recession, these provisions were substantially softened--initially, in 2008, by phasing in PPA's changes, and then, in 2010, through changes in how minimum contributions are calculated. Worker, Retiree, and Employer Recovery Act of 2008, Pub. L. No. 110-458, §§ 101, 102, 121 and 122, 122 Stat. 5092, 5093-5103, and 5113-14 and Preservation of Access to Care for Medicare Beneficiaries and Pension Relief Act of 2010, Pub. L. No. 111-192, tit. II, 124 Stat.1280, 1283-1306. [232] Pub. L. No. 112-141, §§ 40211-40242, 126 Stat. 405, 846-864. [233] Pub. L. No. 113-67, § 703, 127 Stat. 1165, 1190-92. [234] Pub. L. No. 113-159, § 2003, 128 Stat. 1838, 1849-51. [235] Pub. L. No. 113-235, div. O, 128 Stat. -----, -----(passed as part of the Consolidated and Further Continuing Appropriations Act, 2015). [236] Private Pensions: Timely Action Needed to Address Impending Multiemployer Plan Insolvencies, [hyperlink, http://www.gao.gov/products/GAO-13-240 (Washington, D.C.: March 2013). [237] In a 2010 report, we also made several recommendations to PBGC regarding the multiemployer program. In response, PBGC took steps to improve its oversight of multiemployer plans. Agency officials reported that they began sharing more information on these plans with other agencies, and that they strengthened their monitoring by, among other things, re-assigning attorneys to work primarily on multiemployer plan matters, awarding an audit services contract to develop nonfinancial assistance to plans, and authorizing additional positions to oversee financial assistance for troubled plans. Private Pensions: Changes Needed to Better Protect Multiemployer Pension Benefits. [hyperlink, http://www.gao.gov/products/GAO-11-79. Washington, D.C.: October 18, 2010. [238] § 201(a)(6) and (b)(5) (to be codified at 29 U.S.C. § 1085(e)(9) and 26 U.S.C. § 432(e)(9), respectively). Benefits may not be reduced to less than 110 percent of monthly benefit guaranteed by PBGC. Benefit reductions are further limited for retirees over 75 and no benefits based on disability may be suspended. The Department of the Treasury, in consultation with the Department of Labor and PBGC, must approve any proposal to suspend benefits. [239] § 131(a)(1) (to be codified at 29 U.S.C. § 1306(a)(3)(A)(vi)). In addition to raising premiums for multiemployer plans, MPRA requires PBGC to analyze the effect of the most recent premium increases on the multiemployer program deficit. If current premiums are not sufficient to meet current and future obligations of the program, PBGC must propose to Congress a schedule of revised premiums. § 131(c). [240] § 121(a) (to be codified at 29 U.S.C. § 1411(e)). [241] 29 U.S.C. §§ 1306 and 1307. [242] § 40231(a) and (d), 126 Stat. 853-54 and 855, respectively. [243] § 40231(f), 126 Stat. 855 -56. [244] National Academy of Public Administration, The Governance Structure of the Pension Benefit Guaranty Corporation: An Independent Review (Washington, D.C.: Sept. 2013). [245] 29 U.S.C. § 1302(a). [246] The remaining one-third of these health care costs are financed by beneficiaries' direct spending, private supplements--such as Medigap--and other public sources. [247] In reporting the results of our audit of the U.S. government's fiscal years 2013 and 2012 consolidated financial statements, we noted that significant uncertainties, primarily related to the achievement of these projected reductions in Medicare cost growth reflected in the 2013, 2012, 2011, and 2010 Statements of Social Insurance, prevented us from expressing an opinion on those statements as well as on the 2013 and 2012 Statements of Changes in Social Insurance Amounts. See Financial Audit: U.S. Government's Fiscal Years 2013 and 2012 Consolidated Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-14-319R (Washington, D.C.: February 27, 2014). Our audit of the U.S. Government's Fiscal Year 2014 consolidated financial statements is currently in progress. [248] In general, a technological change that enables providers to treat a previously untreatable disease will increase health care spending, while expanding disease management or shifting disease management to prevention or cure can lead to either increased or decreased health care spending. However, the introduction of new treatments and technologies may result in increased health care spending due to the possibility that health complications may arise from a new treatment, or that patients survive one disease long enough and eventually are diagnosed with an additional disease with additional treatment costs. [249] Patient Protection and Affordable Care Act: Effect on Long-Term Federal Budget Outlook Largely Depends on Whether Cost Containment Sustained, [hyperlink, http://www.gao.gov/products/GAO-13-281 (Washington, D.C.: January 31, 2013). [250] Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111- 152, 124 Stat. 1029 (2010). In this report, references to "PPACA" include amendments made by the Health Care and Education Reconciliation Act of 2010. [251] Medicare: Continuous Insurance before Enrollment Associated with Better Health and Lower Program Spending, [hyperlink, http://www.gao.gov/products/GAO-14-53 (Washington, D.C.: December 17, 2013). [252] Medicare consists of four parts. Parts A and B are known as Medicare FFS. Part A covers hospital and other inpatient stays and Part B covers hospital outpatient, physician, and other services. Part C, also known as Medicare Advantage, is the private plan alternative to Medicare FFS under which beneficiaries receive benefits through private health plans. Part D is the outpatient prescription drug benefit. [253] In addition to provisions to expand health insurance coverage, PPACA provided CMS with certain authorities to combat fraud, waste, and abuse in Medicare. See, for example, Pub. L. No. 111-148, § 6402, 124 Stat. 119, 753 (2010). [254] Centers for Medicare & Medicaid Services, Office of the Actuary, 2013 Actuarial Report on the Financial Outlook for Medicaid (Washington, D.C.: 2013). [255] PPACA also provides for a 5 percent income disregard when calculating modified adjusted gross income for determining Medicaid eligibility, which effectively increases this income level to 138 percent of the FPL. FPL refers to federal poverty guidelines issued by the Department of Health and Human Services each year in the Federal Register. [256] The challenges and risks associated with Medicaid improper payments are discussed separately below. [257] In calendar years 2008 and 2009, less than 4 percent of beneficiaries who had Medicaid coverage for a full year reported difficulty obtaining medical care, which was similar to individuals with full-year private insurance. [258] [hyperlink, http://www.gao.gov/products/GAO-12-38. [259] A federal review team led by CMS and including representatives from other HHS agencies, HHS Secretarial offices, and the Office of Management and Budget (OMB) reviews state Medicaid demonstrations. While OMB is part of the federal review team, it defers approval of demonstrations to HHS. CMS's Office of Actuary provides nationwide data on projected Medicaid cost growth, but is not part of the federal review team. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]