This is the accessible text file for GAO report number GAO-05-207 entitled 'High-Risk Series: An Update' which was released on January 25, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. January 2005: HIGH-RISK SERIES: An Update: GAO-05-207: GAO Highlights: Highlights of GAO-05-207, a report to Congress on GAO’s High-Risk Series: Why Area Is High Risk: GAO’s audits and evaluations identify federal programs and operations that, in some cases, are high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. Increasingly, GAO also is identifying high-risk areas to focus on the need for broad-based transformations to address major economy, efficiency, or effectiveness challenges. Since 1990, GAO has periodically reported on government operations that it has designated as high risk. In this 2005 update for the 109th Congress, GAO presents the status of high-risk areas identified in 2003 and new high-risk areas warranting attention by the Congress and the administration. Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the American public, strengthen public confidence and trust in the performance and accountability of our national government, and ensure the ability of government to deliver on its promises. What GAO Found: In January 2003, GAO identified 25 high-risk areas; in July 2003, a 26th high-risk area was added to the list. Since then, progress has been made in all areas, although the nature and significance of progress varies by area. Federal departments and agencies, as well as the Congress, have shown a continuing commitment to addressing high- risk challenges and have taken various steps to help correct several of the problems’ root causes. GAO has determined that sufficient progress has been made to remove the high-risk designation from three areas: student financial aid programs, FAA financial management, and Forest Service financial management. Also, four areas related to IRS have been consolidated into two areas. This year, GAO is designating four new high-risk areas. The first new area is establishing appropriate and effective information-sharing mechanisms to improve homeland security. Federal policy creates specific requirements for information-sharing efforts, including the development of processes and procedures for collaboration between federal, state, and local governments and the private sector. This area has received increased attention but the federal government still faces formidable challenges sharing information among stakeholders in an appropriate and timely manner to minimize risk. The second and third new areas are, respectively, DOD’s approach to business transformation and its personnel security clearance program. GAO has reported on inefficiencies and inadequate transparency and accountability across DOD’s major business areas, resulting in billions of dollars of wasted resources. Senior leaders have shown commitment to business transformation through individual initiatives in acquisition reform, business modernization, and financial management, among others, but little tangible evidence of actual improvement has been seen in DOD’s business operations to date. DOD needs to take stronger steps to achieve and sustain business reform on a departmentwide basis. Further, delays by DOD in completing background investigations and adjudications can affect the entire government because DOD performs this function for hundreds of thousands of industry personnel from 22 federal agencies, as well as its own service members, federal civilian employees, and industry personnel. OPM is to assume DOD’s personnel security investigative function, but this change alone will not reduce the shortages of investigative personnel. The fourth area is management of interagency contracting. Interagency contracts can leverage the government’s buying power and provide a simplified and expedited method of procurement. But several factors can pose risks, including the rapid growth of dollars involved combined with the limited expertise of some of agencies in using these contracts and recent problems related to their management. Various improvement efforts have been initiated to address this area, but improved policies and processes, and their effective implementation, are needed to ensure that interagency contracting achieves its full potential in the most effective and efficient manner. What Remains to Be Done: This report contains GAO’s views on what remains to be done for each high-risk area to bring about lasting solutions. Perseverance by the administration in implementing GAO’s recommended solutions and continued oversight and action by the Congress are both essential. www.gao.gov/cgi-bin/getrpt?GAO-05-207. To view the full product, including the scope and methodology, click on the link above. For more information, contact George H. Stalcup at (202) 512-9490 or stalcupg@gao.gov. GAO's 2005 High-Risk List: 2005 High-Risk Areas: Addressing Challenges In Broad-based Transformations: * Strategic Human Capital Management[A]. * U.S. Postal Service Transformation Efforts and Long-Term Outlook[A]. * Managing Federal Real Property[A]. * Protecting the Federal Government's Information Systems and the Nation's Critical Infrastructures. * Implementing and Transforming the Department of Homeland Security. * Establishing Appropriate And Effective Information-Sharing Mechanisms to Improve Homeland Security. * DOD Approach to Business Transformation[A]. * DOD Business Systems Modernization. * DOD Personnel Security Clearance Program. * DOD Support Infrastructure Management. * DOD Financial Management. * DOD Supply Chain Management (formerly Inventory Management). * DOD Weapon Systems Acquisition. 2005 High-Risk Areas: Managing Federal Contracting More Effectively: * DOD Contract Management. * DOE Contract Management. * NASA Contract Management. * Management of Interagency Contracting. 2005 High-Risk Areas: Assessing the Efficiency and Effectiveness of Tax Law Administration. * Enforcement of Tax Laws[A, B]. * IRS Business Systems Modernization[C]. 2005 High-Risk Areas: Modernizing and Safeguarding Insurance and Benefit Programs: * Modernizing Federal Disability Programs[A]. * Pension Benefit Guaranty Corporation Single- Employer Insurance Program[A]. * Medicare Program[A]. * Medicaid Program[A]. * HUD Single-Family Mortgage Insurance and Rental Housing Assistance Programs. 2005 High-Risk Areas: Other: * FAA Air Traffic Control Modernization. Source: GAO. [A] Legislation is likely to be necessary, as a supplement to actions by the executive branch, in order to effectively address this high-risk area. [B] Two high-risk areas--Collection of Unpaid Taxes and Earned Income Credit Noncompliance--have been consolidated to make this area. [C] The IRS Financial Management high-risk area has been incorporated into this high-risk area. [End of table] Contents: Transmittal Letter: Historical Perspective: High-Risk Designations Removed: Student Financial Aid Programs: FAA Financial Management: Forest Service Financial Management: New High-Risk Areas: Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security: DOD Approach to Business Transformation: DOD Personnel Security Clearance Program: Management of Interagency Contracting: Emerging Areas: Progress Being Made in Other High-Risk Areas: High-Risk Areas Consolidated: Collection of Unpaid Taxes and Earned Income Credit Noncompliance: IRS Business Systems Modernization and IRS Financial Management: Highlights for Each High-Risk Area: Transmittal Letter: January 2005: The President of the Senate: The Speaker of the House of Representatives: Since 1990, GAO has periodically reported on government operations that it identifies as "high risk." This effort, which is supported by the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Government Reform, has brought a much needed focus to problems that are impeding effective government and costing the government billions of dollars each year. To help, GAO has made hundreds of recommendations to improve these high-risk operations. Moreover, GAO's focus on high-risk problems contributed to the Congress enacting a series of governmentwide reforms to address critical human capital challenges, strengthen financial management, improve information technology practices, and instill a more results-oriented government. GAO's high-risk status reports are provided at the start of each new Congress. This update should help the Congress and executive branch in carrying out their responsibilities while improving the government's performance and enhancing its accountability for the benefit of the American people. It summarizes progress made in correcting high-risk problems, actions under way, and further actions that GAO believes are needed. In this update, GAO has determined that sufficient progress has been made to remove the high-risk designation from three areas, and has designated four new areas as high risk. In addition, several prior high-risk areas have been consolidated or modified. GAO's high-risk program has increasingly focused on those major programs and operations that need urgent attention and transformation in order to ensure that our national government functions in the most economical, efficient, and effective manner possible. Further, the Bush Administration has looked to GAO's program in shaping governmentwide initiatives such as the President's Management Agenda, which has at its base many of the areas GAO had previously designated as high risk. As in prior GAO high-risk update reports, federal programs and operations are also emphasized when they are at high risk because of their greater vulnerabilities to fraud, waste, abuse, and mismanagement. In addition, some of these high-risk agencies, programs, or policies are in need of transformation, and several will require action by both the executive branch and the Congress. Our objective for the high-risk list is to bring "light" to these areas as well as "heat" to prompt needed "actions." Copies of this update are being sent to the President, the congressional leadership, other Members of the Congress, the Director of the Office of Management and Budget, and the heads of major departments and agencies. Signed by: David M. Walker: Comptroller General of the United States: [End of section] Historical Perspective: In 1990, GAO began a program to report on government operations that we identified as "high risk." Since then, generally coinciding with the start of each new Congress, we have periodically reported on the status of progress to address high-risk areas and updated our high-risk list. Our most recent high-risk update was in January 2003.[Footnote 1] Overall, our high-risk program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since our program began, the government has taken high-risk problems seriously and has made long- needed progress toward correcting them. In some cases, progress has been sufficient for us to remove the high-risk designation. The overall changes to our high-risk list over the past 15 years are shown in table 1. Areas removed from the high-risk list over that same period are shown in table 2. The areas on GAO's 2005 high-risk list and the year each was designated as high risk are shown in table 3. Table 1: Overall Changes to GAO's High-Risk List, 1990 to 2005: Changes, 1990-2005: Original high-risk list in 1990; Number of areas: 14. Changes, 1990-2005: High-risk areas added since 1990; Number of areas: 29. Changes, 1990-2005: High-risk areas removed since 1990; Number of areas: 16. Changes, 1990-2005: High-risk areas consolidated since 1990; Number of areas: 2. Changes, 1990-2005: High-risk list in 2005; Number of areas: 25. Source: GAO. [End of table] Table 2: Areas Removed from GAO's High-Risk List, 1990 to 2005: Area: Federal Transit Administration Grant Management; Year removed: 1995; Year designated high risk: 1990. Area: Pension Benefit Guaranty Corporation; Year removed: 1995; Year designated high risk: 1990. Area: Resolution Trust Corporation; Year removed: 1995; Year designated high risk: 1990. Area: State Department Management of Overseas Real Property; Year removed: 1995; Year designated high risk: 1990. Area: Bank Insurance Fund; Year removed: 1995; Year designated high risk: 1991. Area: Customs Service Financial Management; Year removed: 1999; Year designated high risk: 1991. Area: Farm Loan Programs; Year removed: 2001; Year designated high risk: 1990. Area: Superfund Program; Year removed: 2001; Year designated high risk: 1990. Area: National Weather Service Modernization; Year removed: 2001; Year designated high risk: 1995. Area: The 2000 Census; Year removed: 2001; Year designated high risk: 1997. Area: The Year 2000 Computing Challenge; Year removed: 2001; Year designated high risk: 1997. Area: Asset Forfeiture Programs; Year removed: 2003; Year designated high risk: 1990. Area: Supplemental Security Income; Year removed: 2003; Year designated high risk: 1997. Area: Student Financial Aid Programs; Year removed: 2005; Year designated high risk: 1990. Area: Federal Aviation Administration Financial Management; Year removed: 2005; Year designated high risk: 1999. Area: Forest Service Financial Management; Year removed: 2005; Year designated high risk: 1999. Source: GAO. [End of table] Table 3: The Year that Areas on GAO's 2005 High-Risk List Were Designated as High Risk: Area: Medicare Program; Year designated high risk: 1990. Area: DOD Supply Chain Management; Year designated high risk: 1990[A]. Area: DOD Weapon Systems Acquisition; Year designated high risk: 1990. Area: DOE Contract Management; Year designated high risk: 1990. Area: NASA Contract Management; Year designated high risk: 1990. Area: Enforcement of Tax Laws; Year designated high risk: 1990[B]. Area: DOD Contract Management; Year designated high risk: 1992. Area: HUD Single-Family Mortgage Insurance and Rental Housing Assistance Programs; Year designated high risk: 1994. Area: DOD Financial Management; Year designated high risk: 1995. Area: DOD Business Systems Modernization; Year designated high risk: 1995. Area: IRS Business Systems Modernization; Year designated high risk: 1995[C]. Area: FAA Air Traffic Control Modernization; Year designated high risk: 1995. Area: Protecting the Federal Government's Information Systems and the Nation's Critical Infrastructures; Year designated high risk: 1997. Area: DOD Support Infrastructure Management; Year designated high risk: 1997. Area: Strategic Human Capital Management; Year designated high risk: 2001. Area: U.S. Postal Service Transformation Efforts and Long-Term Outlook; Year designated high risk: 2001. Area: Medicaid Program; Year designated high risk: 2003. Area: Managing Federal Real Property; Year designated high risk: 2003. Area: Modernizing Federal Disability Programs; Year designated high risk: 2003. Area: Implementing and Transforming the Department of Homeland Security; Year designated high risk: 2003. Area: Pension Benefit Guaranty Corporation Single-Employer Insurance Program; Year designated high risk: 2003. Area: Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security; Year designated high risk: 2005. Area: DOD Approach to Business Transformation; Year designated high risk: 2005. Area: DOD Personnel Security Clearance Program; Year designated high risk: 2005. Area: Management of Interagency Contracting; Year designated high risk: 2005. Source: GAO. [A] This area was formerly entitled DOD Inventory Management. [B] One of the two high-risk areas that were consolidated to make this area--Collection of Unpaid Taxes--was designated high risk in 1990. The other area--Earned Income Credit Noncompliance--was designated high risk in 1995. [C] IRS Financial Management has been incorporated into the IRS Business Systems Modernization high-risk area. Both areas were initially designated as high risk in 1995. [End of table] Eight of the 16 areas removed from the list over the years were among the 14 programs and operations we determined to be high risk at the outset of our efforts to monitor such programs. These results demonstrate that the sustained attention and commitment by the Congress and agencies to resolve serious, long-standing high-risk problems have paid off, as root causes of the government's exposure for half of our original high-risk list have been successfully addressed. Historically, high-risk areas have been so designated because of traditional vulnerabilities related to their greater susceptibility to fraud, waste, abuse, and mismanagement. As our high-risk program has evolved, we have increasingly used the high-risk designation to draw attention to areas associated with broad-based transformations needed to achieve greater economy, efficiency, effectiveness, accountability, and sustainability of selected key government programs and operations. Perseverance by the executive branch is needed in implementing our recommended solutions for addressing these high-risk areas. Continued congressional oversight and, in some cases, additional legislative action will also be key to achieving progress, particularly in addressing challenges in broad-based transformations. To determine which federal government programs and functions should be designated high risk, we used our guidance document, Determining Performance and Accountability Challenges and High Risks.[Footnote 2] In determining whether a government program or operation is high risk, we consider whether it involves national significance or a management function that is key to performance and accountability. We also consider whether the risk is: * an inherent problem, such as may arise when the nature of a program creates susceptibility to fraud, waste, and abuse, or: * a systemic problem, such as may arise when the programmatic; management support; or financial systems, policies, and procedures established by an agency to carry out a program are ineffective, creating a material weakness. Further, we consider qualitative factors, such as whether the risk: * involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens' rights, or: * could result in significantly impaired service; program failure; injury or loss of life; or significantly reduced economy, efficiency, or effectiveness. Before making a high-risk designation, we also consider the corrective measures an agency may have planned or under way to resolve a material control weakness and the status and effectiveness of these actions. When legislative and agency actions, including those in response to our recommendations, result in significant and sustainable progress toward resolving a high-risk problem, we remove the high-risk designation. Key determinants here include a demonstrated strong commitment to and top leadership support for addressing problems, the capacity to do so, a corrective action plan, and demonstrated progress in implementing corrective measures. The next section discusses how we applied our criteria in determining what areas to remove and to add since our last update in January 2003. [End of section] High-Risk Designations Removed: For this 2005 high-risk update, we determined that three high-risk areas warranted removal from the list. They are the Department of Education's (Education) Student Financial Aid Programs, Federal Aviation Administration (FAA) Financial Management, and the Department of Agriculture's (USDA) Forest Service Financial Management. We will, however, continue to monitor these programs, as appropriate, to ensure that the improvements we have noted are sustained. Student Financial Aid Programs: In 1990, we designated student financial aid programs as high risk. Since then, in previous high-risk updates, we reported various problems, including poor financial management and weak internal controls, fragmented and inefficient information systems, and inadequate attention to program integrity as evidenced by high default rates and the numbers of ineligible students participating in the programs. In 1998, the Congress established Education's Office of Federal Student Aid (FSA) as the government's first performance-based organization, thus giving it greater flexibility to better address long-standing management weaknesses with student aid programs. In 2001, Education created a team of senior managers dedicated to addressing key financial and management problems throughout the agency, and in 2002, the Secretary of Education made removal from GAO's high-risk list a specific goal and listed it as a performance measure in Education's strategic plan. We reported in 2003 that Education had made important progress, but that it was too early to determine whether improvements would be sustained and that additional steps needed to be taken in several areas. Since 2003, as discussed below, Education has sustained improvements in the financial management of student financial aid programs and taken additional steps to address our concerns about systems integration, reporting on defaulted loans, and human capital management. Furthermore, the agency has met many of our criteria for removing the high-risk designation. Education has demonstrated a strong commitment to addressing risks; developed and implemented corrective action plans; and, through its annual planning and reporting processes, monitored the effectiveness and sustainability of its corrective measures. Thus, while FSA needs to continue its progress and take additional steps to fully address some of our recommendations, we are removing the high- risk designation from student financial aid programs. FSA has sustained improvements to address its financial management and internal control weaknesses. FSA received an unqualified, or "clean," opinion on its financial statements for fiscal years 2002, 2003, and 2004. In addition, the auditors indicated progress in addressing previously identified internal control weaknesses, with no material weaknesses[Footnote 3] reported in FSA's fiscal year 2003 and 2004 audits. However, the auditors reported that FSA should continue to further strengthen these internal controls, which are related to the calculation and reporting of the loan liability activity and subsidy estimates as well as its information systems controls. FSA has also established processes to address several previously reported internal control weaknesses that made FSA vulnerable to improper payments in its grant and loan programs. For example, FSA has taken steps to better ensure that grants are not awarded to ineligible students and has implemented a process to identify and investigate schools for possible fraudulent activities or eligibility-related violations. Further, FSA addressed concerns we raised about students who were underreporting family income, by working with the Office of Management and Budget and the Department of the Treasury to draft legislation that would permit use of tax information to verify income reported on student aid applications. FSA has taken further actions toward integrating its many disparate information systems. FSA has developed an integration strategy that focuses on achieving a seamless information exchange environment whereby users--students, educational institutions, and lenders--would benefit from simplified access to the agency's financial aid processes and more consistent and accurate data across its programs. FSA also has made progress toward establishing an enterprise architecture for guiding its systems integration efforts and has begun three efforts for reengineering its information-processing environment, which would consolidate and integrate most of its systems and move it closer to a seamless information exchange environment. FSA also included action steps for achieving default management goals in its annual plan and has taken steps to help reduce the student loan default rate. In 2003, FSA created a work group that identified over 60 default prevention and management initiatives and established a new organizational unit to focus on mitigating and reducing the risk of loss to the taxpayer from student obligations. FSA added information to its exit-counseling guide to help increase borrowers' awareness of the benefits of repaying their loans through electronic debiting accounts and prepayment options. In 2003, FSA reported a cohort default rate of 5.4 percent for 2001, and defaulted loans as a percentage of total outstanding loans declined from 9.4 percent in 2001 to 7.6 percent in 2003. FSA is taking steps to address its human capital challenges. It developed a comprehensive human capital strategy that includes many of the practices of leading organizations and has addressed many of the issues we previously raised. For example, FSA identified challenges that it will likely face in coming years, such as likely retirements, and discussed recognized weaknesses, such as the need to develop the skills of staff and maintain the focus of the agency's leadership on human capital issues. FSA has also prepared a succession plan that addresses some of our concerns about the pending retirement of senior employees in key positions across the agency. Additionally, FSA has established several approaches to support staff development by revising its Skills Catalog, which should enable staff to independently plan their professional development; introducing online learning tools; offering a wide variety of internal courses; and providing funds for external courses. FAA Financial Management: We first designated FAA financial management as high risk in 1999 because the agency lacked accountability for billions of dollars in assets and expenditures due to serious weaknesses in its financial reporting, property, and cost accounting systems. These problems continued through fiscal year 2001, when FAA's financial management system required 850 adjustments totaling $41 billion in order to prepare FAA's annual financial statements. In addition, at that time, FAA could not accurately and routinely account for property totaling a reported $11.7 billion, and lacked the cost information necessary for decision making as well as to adequately account for its activities and major projects, such as the air traffic control modernization program. Also, while FAA received an unqualified audit opinion on its fiscal year 2001 financial statements, the auditor's report cited a material internal control weakness related to FAA's lack of accountability for its property and several other internal control weaknesses related to financial management issues. At the time of our January 2003 high-risk report, FAA had made significant progress in addressing its financial management weaknesses, most importantly through ongoing efforts to develop a new financial management system called Delphi, including an integrated property accounting system, as well as initiatives to develop a new cost accounting system. However, these new systems were still under development and not yet operational. Therefore, it had yet to be seen whether the new systems would resolve the long-standing financial management issues that had resulted in our designation of FAA financial management as high risk. As a result, we retained FAA financial management as a high-risk area, while noting that significant progress was being made. FAA management has continued to make progress since our January 2003 high-risk report. Subsequent auditors' reports on FAA's financial statements for fiscal years 2002 and 2003 were unqualified, but continued to cite internal control weaknesses, although less severe than in prior years, related to FAA's then existing financial management systems. In fiscal year 2004, FAA implemented its new Delphi general ledger system, including an integrated property accounting system. FAA management was able to prepare financial statements for the fiscal year ended September 30, 2004, using these new systems, and FAA's auditors gave FAA an unqualified opinion on these financial statements. While the auditors reported several internal control weaknesses related to the implementation of the new financial management systems, none of these were considered to be material weaknesses, and FAA management, in responding to the auditor's report, indicated their full commitment to addressing these issues. While the cost accounting system is still under development, progress has been made. The cost accounting interface with Delphi was completed in fiscal year 2004, and the labor distribution interface is expected to be completed in fiscal year 2005. For the first time, some cost accounting data, while not available on a monthly basis, was available shortly after the fiscal year end for the 12 months ended September 30, 2004. FAA management has demonstrated its commitment to the full implementation of this system, devoting significant planning and resources to its completion and the monitoring of its implementation progress. While it is important that FAA management continue to place a high priority on the cost system and, more importantly, ultimately to use cost information routinely in FAA decision making, FAA's progress in improving financial management overall since our January 2003 high-risk update has been sufficient for us to remove the high-risk designation for FAA financial management. Forest Service Financial Management: We first designated USDA's Forest Service financial management as high risk in 1999 because the agency lacked accountability over billions of dollars in its two major assets--fund balance with the Department of the Treasury (Treasury) and property, plant, and equipment. Since the Forest Service is a major component of USDA, the lack of accountability over these two major assets contributed to disclaimers of opinions on USDA's consolidated financial statements. In addition, the Forest Service continued to have material weaknesses in its accounting and reporting of accounts receivable and accounts payable. This precluded the agency from knowing costs it had incurred and amounts owed to others throughout the year. These problems were further exacerbated by problems with the Forest Service's partial implementation of its new financial accounting system. This system was unable to produce certain critical budgetary and accounting reports that track obligations, assets, liabilities, revenues, and costs. Thus, these financial reporting weaknesses hampered management's ability to effectively manage operations, monitor revenue and spending levels, and make informed decisions about future funding needs. The Forest Service's long-standing financial management deficiencies were also evident in the repeated negative opinions on its financial statements, including adverse opinions in fiscal years 1991, 1992, and 1995. Due to the severity of its accounting and reporting deficiencies, the Forest Service did not prepare financial statements for fiscal year 1996, but chose instead to focus on trying to resolve these problems. However, the Forest Service's pervasive material internal control weaknesses continued to plague the agency. In our 2001 high-risk update, we reported that the USDA Office of Inspector General (IG) was unable to determine the accuracy of the Forest Service's reported $3.1 billion in net property, plant, and equipment, which represented 51 percent of the agency's assets. We also reported that the IG was unable to verify fund balances with Treasury totaling $2.6 billion because the reconciliation of agency records with Treasury records had not been completed. Because of the severity of these and other deficiencies, the IG disclaimed from issuing opinions on the Forest Service's financial statements for fiscal years 1997 through 2001. In addition, we noted that the Forest Service's autonomous field structure hampered efforts to correct these accounting and financial reporting deficiencies. We also reported that the Forest Service had implemented its new accounting system agencywide. However, the system depended on and received data from feeder systems that were poorly documented, operationally complex, deficient in appropriate control processes, and costly to maintain. In our 2003 high-risk report, while we highlighted that the Forest Service continued to have long-standing material control weaknesses, including weaknesses in its fund balance with Treasury and in property, plant, and equipment, we reported that the Forest Service had made progress toward achieving accountability by receiving its first unqualified opinion on its fiscal year 2002 financial statements. Although the Forest Service had reached an important milestone, it had not yet proved it could sustain this outcome, and had not reached the end goal of routinely producing timely, accurate, and useful financial information. As a result, we retained Forest Service financial management as a high-risk area. In the past 2 years, the Forest Service has made additional progress, especially with respect to addressing several long-standing material internal control deficiencies. Based on our criteria for removing a high-risk designation, which includes a demonstrated strong commitment, corrective action plan, and progress in addressing deficiencies, we believe the Forest Service's overall improvement in financial management since our January 2003 high-risk update has been sufficient for us to remove Forest Service financial management from the high-risk list at this time. The Forest Service has resolved material deficiencies related to its fund balance with Treasury and in property, plant, and equipment, thus increasing accountability over its billions of dollars in assets, and USDA and the Forest Service received unqualified opinions on their fiscal year 2004 financial statements. This does not mean that the Forest Service has no remaining challenges. For example, while we recognized its clean opinion for fiscal year 2002 in our last update, subsequently, in fiscal year 2003, these financial statements had to be restated to correct material errors. The Forest Service also received a clean opinion for fiscal year 2003, but these financial statements had to be restated in fiscal year 2004 to again correct material misstatements. Frequent restatements to correct errors can undermine public trust and confidence in both the entity and all responsible parties. Further, the Forest Service continues to have material internal control weaknesses related to financial reporting and information technology security, and its financial management systems do not yet substantially comply with the Federal Financial Management Improvement Act of 1996. However, the Forest Service has demonstrated a strong commitment to efforts under way or planned, that, if effectively implemented, should help to resolve many of its remaining financial management problems and move it toward sustainable financial management business processes. These efforts are designed to address internal control and noncompliance issues identified in audit reports, as well as organizational issues. For example, during fiscal year 2004, the Forest Service began reengineering and consolidating its finance, accounting, and budget processes. We believe these efforts, if implemented effectively, will provide stronger financial management, sustain positive audit results, and ensure compliance with federal financial reporting standards. Yet, it is important that USDA and Forest Service officials continue to place a high priority on addressing its remaining financial management problems, and we will continue to monitor their progress. [End of section] New High-Risk Areas: GAO's use of the high-risk designation to draw attention to the challenges associated with the economy, efficiency, and effectiveness of government programs and operations in need of broad-based transformation has led to important progress. We will also continue to identify high-risk areas based on the more traditional focus on fraud, waste, abuse, and mismanagement. Our focus will continue to be on identifying the root causes behind vulnerabilities, as well as actions needed on the part of the agencies involved and, if appropriate, the Congress. For 2005, we have designated the following four new areas as high risk: Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security, Department of Defense (DOD) Approach to Business Transformation, DOD Personnel Security Clearance Program, and Management of Interagency Contracting. Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security: Information is a crucial tool in fighting terrorism, and the timely dissemination of that information to the appropriate government agency is absolutely critical to maintaining the security of our nation. The ability to share security-related information can unify the efforts of federal, state, and local government agencies, as well as the private sector as appropriate, in preventing or minimizing terrorist attacks. The 9/11 terrorist attacks heightened the need for comprehensive information sharing. Prior to that time, the overall management of information-sharing activities among government agencies and between the public and private sectors lacked priority, proper organization, coordination, and facilitation. As a result, the existing national mechanisms for collecting threat information, conducting risk analyses, and disseminating warnings were at an inadequate state of development for protecting the United States from coordinated terrorist attacks. Information sharing for securing the homeland is a governmentwide effort involving multiple federal agencies, including but not limited to the Office of Management and Budget (OMB); the Departments of Homeland Security (DHS), Justice, State, and Defense; and the Central Intelligence Agency. Over the past several years, GAO has identified potential information-sharing barriers, critical success factors, and other key management issues that should be considered, including the processes, procedures, and systems to facilitate information sharing among and between government entities and the private sector. Establishing an effective two-way exchange of information to detect, prevent, and mitigate potential terrorist attacks requires an extraordinary level of cooperation and perseverance among federal, state, and local governments and the private sector to establish timely, effective, and useful communications. Since 1998, GAO has recommended the development of a comprehensive plan for information sharing to support critical infrastructure protection efforts. The key components of this recommendation can be applied to broader homeland security and intelligence-sharing efforts, including clearly delineating the roles and responsibilities of federal and nonfederal entities, defining interim objectives and milestones, setting time frames for achieving objectives, and establishing performance measures. In the absence of comprehensive information-sharing plans, many aspects of homeland security information sharing remain ineffective and fragmented. Accordingly, we are designating information sharing for homeland security as a governmentwide high-risk area because this area, while receiving increased attention, still faces significant challenges. Since 2002, legislation,[Footnote 4] various national strategies, and executive orders have specified actions to improve information sharing for homeland security. * The Homeland Security Act of 2002 (P.L. 107-296) included the following specific mechanisms intended to improve two-way information sharing: * The Critical Infrastructure Information Act of 2002 required the establishment of uniform procedures for the receipt, care, and storage of critical infrastructure information that is voluntarily submitted to the federal government. In February 2004, DHS issued an interim rule for comment. * The Homeland Security Information Sharing Act required procedures for facilitating homeland security information sharing and established authorities to share different types of information, such as grand jury information; electronic, wire, and oral interception information; and foreign intelligence information. In July 2003, the President assigned these functions to the Secretary of Homeland Security,[Footnote 5] but no deadline was established for developing information-sharing procedures. * In 2002 and 2003, the National Strategy for Homeland Security and its implementing strategies, the National Strategy to Secure Cyberspace and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, also highlighted federal actions to promote two-way information sharing mechanisms.[Footnote 6] * In September 2003, Homeland Security Presidential Directive (HSPD) 6 called for the establishment of a terrorist screening center to develop, integrate, and maintain thorough, accurate, and current information about individuals known or appropriately suspected to be or to have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism.[Footnote 7] * Issued in December 2003, HSPD 7 required that DHS (1) produce a national infrastructure protection plan summarizing initiatives for sharing information, including providing threat warning data to state and local governments and the private sector; and (2) establish appropriate systems, mechanisms, and procedures to share homeland security information with other federal departments and agencies, state and local governments, and the private sector in a timely manner.[Footnote 8] * In August 2004, the President issued executive orders: * strengthening terrorism information sharing by (1) requiring establishment of common standards for the sharing of terrorism information within and among the intelligence and counterterrorism communities and appropriate authorities of state and local governments and (2) establishing a council chaired by OMB to plan for and oversee the establishment of automated terrorism information sharing among appropriate agencies[Footnote 9] and: * establishing a National Counterterrorism Center to serve as the primary organization in the federal government for analyzing and integrating intelligence possessed or acquired by the United States pertaining to terrorism and counterterrorism.[Footnote 10] * In December 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458) required the establishment of (1) an information-sharing environment (ISE) as a means of facilitating the exchange of terrorism information among appropriate federal, state, local, and tribal entities, and the private sector; and (2) an information-sharing council to support the President and the ISE program manager with advice on developing policies, procedures, guidelines, roles, and standards necessary to implement and maintain the ISE. In addition, federal agencies have taken steps to expand the mechanisms available for sharing information with and among key stakeholders. * The Federal Bureau of Investigation (FBI) has acted to enhance its information sharing with state and local law enforcement officials, such as providing guidance and additional staffing. It has more than doubled the number of its Joint Terrorism Taskforces (JTTF), from 35 prior to the September 11 attacks to 84 as of July 2004, and state and local law enforcement officials' participation on these task forces has also increased. The FBI has at least one JTTF in each of its 56 field locations and plans to expand that number to 100 JTTFs. The FBI also circulates declassified intelligence information through a weekly bulletin and provides threat information to state and local law enforcement officials via various database networks. * In September 2004, we reported that 9 federal agencies identified 34 major networks supporting homeland security functions--32 operational and 2 in development. For the networks for which cost estimates were available, the cost totaled approximately $1 billion per year for fiscal years 2003 and 2004. Among the networks identified, DHS's Homeland Secure Data Network appears to be a significant initiative for future sharing of classified homeland security information among civilian agencies and DOD. The 9/11 Commission recognized that information sharing must be "guided by a set of practical policy guidelines that simultaneously empower and constrain officials, telling them clearly what is and is not permitted."[Footnote 11] While the wide range of executive and legislative branch actions is encouraging, significant challenges remain in developing the required detailed policies, procedures, and plans for sharing homeland security-related information. For example, DHS had not developed a plan detailing how it will manage its information-sharing responsibilities and relationships, including consideration of appropriate incentives for nonfederal entities to increase information sharing with the federal government, expand participation, and perform other specific tasks such as protecting critical infrastructure.[Footnote 12] HSPD 7 required that DHS develop such a plan by December 2004, however the plan remains under development. The absence of such plans is exacerbated by the lack of established processes and procedures for disseminating homeland security information to the private sector. For example, without clear processes and procedures for rapidly sharing appropriate information, the ability of private sector entities to effectively design facility security systems and protocols can be impeded. In addition, the lack of sharing procedures can also limit the federal government's accurate assessment of nonfederal facilities' vulnerability to terrorist attacks. Detailed plans are essential. For example, DHS has developed an initial version of an enterprise architecture to assist its efforts to integrate and share information among and between federal agencies and other entities; version 1.0 of its architecture does not, however, include many of the 34 networks that we identified as supporting homeland security information sharing. Improving the standardization and consolidation of data can also promote better sharing. For example, in 2003 we found that goals, objectives, roles, responsibilities, and mechanisms for information sharing had not been consistently defined by the 9 federal agencies that maintain 12 key terrorist and criminal watch list systems. As a result, efforts to standardize and consolidate appropriate watch list data would be impeded by the existence of overlapping sets of data, inconsistent agency policies and procedures for the sharing of those data, and technical incompatibilities among the various watch list information systems. In addition, 2004 reports from the inspectors general at DHS and the Department of Justice highlight the challenges and slow pace of integrating and sharing information between fingerprint databases.[Footnote 13] We have made numerous recommendations related to information sharing, particularly as they relate to fulfilling federal critical infrastructure protection responsibilities.[Footnote 14] For example, we have reported on the practices of organizations that successfully share sensitive or time-critical information, including establishing trust relationships, developing information-sharing standards and protocols, establishing secure communications mechanisms, and disseminating sensitive information appropriately. Federal agencies have concurred with our recommendations that they develop appropriate strategies to address the many potential barriers to information sharing. However, many federal efforts remain in the planning or early implementation stages. A great deal of work remains to effectively implement the many actions called for to improve homeland security information sharing, including establishing clear goals, objectives, and expectations for the many participants in information-sharing efforts; and consolidating, standardizing, and enhancing federal structures, policies, and capabilities for the analysis and dissemination of information. DOD Approach to Business Transformation: DOD spends billions of dollars each year to sustain key business operations that support our forces, including systems and processes related to acquisition and contract management, financial management, supply chain management, business systems modernization, and support infrastructure management--all of which appear individually on GAO's high-risk list. Recent and ongoing military operations in Afghanistan and Iraq and new homeland defense missions have led to newer and higher demands on our forces in a time of growing fiscal challenges for our nation. In an effort to better manage DOD's resources, the Secretary of Defense has appropriately placed a high priority on transforming force capabilities and key business processes. For years, GAO has reported on inefficiencies and the lack of adequate transparency and appropriate accountability across DOD's major business areas, resulting in billions of dollars of wasted resources annually. Although the Secretary of Defense and senior leaders have shown commitment to business transformation, as evidenced by individual key initiatives related to acquisition reform, business modernization, and financial management, among others, little tangible evidence of actual improvement has been seen in DOD's business operations to date. Improvements have generally been limited to specific business process areas, such as DOD's purchase card program, and have resulted in the incorporation of many key elements of reform, such as increased management oversight and monitoring and results-oriented performance measures. However, DOD has not taken the steps it needs to take to achieve and sustain business reform on a broad, strategic, departmentwide and integrated basis. Among other things, it has not established clear and specific management responsibility, accountability, and control over overall business transformation- related activities and applicable resources. In addition, DOD has not developed a clear strategic and integrated plan for business transformation with specific goals, measures, and accountability mechanisms to monitor progress, or a well-defined blueprint, commonly called an enterprise architecture, to guide and constrain implementation of such a plan. For these reasons, GAO, for the first time, is designating DOD's lack of an integrated strategic planning approach to business transformation as high risk. DOD's current and historical approach to business transformation has not proven effective in achieving meaningful and sustainable progress in a timely manner. As a result, change is necessary in order to expedite the effort and increase the likelihood of success. For DOD to successfully transform its business operations, it will need a comprehensive and integrated business transformation plan; people with needed skills, knowledge, experience, responsibility, and authority to implement the plan; an effective process and related tools; and results-oriented performance measures that link institutional, unit, and individual performance goals and expectations to promote accountability for results. Over the last 3 years, GAO has made several recommendations that, if implemented effectively, could help DOD move forward in establishing the means to successfully address the challenges it faces in transforming its business operations. For example, GAO believes that DOD needs a full-time chief management officer (CMO) position, created through legislation, with responsibility and authority for DOD's overall business transformation efforts. This is a "good government" matter that should be addressed in a professional and nonpartisan manner. The CMO must be a person with significant authority and experience who would report directly to the Secretary of Defense. Given the nature and complexity of the overall business transformation effort, and the need for sustained attention over a significant period of time, this position should be a term appointment (e.g., 7 years) and the person should be subject to a performance contract. DOD has agreed with many of our recommendations and launched efforts intended to implement many of them, but progress to date has been slow. DOD Personnel Security Clearance Program: Delays in completing hundreds of thousands of background investigations and adjudications (a review of investigative information to determine eligibility for a security clearance) have led us to add the DOD personnel security clearance program to our 2005 high-risk list. Personnel security clearances allow individuals to gain access to classified information that, in some cases, could reasonably be expected to cause exceptionally grave damage to national defense or foreign relations through unauthorized disclosure. Worldwide deployments, contact with sensitive equipment, and other security requirements have resulted in DOD having approximately 2 million active clearances. Problems with DOD's personnel security clearance process can have repercussions throughout the government because DOD conducts personnel security investigations and adjudications for industry personnel from 22 other federal agencies, in addition to performing such functions for its own service members, federal civilian employees, and industry personnel. While GAO's work on the clearance process has focused on DOD, clearance delays in other federal agencies suggest that similar impediments and their effects may extend beyond DOD. Since at least the 1990s, GAO has documented problems with DOD's personnel security clearance process, particularly problems related to backlogs and the resulting delays in determining clearance eligibility. Since fiscal year 2000, DOD has declared its personnel security clearance investigations program to be a systemic weakness--a weakness that affects more than one DOD component and may jeopardize the department's operations--under the Federal Managers' Financial Integrity Act of 1982. An October 2002 House Committee on Government Reform report also recommended including DOD's adjudicative process as a material weakness. As of September 30, 2003 (the most recent data available), DOD could not estimate the full size of its backlog, but we identified over 350,000 cases exceeding established time frames for determining eligibility. The negative effects of delays in determining security clearance eligibility are serious and vary depending on whether the clearance is being renewed or granted to an individual for the first time. Delays in renewing previously issued clearances can lead to heightened risk of national security breaches because the longer individuals hold a clearance, the more likely they are to be working with critical information and systems. Delays in issuing initial clearances can result in millions of dollars of additional costs to the federal government, longer periods of time needed to complete national security-related contracts, lost-opportunity costs if prospective employees decide to work elsewhere rather than wait to get a clearance, and diminishing quality of the work because industrial contractors may be performing government contracts with personnel who have the necessary security clearances but are not the most experienced and best-qualified personnel for the positions involved. DOD has taken steps--such as hiring more adjudicators and authorizing overtime for adjudicative staff--to address the backlog, but a significant shortage of trained federal and private-sector investigative personnel presents a major obstacle to timely completion of cases. Other impediments to eliminating the backlog include the absence of an integrated, comprehensive management plan for addressing a wide variety of problems identified by GAO and others. In addition to matching adjudicative staff to workloads and working with the Office of Personnel Management (OPM) to develop an overall management plan, DOD needs to develop and use new methods for forecasting clearance needs and monitoring backlogs, eliminate unnecessary limitations on reciprocity (the acceptance of a clearance and access granted by another department, agency, or military service), determine the feasibility of implementing initiatives that could decrease the backlog and delays, and provide better oversight for all aspects of its personnel security clearance process. The National Defense Authorization Act for Fiscal Year 2004 authorized the transfer of DOD's personnel security investigative function and over 1,800 investigative employees to OPM. The transfer is scheduled to take place in February 2005. While the transfer would eliminate DOD's responsibility for conducting the investigations, it would not eliminate the shortage of trained investigative personnel needed to address the backlog. Although DOD would retain the responsibility for adjudicating clearances, OPM would be accountable for ensuring the investigations are completed in a timely manner. Management of Interagency Contracting: In recent years, federal agencies have been making a major shift in the way they procure many goods and services. Rather than spending a great deal of time and resources contracting for goods and services themselves, they are making greater use of existing contracts already awarded by other agencies. These contracts are designed to leverage the government's aggregate buying power and provide a much-needed simplified method for procuring commonly used goods and services. Thus, their popularity is gaining quickly. The General Services Administration (GSA) alone, for example, has seen a nearly tenfold increase in interagency contract sales since 1992, pushing the total sales mark up to $32 billion (see fig. 1). Other agencies, such as the Department of the Treasury and the National Institutes of Health, also sponsor interagency contracts. Figure 1: Multiple Award Schedule Sales, Fiscal Years 1992 through 2004: [See PDF for image] Note: Dollars amounts are then-year dollars. [End of figure] These contract vehicles offer the benefits of improved efficiency and timeliness; however, they need to be effectively managed. If not properly managed, a number of factors can make these interagency contract vehicles high risk in certain circumstances: (1) they are attracting rapid growth of taxpayer dollars; (2) they are being administered and used by some agencies that have limited expertise with this contracting method; and (3) they contribute to a much more complex environment in which accountability has not always been clearly established. Use of these contracts, therefore, demands a higher degree of business acumen and flexibility on the part of the federal acquisition workforce than in the past. This risk is widely recognized, and the Congress and executive branch agencies have taken several steps to address it. However, the challenges associated with these contracts, recent problems related to their management, and the need to ensure that the government effectively implements measures to bolster oversight and control so that it is well positioned to realize the value of these contracts warrants designation of interagency contracting as a new high-risk area. Interagency contracts are awarded under various authorities and can take many forms. Typically, they are used to provide agencies with commonly used goods and services, such as office supplies or information technology services. Agencies that award and administer interagency contracts usually charge a fee to support their operations. These types of contracts have allowed customer agencies to meet the demands for goods and services at a time when they face growing workloads, declines in the acquisition workforce, and the need for new skill sets. Our work and that of some agency inspectors general has revealed instances of improper use of interagency contracts. For example, we recently reviewed contracts and task orders awarded by DOD and found some task orders under the GSA schedules that did not satisfy legal requirements for competition because the work was not within the scope of the underlying contracts.[Footnote 15] Similarly, the inspector general for the Department of the Interior found that task orders for interrogators and other intelligence services in Iraq were improperly awarded under a GSA schedule contract for information technology services.[Footnote 16] More broadly, the GSA inspector general conducted a comprehensive review of the contracting activities of GSA's Federal Technology Service (FTS), an entity that provides contracting services for agencies across the government, and reported that millions of dollars in fiscal year 2003 awards did not comply with laws and regulations.[Footnote 17] Administration officials have acknowledged that the management of interagency contracting needs to be improved. Interagency contracting is being used more with regard to purchases of services, which have increased significantly over the past several years and now represent over half of federal contract spending. Agencies also are buying more sophisticated or complex services, particularly in the areas of information technology and professional and management support. In many cases, interagency contracts provide agencies with easy access to these services, but purchases of services require different approaches in describing requirements, obtaining competition, and overseeing contractor performance than purchases of goods. In this regard, we and others have reported on the failure to follow prescribed procedures designed to ensure fair prices when using schedule contracts to acquire services. At DOD, the largest customer for interagency contracts, we found that competition requirements were waived for a significant percentage of supply schedule orders we reviewed, frequently based on an expressed preference to retain the services of incumbent contractors. DOD concurred with our recommendations to develop guidance for the conditions under which waivers of competition may be used, require documentation to support waivers, and establish approval authority based on the value of the orders.[Footnote 18] There are several causes of the deficiencies we and others have found with the use of interagency contracts, including the increasing demands on the acquisition workforce, insufficient training, and in some cases inadequate guidance. Two additional factors are worth noting. First, the fee-for-service arrangement creates an incentive to increase sales volume in order to support other programs of the agency that awards and administers an interagency contract. This may lead to an inordinate focus on meeting customer demands at the expense of complying with required ordering procedures. Second, it is not always clear where the responsibility lies for such critical functions as describing requirements, negotiating terms, and conducting oversight. Several parties--the requiring agency, the ordering agency, and in some cases the contractor--are involved with these functions. But, as the number of parties grows, so too does the need to ensure accountability. The Congress and the administration have taken several steps to address the challenges of interagency contracting. In 2003, the Congress sought to improve contract oversight and execution by enacting the Services Acquisition Reform Act. The Act created a new chief acquisition officer position in many agencies and enhanced workforce training and recruitment. More recently, the Congress responded to the misuse of interagency contracting by requiring more intensive oversight of purchases under these contracts. In July 2004, GSA launched "Get It Right," an oversight and education program, to ensure that its largest customer, DOD, and other federal agencies properly use GSA's interagency contracts and its acquisition assistance services. Through this effort, GSA seeks to demonstrate a strong commitment to customer agencies' compliance with federal contracting regulations and, among other things, improve processes to ensure competition, integrity, and transparency. Additionally, to address workforce issues, OMB, GSA, and DOD officials have said they are developing new skills assessments, setting standards for the acquisition workforce, and coordinating training programs aimed at improving the capacity of the federal acquisition workforce to properly handle the growing and more complex workload of service acquisitions. These recent actions are positive steps toward improving management of interagency contracting, but, as with other areas, some of these actions are in their early stages and others are still under development. In addition, it is too early to tell whether all of the corrective actions will be effectively implemented, although a recent limited review by the GSA Inspector General found some improvement at FTS from enhanced management controls. Our work on major management challenges indicates that specific and targeted approaches are also needed to address interagency contracting risks across the government. Ensuring the proper use of interagency contracts must be viewed as a shared responsibility of all parties involved. But this requires that specific responsibilities be more clearly defined. In particular, to facilitate effective purchasing through interagency contracts, and to help ensure the best value of goods and services, agencies must clarify roles and responsibilities and adopt clear, consistent, and enforceable policies and processes that balance the need for customer service with the requirements of contract regulations. Internal controls and appropriate performance measures help ensure that policies and processes are implemented and have the desired outcomes. In addition, to be successful, efforts to improve the contracting function must be linked to agency strategic plans. As with other governmentwide high-risk areas, such as human capital and information security, effectively addressing interagency contract management challenges will require agency management to commit the necessary time, attention, and resources, as well as enhanced executive branch and congressional oversight. Making these investments has the potential to improve the government's ability to acquire high-quality goods and services in an efficient and effective manner, resulting in reduced costs, improved service delivery, and strengthened public trust. [End of section] Emerging Areas: In addition to specific areas that GAO has designated as high risk, there are other important broad-based challenges facing our government that are serious and merit continuing close attention. One area of increasing concern involves the need for the completion of comprehensive national threat and risk assessments in a variety of areas. For example, emerging requirements from the changing security environment, coupled with increasingly limited fiscal resources across the federal government, emphasize the need for agencies to adopt a sound approach to establishing realistic goals, evaluating and setting priorities, and making difficult resource decisions. GAO has advocated a comprehensive threat and/or risk management approach as a framework for decision making that fully links strategic goals to plans and budgets, assesses values and risks of various courses of actions as a tool for setting priorities and allocating resources, and provides for the use of performance measures to assess outcomes. Most prominently, two federal agencies with significant national security responsibilities--DHS and DOD--are still in the beginning stages of adopting a risk-based strategic framework for making important resource decisions involving billions of dollars annually. This lack of a strategic framework for investment decisions is one of the reasons that implementing and transforming DHS, and DOD's approach to business transformation, have been designated as high-risk areas. At the same time, this threat/risk assessment concept can be applied to a broad range of existing federal government programs, functions, and activities. The relatively new DHS, with an annual budget of over $40 billion, has not completed risk assessments mandated by the Homeland Security Act of 2002 to set priorities to help focus its resources where most needed. In performing its duties to protect the nation's critical infrastructure, DHS has not made clear the link between risk assessment and resource allocation, for example, what criteria it initially used to select assets of national importance and the basic strategy it uses to determine which assets warrant additional protective measures, and by how much these measures could reduce the risk to the nation. GAO has reviewed the work of several of DHS's component agencies that have taken some initial steps towards risk management, but much remains to be done. DHS's Immigration and Customs Enforcement (ICE), as a first step toward developing budget requests and workforce plans for fiscal year 2007 and beyond, has had its Office of Investigations field offices conduct baseline threat assessments to help identify risks. However, performance measures to assess how well a particular threat has been addressed were not used for workforce planning in ICE's fiscal year 2006 budget request. DHS's Customs and Border Protection (CBP) has taken steps to address the terrorism risks posed by oceangoing cargo containers. However, CBP has not performed a comprehensive set of assessments vital for determining the level of risk for oceangoing cargo containers and the types of responses necessary to mitigate that risk. The need to use a risk management approach has been a recurring theme in our previous work in transportation security. We reported in 2003 that DHS's Transportation and Security Administration (TSA) planned to adopt a risk management approach. To date, including in our most recent work on general aviation security, we have found that TSA has not fully integrated this approach, which includes assessments of threat, vulnerability, and criticality, to help it prioritize its efforts. As a result, we have recommended that TSA continue its efforts to integrate a risk management approach into its processes. DOD, with a budget of over $400 billion a year, exclusive of supplemental funding, is in the process of transforming its force capabilities and business processes. GAO has reported on limitations in DOD's strategic planning and budgeting, including the use of overly optimistic assumptions in estimating funding needs, often resulting in a mismatch between programs and budgets. In its strategic plan--the September 2001 Quadrennial Defense Review--DOD outlined a new risk management framework consisting of four dimensions of risk--force management, operational, future challenges, and institutional--to use in considering trade-offs among defense objectives and resource constraints. According to DOD, these risk areas are to form the basis for DOD's annual performance goals. They will be used to track performance results and will be linked to planning and resource decisions. As of December 2004, DOD was still in the process of implementing this approach departmentwide. It also remains unclear how DOD will use this approach to measure progress in achieving business and force transformation. We believe that instilling a disciplined approach to identifying and managing risk has broad applicability across a wide range of federal programs, operations, and functions across the federal government. This will be a continuing focus of our work in the future. More generally, we will also continue to monitor other management challenges identified through our work, including those discussed in our January 2003 Performance and Accountability Series: Major Management Challenges and Program Risks (GAO-03-95 through GAO-03-118). While not high risk at this time, these challenges warrant continued attention. For example, at the U.S. Census Bureau, a number of operational and managerial challenges loom large as the Bureau approaches its biggest enumeration challenge yet, the 2010 Census. The Census Bureau will undertake an important census test and make critical 2010 Census operational and design decisions in the coming months--and we will continue to closely monitor these challenges to assist the Congress in its oversight and the Bureau in its decision making. [End of section] Progress Being Made in Other High-Risk Areas: For other areas that remain on our 2005 high-risk list, there has been important but varying levels of progress, although not yet enough progress to remove these areas from the list. Top administration officials have expressed their commitment to maintaining momentum in seeing that high-risk areas receive adequate attention and oversight. Since our 2003 high-risk report, the Office of Management and Budget (OMB) has worked closely with a number of agencies that have high-risk issues, in many cases establishing action plans and milestones for agencies to complete needed actions to address areas that we have designated as high risk. Such a concerted effort by agencies and ongoing attention by OMB are critical; our experience over the past 15 years has shown that perseverance is required to fully resolve high- risk areas. The Congress, too, will continue to play an important role through its oversight and, where appropriate, through legislative action targeted at the problems and designed to address high-risk areas. Examples of progress in other programs or operations that were previously designated as high risk are discussed below and in the highlights pages that follow this report section. * Recognizing that federal agencies must transform their organizations to meet the new challenges of the 21st century and that their most important asset in this transformation is their people, GAO first added human capital management as a governmentwide high-risk issue in January 2001 to help focus attention and resources on the need for human capital reform. Since then, the Congress and the agencies have made more progress in revising and redesigning human capital policies, processes, and systems than in the past quarter century. The Congress called on agencies to do a better and faster job of hiring the right people with the right skills to meet their critical missions, such as protecting the homeland, and gave the agencies new flexibilities to meet this challenge. The Congress also granted agencies, such as DOD and DHS, unprecedented flexibility to redesign their human capital systems, including designing new classification and compensation systems, which could serve as models for governmentwide change. However, effectively designing and implementing any resulting human capital systems will be of critical importance not just for these agencies, but for overall civil service reform. As part of the President's Management Agenda, the administration also made strategic human capital management one of its top five priorities and established a system for holding agencies accountable for achieving this change. Some agencies have begun to assess their future workforce needs and implement available flexibilities to meet those needs. As a result of the ongoing significant changes in how the federal workforce is managed, there is general recognition that there should be a framework to guide human capital reform built on a set of beliefs that entail fundamental principles and boundaries that include criteria and processes that establish checks and limitations when agencies seek and implement their authorities. * The Postal Service (the Service) has made significant progress in improving its financial situation and implementing transformation initiatives to improve its financial viability since its transformation efforts and long-term outlook was designated as high risk in 2001. Several of its key achievements in the last 2 years include debt reduction of $9.3 billion, net income of $7 billion, productivity gains of 4.2 percent, the elimination of accumulated deficits, and reductions of about 45,000 in career employees. In addition, postal pension reform legislation was enacted to address a projected overfunding of the Service's pension obligation. The Congress also made progress in considering postal reform legislation, which, although not yet enacted, was approved by House and Senate oversight committees. However, key challenges remain, including generating revenues to offset declines in First-Class Mail volume, which generates revenues covering most of the Service's institutional costs; addressing large financial liabilities and obligations; achieving cost savings and productivity improvements, in part by restructuring its infrastructure and workforce; and addressing human capital challenges, such as succession planning and credible performance-based compensation systems. Further, postal reform remains a challenge that will require enactment of legislation by the Congress and leadership by the Service to effectively carry out its transformation. * Since January 2003, the administration has taken several key steps to address long-standing problems in managing federal real property. First, in an effort to provide a governmentwide focus on federal real property issues, the President added the Federal Asset Management Initiative to the President's Management Agenda and signed Executive Order 13327 in February 2004. Under the order, agencies are to designate a senior real property officer to, among other things, identify and categorize owned and leased real property managed by the agency and develop agency asset management plans. Agencies such as DOD and the Department of Veterans Affairs (VA) have taken other actions-- DOD is preparing for a round of base realignments and closures in 2005, and in May 2004, VA announced a wide range of asset realignment decisions. These and other efforts are positive steps, but it is too early to judge whether the administration's focus on this area will have a lasting impact. The underlying conditions and related obstacles that led to GAO's high-risk designation continue to exist. Remaining obstacles include competing stakeholder interests in real property decisions, various legal and budget-related disincentives to optimal, businesslike, real property decisions, and the need for better capital planning among agencies. * Since GAO designated modernizing federal disability programs as a high-risk area in 2003, the Social Security Administration (SSA) and VA have made some progress toward improving their disability programs. A key initiative involves SSA's proposal to improve the timeliness and accuracy of disability decisions and to foster return to work at all stages of the decision-making process. In addition, the Congress established a commission to study the appropriateness of veterans' benefits. Moreover, SSA and VA have both made some gains in timeliness in their disability claims decisions. While these actions have yielded some progress, SSA's and VA's disability programs still face significant challenges. For example, despite the slowdown in workforce growth nationwide, increased employment opportunities for persons with disabilities have been afforded by advances in medicine and technology and the growing expectation that people with disabilities can and do want to work. Nevertheless, federal disability programs remain grounded in outmoded concepts that equate medical conditions with work incapacity. In addressing these challenges, GAO believes that SSA and VA should take the lead in examining the fundamental causes of program problems and seek both the management and legislative solutions needed to transform their programs so that they are in line with the current state of science, medicine, technology, and labor market conditions. At the same time, these agencies should continue to develop and implement strategies for improving the accuracy, timeliness, and consistency of disability decision making. * The Department of Health and Human Services and its Centers for Medicare & Medicaid Services (CMS) have made some progress to improve the fiscal integrity and oversight of the Medicaid program, which was designated high risk in 2003. For example, CMS has strengthened oversight of state financing schemes that have inappropriately boosted the federal share of Medicaid spending, by centralizing its review process and conducting targeted financial management reviews of states' programs. CMS also proposed last year that Medicaid payments to government facilities be limited to their actual costs--a recommendation that GAO earlier made to the Congress and that remains open. The results of these actions will need to be assessed to determine their effectiveness in improving the program's fiscal integrity, and more action is needed before the program's high-risk designation can be removed. For example, CMS did not take action in response to our recommendations intended to better ensure that state Medicaid demonstration programs, to expand coverage to certain populations, do not increase the federal government's costs beyond what they would have been without the demonstrations, a long-standing administration policy. * The Department of Housing and Urban Development (HUD) has demonstrated commitment to and progress in addressing weaknesses in its Single-Family Mortgage Insurance and Rental Housing Assistance program areas. Specifically, HUD has acted to reduce the risk of financial loss by improving its oversight of lenders and appraisers and by increasing its use of foreclosure prevention tools. Further, HUD has continued to implement measures to reduce errors in rental subsidy payments and to improve the physical condition of HUD-assisted housing. However, HUD needs to continue strengthening the management and oversight of its single-family mortgage insurance programs to reduce the risk of insurance losses and its vulnerability to questionable payments for property management services. Further, it needs to continue in its efforts to ensure that rental housing assistance program subsidy payments are accurate and that subsidy recipients are eligible. * Since the agency's inception in March 2003, DHS leadership has provided a foundation to maintain critical operations while undergoing transformation. DHS has worked to protect the homeland and secure transportation and borders, funded emergency preparedness improvements and emerging technologies, assisted law enforcement activities against suspected terrorists, and issued its first strategic plan. DHS has taken initial steps to address financial management weaknesses and is acquiring an integrated financial enterprise solution, recognized the need for and has begun to institutionalize a strategic management framework that addresses key information technology disciplines; and initiated strategic human capital planning efforts and published proposed regulations for a modern human capital management system. Concurrently, DHS is initiating corrective actions on a broad array of programmatic challenges that require sustained effort in areas such as transportation, cargo, and border security; tracking visitors; consolidating border security functions; updating outmoded capabilities in the Coast Guard fleet; and balancing homeland security with other missions, such as law enforcement and disaster planning. DHS must now follow through on these initial actions. Furthermore, in managing its transformation, DHS must overcome a number of significant challenges that as yet have not been adequately addressed. For example, annual goals and time frames are vague or missing; the capacity to achieve them is uncertain; and performance measures and plans to monitor, assess, and independently evaluate the effectiveness of corrective measures are not fully developed. Also, progress in forming effective partnerships with other governmental and private sector entities remains challenged in several critical areas, such as improving critical infrastructure protection and emergency preparedness. Importantly, DHS has also not completed legislatively mandated comprehensive threat and risk assessments to set priorities and to focus its limited resources to mitigate the greatest risk. DHS needs sustained leadership and a commitment to a strategy that incorporates accountability and oversight to succeed in its multiyear transformation. Failure to effectively address its management challenges and program risks could have serious consequences for our national security. [End of section] High-Risk Areas Consolidated: Collection of Unpaid Taxes and Earned Income Credit Noncompliance: We have combined our previous Collection of Unpaid Taxes and Earned Income Credit Noncompliance high-risk areas into an area titled Enforcement of Tax Laws. Collection of unpaid taxes was included in the first high-risk series report in 1990, with a focus on the backlog of uncollected debts owed by taxpayers. In 1995, we added Filing Fraud as a separate high-risk area, narrowing the focus of that high-risk area in 2001 to Earned Income Credit Noncompliance because of the particularly high incidence of fraud and other forms of noncompliance in that program. We expanded our concern about the Collection of Unpaid Taxes in our 2001 high-risk report to include not only unpaid taxes (including tax evasion and unintentional noncompliance) known to the Internal Revenue Service (IRS), but also the broader enforcement issue of unpaid taxes that IRS has not detected. We made this change because of declines in some key IRS collection actions as well as IRS's lack of information about whether those declines had affected voluntary compliance. Although the Congress dedicated a specific appropriation for Earned Income Credit compliance initiatives (both to curb noncompliance and encourage participation) in fiscal years 1998 through 2003, with the 2004 budget the Congress returned to appropriating a single amount for IRS to allocate among its various tax law enforcement efforts. In recent years, the resources IRS has been able to dedicate to enforcing the tax laws have declined, while IRS's enforcement workload- -measured by the number of taxpayer returns filed--has continually increased. Accordingly, nearly every indicator of IRS's coverage of its enforcement workload has declined in recent years. Although in some cases workload coverage has increased, overall IRS's coverage of known workload is considerably lower than it was just a few years ago. Although many suspect that these trends have eroded taxpayers' willingness to voluntarily comply--and survey evidence suggests this may be true--the cumulative effect of these trends is unknown because new research into the level of taxpayer compliance is only now being completed by IRS after a long hiatus. Further, IRS's workload has grown ever more complex as the tax code has grown more complex. Complexity creates a fertile ground for those intentionally seeking to evade taxes and often trips others into inadvertent noncompliance. IRS is challenged to administer and explain each new provision, thus absorbing resources that otherwise might be used to enforce the tax laws. Concurrently, other areas of particularly serious noncompliance have gained the attention of IRS and the Congress--such as abusive tax shelters and schemes employed by businesses and wealthy individuals that often involve complex transactions that may span national boundaries. Given the broad declines in IRS's enforcement workforce, IRS's decreased ability to follow up on suspected noncompliance, the emergence of sophisticated evasion concerns, and the unknown effect of these trends on voluntary compliance, IRS is challenged on virtually all fronts in attempting to ensure that taxpayers fulfill their obligations. IRS's success in overcoming these challenges becomes ever more important in light of the nation's large and growing fiscal pressures. Accordingly, we believe the focus of concern on the enforcement of tax laws is not confined to any one segment of the taxpaying population or any single tax provision. Our designation of the enforcement of tax laws as a high-risk area embodies this broad concern. IRS Business Systems Modernization and IRS Financial Management: IRS has long relied on obsolete automated systems for key operational and financial management functions, and its attempts to modernize these aging computer systems span several decades. This long history of continuing delays and design difficulties and their significant impact on IRS's operations led GAO to designate IRS's systems modernization activities and its financial management as high-risk areas in 1995. Since that time, IRS has made progress in improving its financial management, such as enhancing controls over hard copy tax receipts and data and budgetary activity, and improving the accuracy of property records. Additionally, for the past 5 years, IRS has received clean audit opinions on its annual financial statements and, for the past 3 years, has been able to achieve this within 45 days of the end of the fiscal year. However, IRS still needs to replace its outdated financial management systems, which is part of its business systems modernization program. Accordingly, since the resolution of IRS's remaining most serious and intractable financial management problems largely depends upon the success of IRS's business systems modernization efforts, and since we have continuing concerns related to this program, we are combining our two previous high-risk areas into one Business Systems Modernization high-risk area. [End of section] Highlights for Each High-Risk Area: Overall, the government continues to take high-risk problems seriously and is making long-needed progress toward correcting them. The Congress has also acted to address several individual high-risk areas through hearings and legislation. Continued perseverance in addressing high- risk areas will ultimately yield significant benefits. Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the American public, strengthen public confidence and trust in the performance and accountability of our national government, and ensure the ability of government to deliver on its promises. We have prepared highlights of each of the 25 high-risk areas on our updated list, showing (1) why the area is high risk, (2) the actions that have been taken and that are under way to address the problem since our last update report as well as the issues that are yet to be resolved, and (3) what remains to be done to address the risk. These highlights are presented on the following pages. Finally, we have compiled lists of GAO products issued since January 2003 related to the major management challenges identified in the 2003 Performance and Accountability Series. These lists, accompanied by narratives describing the related major management challenges, are available on our Web site at [Hyperlink, http://www.gao.gov/pas/2005]. HIGH-RISK SERIES: Strategic Human Capital Management: GAO Highlights: For additional information about this high-risk area, contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov. Why Area Is High Risk: In 2001, GAO designated strategic human capital management as a high- risk area because of the federal government's long-standing lack of a consistent strategic approach to marshaling, managing, and maintaining the human capital needed to maximize government performance and ensure its accountability. The area remains high risk because federal human capital strategies are still not appropriately constituted to meet current and emerging challenges or drive the transformations necessary for agencies to meet these challenges. For example, human capital considerations are a critical element for the intelligence organizations and related homeland security organizations that are undergoing a fundamental transformation in the aftermath of September 11, 2001. What GAO Found: The executive branch and the Congress have taken a number of steps to address the federal government's human capital shortfalls. For example, in 2001, the President's Management Agenda identified human capital management as a top priority, and recently the Office of Management and Budget reported that agencies are making improvements in addressing key human capital challenges. The Congress also sought to elevate human capital issues within federal agencies in part by creating the Chief Human Capital Officer positions and a Council to advise and assist agency leaders in their human capital efforts. The Congress has provided several agencies--most notably the Departments of Homeland Security and Defense--authorities to design and manage their human capital systems. Effective design and implementation of any resulting new policies and procedures is of critical importance. The Congress also recently provided agencies across the executive branch with additional human capital flexibilities, such as specific hiring authorities, and the Office of Personnel Management is working with the agencies to make the government more competitive for top talent by speeding up the hiring process. In addition, the Congress and the administration together have reformed the performance management and compensation systems for senior executives to better link the institutional, unit, and individual performance and reward systems. While more progress in addressing human capital challenges has been made in the last few years than in the previous 25, ample opportunities exist for agencies to improve their strategic human capital management to achieve results and respond to current and emerging challenges: * Leadership: Agencies need sustained leadership to provide the focused attention essential to completing multiyear transformations. * Strategic Human Capital Planning: Agencies need effective strategic workforce plans to identify and focus their human capital investments on the long-term issues that best contribute to results. * Acquiring, Developing, and Retaining Talent: Agencies need to continue to create effective hiring processes and use flexibilities and incentives to retain critical talent and reshape their workforces. * Results-Oriented Organizational Cultures: Agencies need to reform their performance management systems so that pay and awards are linked to performance and organizational results. Significant changes in how the federal workforce is managed are under way, and, consequently, there is general recognition that there needs to be a framework to guide human capital reform built on a set of beliefs and boundaries. Beliefs entail the fundamental principles that should govern all approaches to human capital reform and should not be altered or waived by agencies seeking human capital authorities. Boundaries include the criteria and processes that establish the checks and limitations when agencies seek and implement human capital authorities. What Remains to Be Done: Agencies--working with the Congress and OPM--must assess future workforce needs, especially in light of long-term fiscal challenges; determine ways to make maximum use of available authorities to recruit, hire, develop, and retain key talent to meet their needs; build a business case to request additional authorities as appropriate; and reform performance management systems to better link organizational and individual results. There is also a need to continue to develop a governmentwide framework for human capital reform that the Congress and the administration can implement to enhance performance, ensure accountability, and position the nation for the future. Related Products: Strategic Human Capital Management: Leadership: Highlights of a GAO and National Commission on the Public Service Implementation Initiative Forum on Human Capital: Principles, Criteria, and Processes for Governmentwide Federal Human Capital Reform. GAO-05- 69SP. Washington, D.C.: December 1, 2004. Intelligence Reform: Human Capital Considerations Critical to 9/11 Commission's Proposed Reforms. GAO-04-1084T. Washington, D.C.: September 14, 2004. Human Capital: Building on the Current Momentum to Transform the Federal Government. GAO-04-976T. Washington, D.C.: July 20, 2004. Human Capital: Observations on Agencies' Implementation of the Chief Human Capital Officers Act. GAO-04-800T. Washington, D.C.: May 18, 2004. Strategic Human Capital Planning: Human Capital: Key Principles for Effective Strategic Workforce Planning. GAO-04-39. Washington, D.C.: December 11, 2003. Human Capital: Succession Planning and Management Is Critical Driver of Organizational Transformation. GAO-04-127T. Washington, D.C.: October 1, 2003. Human Capital: Insights for U.S. Agencies from Other Countries' Succession Planning and Management Initiatives. GAO-03-914. Washington, D.C.: September 15, 2003. Acquiring, Developing, and Retaining Talent: Human Capital: Increasing Agencies' Use of New Hiring Flexibilities. GAO-04-959T. Washington, D.C.: July 13, 2004. Human Capital: Additional Collaboration Between OPM and Agencies Is Key to Improved Federal Hiring. GAO-04-797. Washington, D.C.: June 7, 2004. Human Capital: A Guide for Assessing Strategic Training and Development Efforts in the Federal Government. GAO-04-546G. Washington, D.C.: March 2004. Results-Oriented Organizational Cultures: Human Capital: Senior Executive Performance Management Can Be Significantly Strengthened to Achieve Results. GAO-04-614. Washington, D.C.: May 26, 2004. Human Capital: Implementing Pay for Performance at Selected Personnel Demonstration Projects. GAO-04-83. Washington, D.C.: January 23, 2004. Results-Oriented Cultures: Creating a Clear Linkage between Individual Performance and Organizational Success. GAO-03-488. Washington, D.C.: March 14, 2003. See www.gao.gov for numerous speeches and presentations from the Comptroller General on human capital challenges in general and as they apply to specific agencies. HIGH-RISK SERIES: U.S. Postal Service Transformation Efforts and Long-Term Outlook: GAO Highlights: For additional information about this high-risk area, contact Katherine Siggerud at (202) 512-2834 or siggerudk@gao.gov. Why Area Is High Risk: In April 2001, GAO designated U.S. Postal Service's transformation efforts and long-term outlook as a high-risk area due to growing risk that the Service would not be able to continue providing universal postal service at reasonable rates while remaining self-supporting through postal revenues. This inclusion on GAO's high-risk list was intended to focus needed attention on the dilemmas facing the Service before the situation escalates into a crisis, where the options for action may be more limited and costly. The Service has since taken steps to address its problems, and a presidential commission has reported on the need for far-reaching changes, including legislative reform. However, reform legislation has not yet been enacted and the underlying conditions that led to the high-risk designation continue to exist. Thus, the Service's transformation efforts and long-term outlook remains on GAO's high-risk list. What GAO Found: The Postal Service's financial viability is at risk because its business model--which relies on mail volume growth to mitigate rate increases and cover its costs--is not sustainable in an increasingly competitive environment, given new and emerging technologies. Financial, operational, governance, and human capital challenges threaten the Service's ability to remain self-supporting while providing affordable, high-quality, and universal postal service. Key trends that demonstrate the need for reform include declining mail volume, particularly for First-Class Mail; changes in the mail mix from high-margin to lower-margin products; changing demographics of the aging postal workforce; growing competition from private delivery companies; and projected revenue declines while expenses increase. The Service continues to face challenges in addressing its large financial liabilities and obligations (e.g., retiree health obligations), as well as in restructuring its infrastructure and workforce to become more efficient and performance based. First-Class Mail Volume Growth, Fiscal Years 1984 through 2004: [See PDF for image] [End of figure] The Service has recently cut costs and improved productivity, but it is not clear how the Service will realign its outdated infrastructure and modernize its workforce policies and practices to achieve additional long-term productivity gains. The Service has stated that it is using an evolutionary approach to transform its infrastructure and workforce. However, little information is available about its plans for this important effort. Many questions remain as to whether such an incremental approach will be sufficiently comprehensive, integrated, and responsive to the increasing pace of change in technology and competition affecting the Service's core business. Without bold action and better communication, the Service risks falling short of achieving the major productivity gains needed to offset rising costs and maintain quality service and affordable rates. Further, the Congress has not yet enacted comprehensive postal reform legislation that addresses the Service's key structural and systemic deficiencies, including its unfunded obligation for retiree health benefits and the escrow requirement. Without such action, the accessibility and affordability of postal services to the American people is at risk, which could result in dramatic increases in postal rates or a costly taxpayer bailout. What Remains to Be Done: To preserve its mission and financial viability and meet its key challenges, the Service needs to take bold action and better communicate how it plans to realign its infrastructure and workforce. Also, GAO continues to believe that comprehensive postal reform legislation is needed to clarify the Service's mission and role; enhance governance, transparency, and accountability; improve regulation of postal rates and oversight; address long-term financial obligations; and make human capital reforms. Related Products: U.S. Postal Service Transformation Efforts and Long-Term Outlook: GAO Products: U.S. Postal Service: USPS Needs to Clearly Communicate How Postal Services May Be Affected by Its Retail Optimization Plans. GAO-04-803. Washington, D.C.: July 13, 2004. Postal Service: Progress in Implementing Supply Chain Management Initiatives. GAO-04-540. Washington, D.C.: May 17, 2004. U.S. Postal Service: Key Reasons for Postal Reform. GAO-04-565T. Washington, D.C.: March 23, 2004. Need for Comprehensive Postal Reform. GAO-04-455R. Washington, D.C.: February 6, 2004. U.S. Postal Service: Key Elements of Comprehensive Postal Reform. GAO- 04-397T. Washington, D.C.: January 28, 2004. Postal Pension Funding Reform: Issues Related to the Postal Service's Proposed Use of Pension Savings. GAO-04-238. Washington, D.C.: November 26, 2003. Postal Pension Funding Reform: Review of Military Service Funding Proposals. GAO-04-281. Washington, D.C.: November 26, 2003. U.S. Postal Service: Bold Action Needed to Continue Progress on Postal Transformation. GAO-04-108T. Washington, D.C.: November 5, 2003. Federal Real Property: Vacant and Underutilized Properties at GSA, VA, and USPS. GAO-03-747. Washington, D.C.: August 19, 2003. U.S. Postal Service: A Primer on Postal Worksharing. GAO-03-927. Washington, D.C.: July 31, 2003. U.S. Postal Service: Key Postal Transformation Issues. GAO-03-812T. Washington, D.C.: May 29, 2003. Review of the Office of Personnel Management's Analysis of the United States Postal Service's Funding of Civil Service Retirement System Costs. GAO-03-448R. Washington, D.C.: January 31, 2003. Other Products: President's Commission on the United States Postal Service: Embracing the Future: Making the Tough Choices to Preserve Universal Mail Service. http://www.treas.gov/offices/domestic-finance/usps/ Washington, D.C.: July 31, 2003. For more information on U.S. Postal Service major management challenges, see http://www.gao.gov/pas/2005/postal.htm. HIGH-RISK SERIES: Protecting the Federal Government's Information Systems and the Nation's Critical Infrastructures: GAO Highlights: Why Area Is High Risk: For additional information about this high-risk area, contact Joel Willemssen at (202) 512-6253 or willemssenj@gao.gov. What GAO Found: With the enactment of the Federal Information Security Management Act of 2002 (FISMA), the Congress continued its work to improve federal information security by permanently authorizing and strengthening key information security requirements. The administration has also made progress through a number of efforts, including the Office of Management and Budget's emphasis on information security in the budget process. However, significant information security weaknesses at federal agencies continue to place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. Although recent reporting by these agencies showed some improvements, GAO found that many agencies still have not established information security programs consistent with FISMA's overall requirement to develop, document, and implement an agencywide information security program. For example, agencies are not consistently: * performing periodic risk assessments, * developing and maintaining current security plans, * creating and testing contingency plans, or: * evaluating and monitoring the effectiveness of security controls. Federal efforts have been taken to protect our nation's critical public and private information infrastructures. For example, federal policy emphasizes the importance of cooperative efforts among state and local governments and the private sector to protect these information infrastructures, and has established specific cyber responsibilities for the Department of Homeland Security and other federal agencies involved with the private sector in CIP. In addition, the federal government has led efforts to research and develop (R&D) new technologies; coordinate responses to incidents, threats, and vulnerabilities; and develop analysis and warnings capabilities related to critical information infrastructures. However, this area remains high risk as the federal government continues to face the critical challenges shown below. Challenges to Effective Cyber Critical Infrastructure Protection: Challenge: Policy and guidance; Description: Developing a comprehensive and coordinated national plan to facilitate CIP that clearly delineates the roles and responsibilities of federal and nonfederal CIP entities, defines interim objectives and milestones, sets time frames for achieving objectives, and establishes performance measures. Challenge: Trusted relationships; Description: Developing productive relationships within the federal government and between the federal government and state and local governments and the private sector. Challenge: Analysis and warning capabilities; Description: Improving the federal government's capabilities to analyze incident, threat, and vulnerability information obtained from numerous sources and share appropriate, timely, and useful warnings and other information concerning both cyber and physical threats to federal and nonfederal entities. Challenge: Information sharing incentives; Description: Providing appropriate incentives for nonfederal entities to increase information sharing with the federal government and enhance other CIP efforts. Source: GAO. [End of table] What Remains to Be Done: Federal agencies and our nation's critical infrastructures--such as power distribution, water supply, telecommunications, national defense, and emergency services--rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to preventing data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. Protecting federal computer systems and the systems that support critical infrastructures--referred to as cyber critical infrastructure protection, or cyber CIP--is a continuing concern. Federal information security has been on GAO's list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP. The continued risks to information systems include the escalating threat of computer security incidents, the ease of obtaining and using hacking tools, the steady advance in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks. Related Products: Protecting the Federal Government's Information Systems and the Nation's Critical Infrastructures: Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors. GAO-04-780. Washington, D.C.: July 9, 2004. Information Security: Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation. GAO-04-376. Washington, D.C.: June 28, 2004. Information Security: Continued Action Needed to Improve Software Patch Management. GAO-04-706. Washington, D.C.: June 2, 2004. Information Security: Information System Controls at the Federal Deposit Insurance Corporation. GAO-04-630. Washington, D.C.: May 28, 2004. Technology Assessment: Cybersecurity for Critical Infrastructure Protection. GAO-04-321. Washington, D.C.: May 28, 2004. Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements. GAO-04-483T. Washington, D.C.: March 16, 2004. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. GAO-04-354. Washington, D.C.: March 15, 2004. Information Security: Technologies to Secure Federal Systems. GAO-04- 467. Washington, D.C.: March 9, 2004. Information Security: Further Efforts Needed to Address Serious Weaknesses at USDA. GAO-04-154. Washington, D.C.: January 30, 2004. Information Security: Improvements Needed in Treasury's Security Management Program. GAO-04-77. Washington, D.C.: November 14, 2003. Information Security: Computer Controls over Key Treasury Internet Payment System. GAO-03-837. Washington, D.C.: July 30, 2003. FDIC Information Security: Progress Made but Existing Weaknesses Place Data at Risk. GAO-03-630. Washington, D.C.: June 18, 2003. Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks. GAO-03-44. Washington, D.C.: May 30, 2003. Information Security: Progress Made, but Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures. GAO-03-564T. Washington, D.C.: April 8, 2003. Critical Infrastructure Protection: Efforts of the Financial Services Sector to Address Cyber Threats. GAO-03-173. Washington, D.C.: January 30, 2003. HIGH-RISK SERIES: Managing Federal Real Property: GAO Highlights: For additional information about this high-risk area, contact Mark Goldstein at (202) 512-2834 or goldsteinm@gao.gov. Why Area Is High Risk: In January 2003, GAO designated federal real property as a high-risk area due to long-standing problems with excess and underutilized property, deteriorating facilities, unreliable real property data, and costly space challenges. Federal agencies were also facing many challenges in protecting their facilities due to the threat of terrorism. To date, the underlying conditions that led to the designation continue, and more remains to be done to address these problems and the obstacles that prevent agencies from solving them. As a result, this area remains high risk. What GAO Found: The federal real property portfolio is vast and diverse--over 30 agencies control hundreds of thousands of real property assets worldwide, including facilities and land worth hundreds of billions of dollars. Unfortunately, many of these assets are no longer effectively aligned with, or responsive to, agencies' changing missions. Further, many assets are in an alarming state of deterioration; agencies have estimated restoration and repair needs to be in the tens of billions of dollars. Compounding these problems are the lack of reliable governmentwide data for strategic asset management; a heavy reliance on costly leasing, instead of ownership, to meet new needs; and the cost and challenge of protecting these assets against terrorism. In February 2004, the President added the Federal Asset Management Initiative to the President's Management Agenda and signed Executive Order 13327. The order requires senior real property officers at all executive branch departments and agencies to, among other things, prioritize actions needed to improve the operational and financial management of the agency's real property inventory. A new Federal Real Property Council at the Office of Management and Budget (OMB) has developed guiding principles for real property asset management and is also developing performance measures, a real property inventory database, and an agency asset management planning process. In addition to these reform efforts, agencies such as the Departments of Defense (DOD) and Veterans Affairs (VA) have made progress in addressing long- standing federal real property problems. For example, DOD is preparing for a round of base realignment and closures in 2005. Also, in May 2004, VA announced a wide range of asset realignment decisions. These and other efforts are positive steps, but it is too early to judge whether the administration's focus on this area will have a lasting impact. The underlying conditions and related obstacles that led to GAO's high-risk designation continue to exist. Remaining obstacles include competing stakeholder interests in real property decisions; various legal and budget-related disincentives to optimal, businesslike, real property decisions; and the need for better capital planning among agencies. Examples of Vacant GSA, VA, and USPS Facilities: [See PDF for image] [End of figure] What Remains to Be Done: Since January 2003, some important efforts to address the problems have been initiated by the administration and executive agencies, including a Presidential Executive Order on real property reform and OMB's development of guiding principles for real property asset management. The executive order is clearly a positive step. However, it has not been fully implemented, and GAO continues to believe that there is a need for a comprehensive, integrated transformation strategy for real property. In addition, further actions are necessary to address the underlying problems and related obstacles, including competing stakeholder interests in real property decisions and legal and budget- related disincentives to optimal, businesslike, real property decisions. Related Products: Managing Federal Real Property: Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Protection Efforts and Promote Key Practices. GAO-05-49. Washington, D.C.: November 30, 2004. Embassy Construction: Achieving Concurrent Construction Would Help Reduce Costs and Meet Security Goals. GAO-04-952. Washington, D.C.: September 28, 2004. Homeland Security: Transformation Strategy Needed to Address Challenges Facing the Federal Protective Service. GAO-04-537. Washington, D.C.: July 14, 2004. U.S. Postal Service: Key Elements of Comprehensive Postal Reform. GAO- 04-397T. Washington, D.C.: January 28, 2004. Budget Issues: Agency Implementation of Capital Planning Principles Is Mixed. GAO-04-138. Washington, D.C.: January 16, 2004. Embassy Construction: State Department Has Implemented Management Reforms, but Challenges Remain. GAO-04-100. Washington, D.C.: November 4, 2003. Federal Real Property: Actions Needed to Address Long-standing and Complex Problems. GAO-04-119T. Washington, D.C.: October 1, 2003. National Park Service: Efforts Underway to Address Its Maintenance Backlog. GAO-03-1177T. Washington, D.C: September 27, 2003. Federal Real Property: Vacant and Underutilized Properties at GSA, VA, and USPS. GAO-03-747. Washington, D.C.: August 19, 2003. VA Health Care: Framework for Analyzing Capital Asset Realignment for Enhanced Services Decisions. GAO-03-1103R. Washington, D.C.: August 18, 2003. Military Base Closures: Better Planning Needed for Future Reserve Enclaves. GAO-03-723. Washington, D.C.: June 27, 2003. Military Housing: Opportunities That Should Be Explored to Improve Housing and Reduce Costs for Unmarried Junior Servicemembers. GAO-03- 602. Washington, D.C.: June 10, 2003. Federal Real Property: Executive and Legislative Actions Needed to Address Long-standing and Complex Problems. GAO-03-839T. Washington, D.C.: June 5, 2003. HIGH-RISK SERIES: Implementing and Transforming the Department of Homeland Security: GAO Highlights: For additional information about this high-risk area, contact Norm Rabkin at (202) 512-8777 or rabkinn@gao.gov. Why Area Is High Risk: GAO designated implementing and transforming the Department of Homeland Security (DHS) as high risk in 2003 because DHS had to transform 22 agencies--several with major management challenges--into one department, and failure to effectively address its management challenges and program risks could have serious consequences for our national security. The areas GAO identified as at risk include planning and priority setting; accountability and oversight; and a broad array of management, programmatic, and partnering challenges. What GAO Found: Since its inception in March 2003, DHS leadership has provided a foundation for maintaining critical operations while undergoing transformation. DHS has worked to protect the homeland and secure transportation and borders, funded emergency preparedness improvements and emerging technologies, assisted law enforcement activities against suspected terrorists, and issued its first strategic plan. However, in managing its transformation, DHS must overcome a number of significant challenges that as yet have not been adequately addressed. For example, annual goals and time frames are vague or missing, and the capacity to achieve them is uncertain. Performance measures and plans to monitor, assess, and independently evaluate the effectiveness of corrective measures are not fully developed. In addition, DHS has not completed legislatively mandated comprehensive threat and risk assessments to set priorities and to focus its limited resources to mitigate the greatest risk. Moreover, given these challenges, DHS needs sustained leadership and a commitment to a strategy that incorporates accountability and oversight to succeed in its multiyear transformation. DHS also must follow through on its initial actions to address its management, programmatic, and partnering challenges. DHS's high-risk management challenges and actions include: * strengthening internal controls and reducing the number of material weaknesses in its financial systems; * fully establishing and institutionalizing a departmentwide strategic framework for managing information; and: * addressing systemic problems in human capital and acquisition systems. Concurrently, DHS is initiating corrective actions on a broad array of programmatic challenges that require sustained effort. These challenges include improving transportation, cargo, and border security; systematically tracking visitors; consolidating border security functions; updating outmoded capabilities in the Coast Guard fleet; and balancing homeland security with other missions, such as law enforcement and disaster planning. Also, DHS's progress in forming effective partnerships with other governmental and private-sector entities remains challenged in several critical areas, such as improving critical infrastructure protection and emergency preparedness, communication among first responders, dissemination of timely and specific threat information, and planning for continuity of operations in case of an adverse event. Overall, DHS has made some progress, but significant challenges remain to concurrently transform DHS into a more effective organization with robust planning, management, and operations while maintaining and improving readiness for its highly critical mission to secure the homeland. Therefore, DHS's transformation remains high risk. What Remains to Be Done: Successful transformations of large organizations, even those faced with less strenuous reorganizations and pressure for immediate results than DHS, can take from 5 to 7 years to take hold on a sustainable basis. For DHS to successfully address its daunting management challenges and transform itself into a more effective organization, it needs to (1) develop a departmentwide implementation and transformation strategy that includes comprehensive threat and risk assessment and strategic management principles to set goals and priorities, focus its limited resources, and establish key milestones and accountability provisions; (2) develop adequate performance measures and evaluation plans; (3) provide sound and innovative human capital management; and (4) follow through on its corrective actions to address management, programmatic, and partnering challenges. Related Products: Implementing and Transforming the Department of Homeland Security: GAO Products: Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Facility Protection Efforts and Promote Key Practices. GAO- 05-49. Washington, D.C.: November 30, 2004. Homeland Security: Effective Regional Coordination Can Enhance Emergency Preparedness. GAO-04-1009. Washington, D.C.: September 15, 2004. Department of Homeland Security: Formidable Information and Technology Management Challenge Requires Institutional Approach. GAO-04-702. Washington, D.C.: August 27, 2004. Homeland Security: Transformation Strategy Needed to Address Challenges Facing the Federal Protective Service. GAO-04-537. Washington D.C.: July 14, 2004. The Chief Operating Officer Concept and its Potential Use as a Strategy to Improve Management at the Department of Homeland Security. GAO-04- 876R. Washington, D.C.: June 28, 2004. Human Capital: DHS Faces Challenges in Implementing Its New Personnel System. GAO-04-790. Washington, D.C.: June 18, 2004. Transportation Security Administration: High-Level Attention Needed to Strengthen Acquisition Function. GAO-04-544. Washington, D.C.: May 28, 2004. Homeland Security: Summary of Challenges Faced in Targeting Oceangoing Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 31, 2004. Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. GAO-04-569T. Washington, D.C.: March 18, 2004. Contract Management: Coast Guard's Deepwater Program Needs Increased Attention to Management and Contractor Oversight. GAO-04-380. Washington, D.C.: March 9, 2004. Aviation Security: Challenges Exist in Stabilizing and Enhancing Passenger and Baggage Screening Operations. GAO-04-440T. Washington, D.C.: February 12, 2004. DHS Products: Major Management Challenges Facing the Department of Homeland Security. OIG-05-06. DHS Office of the Inspector General. Washington, D.C.: December 2004. For more information on Department of Homeland Security major management challenges, see http://www.gao.gov/pas/2005/dhs.htm: HIGH-RISK SERIES: Department of Defense Business Systems Modernization: GAO Highlights: For additional information about this high-risk area, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. Why Area Is High Risk: Within the context of the Department of Defense's (DOD) business transformation efforts, the department is spending billions of dollars to modernize its business systems. While some aspects of its systems modernization management have been improved, many of the underlying conditions that contributed to past failures to improve these systems remain fundamentally unchanged. As a result, DOD as a whole remains far from where it needs to be to effectively and efficiently manage an undertaking with the size, complexity, and significance of its departmentwide business systems modernization. GAO first designated this program as high risk in 1995; it remains so today. What GAO Found: DOD, one of the largest and most complex organizations in the world, reported that it relies on over 4,000 systems to conduct its business operations. These systems currently function in a stovepiped, duplicative, and nonintegrated environment that contributes to the department's operational problems. For years, DOD has attempted to modernize these systems, and GAO has provided numerous recommendations to help guide modernization efforts. For example, in 2001 GAO provided DOD with a set of recommendations to help it develop and use an enterprise architecture (modernization blueprint) and establish effective investment management controls to guide and constrain how it was spending billions of dollars annually on information technology systems. GAO also made numerous project-specific and DOD-wide recommendations aimed at getting DOD to follow proven best practices when it acquired systems solutions. While DOD agreed with most of these recommendations, to date the department has made uneven progress in addressing them. After 3 years and over $200 million in obligations, DOD still has not developed a business enterprise architecture containing sufficient scope and detail to guide and constrain its departmentwide systems modernization and business transformation. One reason for this limited progress is its failure to adopt key architecture management best practices that GAO recommended, such as developing plans for creating the architecture; assigning accountability and responsibility for directing, overseeing, and approving the architecture; and defining performance metrics for evaluating it. Furthermore, the department still lacks an effective investment management process for selecting and controlling ongoing and planned business systems investments. While it has issued a policy that assigns investment management responsibilities for business systems, it has not yet defined the detailed procedures necessary for implementing the policy, clearly defined the roles and responsibilities of the business domain owners, established common investment criteria, or ensured that its business systems are consistent with the architecture. Instead, each DOD component continues to make its own parochial investment decisions. Finally, DOD incorporated some, but not all, key acquisition best practices and needed controls in its revised systems acquisition policies and guid