This is the accessible text file for GAO report number GAO-07-310 entitled 'High-Risk Series: An Update' which was released on January 31, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: January 2007: High-Risk Series: An Update: GAO-07-310: GAO Highlights: Highlights of GAO-07-310, a report to Congress on GAO’s High-Risk Series Why GAO Did This Study: GAO’s audits and evaluations identify federal programs and operations that, in some cases, are high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. In recent years, GAO also has identified high-risk areas to focus on the need for broad-based transformations to address major economy, efficiency, or effectiveness challenges. Since 1990, GAO has periodically reported on government operations it has designated as high risk. In this 2007 update for the 110th Congress, GAO presents the status of high-risk areas identified in 2005 and new high-risk areas warranting attention by Congress and the executive branch. Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the public, strengthen confidence and trust in the performance and accountability of the U.S. government, and ensure the ability of government to deliver on its promises. What GAO Found: In its January 2005 update, GAO identified 25 high-risk areas and, in March 2006, added a 26th area. Since 2005, progress has been made in all areas, although the extent varies by area. Both the executive branch and Congress have shown a continuing commitment to addressing high-risk challenges and taken steps to help correct several of their root causes. High-risk areas were also among the suggested areas for oversight for the 110th Congress that GAO recently provided to congressional leadership. Sufficient progress has been made to remove the high-risk designation from two areas: U.S. Postal Service transformation efforts and long-term outlook and HUD single-family mortgage insurance and rental housing assistance programs. Other areas made significant progress, but not enough to be removed from the list this cycle. Continued attention from the executive branch and Congress is needed to make additional progress in other high-risk areas. This year, GAO is designating three new high-risk areas. The first new area—critical to the nation’s economic development—involves transportation financing and capacity. Revenues to support federal transportation trust funds are eroding at a time when investment is needed to expand capacity to address congestion caused by increasing passenger and freight travel. Given these problems, Congress and, for some issues, the Department of Transportation should reassess the federal role, revenue increase mechanisms, and funding allocations to better position the federal government to address financing and capacity challenges. The second area involves effective protection of technologies critical to U.S. national security. Technologies that underpin U.S. economic and military strength continue to be targets for theft, espionage, reverse engineering, and illegal export. Government programs established decades ago to protect critical technologies are ill-equipped to weigh competing U.S. interests as the security environment and technological innovation continue to evolve in the 21st century. Accordingly, we are designating the effective identification and protection of critical technologies as a governmentwide high-risk area that warrants a strategic re-examination of existing programs to identify needed changes and ensure the advancement of U.S. interests. The third area being designated as high risk involves federal oversight of food safety because of risks to the economy and to public health and safety. Agriculture, as the largest industry and employer in the United States, generates more than $1 trillion in economic activity annually. Any food contamination could undermine consumer confidence in the government’s ability to ensure the safety of the U.S. food supply, as well as cause severe economic consequences. The current fragmented federal system has caused inconsistent oversight, ineffective coordination, and inefficient use of resources. GAO has recommended that Congress consider a fundamental re-examination of the system and other improvements to help ensure the rapid detection of and response to any accidental or deliberate contamination of food before public health and safety is compromised. What GAO Recommends: This report contains GAO’s views on what remains to be done to bring about lasting solutions for each high-risk area. Perseverance by the executive branch in implementing GAO’s recommended solutions and continued oversight and action by Congress are both essential to achieving and sustaining progress. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-310. To view the full product, click on the link above. For more information, contact George H. Stalcup at (202) 512-9490 or stalcupg@gao.gov. [End of Section] GAO's 2007 High-Risk List: 2007 High-Risk Areas: Addressing Challenges in Broad-Based Transformations: * Strategic Human Capital Management[A]; * Managing Federal Real Property[A]; * Protecting the Federal Government's Information systems and the Nation's Critical Infrastructures; * Implementing and Transforming the Department of Homeland Security; * Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security; * DOD Approach to Business Transformation[A]; - DOD Business Systems Modernization; - DOD Personnel Security Clearance Program; - DOD Support Infrastucture Management; - DOD Financial Management; - DOD Supply Chain Management; - DOD Weapons Systems Acquisition; * FAA Air Traffic Control Modernization; * Financing the Nation's Transportation System[A] (New); * Ensuring the effective Protection of Technologies Critical to U.S. National Security Interests[A] (New); * Transforming Federal Oversight of Food Safety[A] (New). Managing Federal Contracting More Effectively; * DOD Contract Management; * DOE Contract Management; * NASA Contract Management; * Management of Interagency Contracting. Assessing the Efficiency and Effectiveness of tax law Administration; * Enforcement of tax laws[A]; * IRS Business Systems Modernization. Modernizing and safeguarding Insurance and Benefit Programs; * Modernizing Federal Disability Programs[A]; * Pension Benefit Guaranty Corporation Single-Employer Pension Insurance Program; * Medicare Program[A]; * Medicaid Program[A]; * National Flood Insurance Program[A]. Source: GAO. [A] Legislation is likely to be necessary, as a supplement to actions by the executive branch, in order to effectively address this high-risk area. [End of table] Contents: Letter: Historical Perspective: High-Risk Designations Removed: U.S. Postal Service's Transformation Efforts and Long-Term Outlook: HUD's Single-Family Mortgage Insurance and Rental Housing Assistance Programs: New High-Risk Areas: Financing the Nation's Transportation System: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: Transforming Federal Oversight of Food Safety: Progress Being Made in Other High-Risk Areas: Highlights for Each High-Risk Area: Tables: Table 1: Changes to GAO's High-Risk List, 1990 to 2007: Table 2: Areas Removed from GAO's High-Risk List, 1990-2007: Table 3: Year That Areas on GAO's 2007 High-Risk List Were Designated as High Risk: Table 4: U.S. Government Programs for the Identification and Protection of Critical Technologies: Figure: Figure 1: Current Highway Trust Fund Year-End Balance Forecasts: United States Government Accountability Office: Washington, DC 20548: Comptroller General of the United States: January 2007: The President of the Senate: The Speaker of the House of Representatives: Since 1990, GAO has periodically reported on government programs and operations that it identifies as "high risk." This effort, which is supported by the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform, has brought a much needed focus to a targeted list of major challenges that are impeding effective government and costing the government billions of dollars each year. To help improve these high-risk operations, GAO has made hundreds of recommendations. Moreover, GAO's focus on high- risk problems contributed to Congress enacting a series of governmentwide reforms to address critical human capital challenges, strengthen financial management, improve information technology practices, and instill a more effective, credible, and results-oriented government. GAO's high-risk status reports are provided at the start of each new Congress to help in setting congressional oversight agendas. These reports also help Congress and the executive branch carry out their responsibilities while improving the government's performance and enhancing its accountability for the benefit of the American people. In this regard, I recently provided congressional leadership with a set of recommendations based on GAO's work, including work on areas we have designated as high risk, for its consideration in developing the oversight agenda of the 110th Congress. Together, the high-risk update and the recommendations for oversight can help congressional decision makers focus on the key management challenges facing the nation. The nation also continues to face broader policy challenges associated with the current long-term fiscal imbalance and other key sustainability challenges, as well as the need to ensure the federal government is transparent, economical, efficient, effective, ethical, and equitable. Addressing these challenges will require Congress to make tough choices that fundamentally re-examine and transform the government to be more effective in the 21st century. The infrastructure to support these decisions is not fully in place, and focused attention by the legislative and executive branches is needed to make progress. In this regard, in the coming months, I plan to highlight the set of tools needed to support more strategic decision making related to these broader challenges facing our nation. These tools will center on expanding the governmentwide focus on results; improving transparency through better financial and performance management reporting; building structures and processes that facilitate more strategic, systemic, and integrated solutions; and transforming federal organizations, functions, and operations. This report summarizes progress made in correcting high-risk problems, actions under way, and further actions that GAO believes are needed. In addition, GAO has determined that sufficient progress has been made to remove the high-risk designation from two areas: the U.S. Postal Service's transformation efforts and long-term outlook, and the Department of Housing and Urban Development's single-family mortgage insurance and rental housing assistance programs. GAO has also designated three new areas as high risk: financing the nation's transportation system, ensuring the effective protection of technologies critical to U.S. national security interests, and transforming federal oversight of food safety. Furthermore, the Department of Defense (DOD) continues to dominate the high-risk list. Specifically, DOD has eight of its own high-risk areas and shares responsibility for seven governmentwide high-risk areas. In recent years, GAO's high-risk program has increasingly focused on those major programs and operations that need urgent attention and transformation in order to ensure that our national government functions in the most economical, efficient, and effective manner possible. Further, the administration has looked to GAO's program in shaping governmentwide initiatives such as the President's Management Agenda; and more recently, the administration undertook an effort to encourage agencies to develop corrective action plans for high-risk areas. As in prior GAO high-risk update reports, federal programs and operations are also emphasized when they are at high risk because of their greater vulnerabilities to fraud, waste, abuse, and mismanagement. In addition, some of these high-risk agencies, programs, or policies are in need of transformation, and several items will require action by both the executive branch and Congress. Our objective for the high-risk list is to bring visibility and urgency to these areas in order to prompt needed actions sooner rather than later. Copies of this update are being sent to the President, the congressional leadership, other Members of Congress, the Director of the Office of Management and Budget, and the heads of major departments and agencies. Signed by: David M. Walker: Comptroller General of the United States: Historical Perspective: In 1990, GAO began a program to report on government operations that we identified as "high risk." Since then, generally coinciding with the start of each new Congress, we have periodically reported on the status of progress to address high-risk areas and updated our high-risk list. Our most recent high-risk update was in January 2005.[Footnote 1] Overall, our high-risk program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since our program began, the government has taken high-risk problems seriously and has made long- needed progress toward correcting them. In some cases, progress has been sufficient for us to remove the high-risk designation. A summary of changes to our high-risk list over the past 17 years are shown in table 1. Areas removed from the high-risk list over that same period are shown in table 2. The areas on GAO's 2007 high-risk list, and the year each was designated as high risk, are shown in table 3. Table 1: Changes to GAO's High-Risk List, 1990 to 2007: Original high-risk list in 1990; Number of areas: 14. High-risk areas added since 1990; Number of areas: 33. High-risk areas removed since 1990; Number of areas: 18. High-risk areas consolidated since 1990; Number of areas: 2. High-risk list in 2007; Number of areas: 27. Source: GAO. [End of table] Table 2: Areas Removed from GAO's High-Risk List, 1990-2007: Area: Federal Transit Administration Grant Management; Year removed: 1995; Year designated high risk: 1990. Area: Pension Benefit Guaranty Corporation; Year removed: 1995; Year designated high risk: 1990. Area: Resolution Trust Corporation; Year removed: 1995; Year designated high risk: 1990. Area: State Department Management of Overseas Real Property; Year removed: 1995; Year designated high risk: 1990. Area: Bank Insurance Fund; Year removed: 1995; Year designated high risk: 1991. Area: Customs Service Financial Management; Year removed: 1999; Year designated high risk: 1991. Area: Farm Loan Programs; Year removed: 2001; Year designated high risk: 1990. Area: Superfund Program; Year removed: 2001; Year designated high risk: 1990. Area: National Weather Service Modernization; Year removed: 2001; Year designated high risk: 1995. Area: The 2000 Census; Year removed: 2001; Year designated high risk: 1997. Area: The Year 2000 Computing Challenge; Year removed: 2001; Year designated high risk: 1997. Area: Asset Forfeiture Programs; Year removed: 2003; Year designated high risk: 1990. Area: Supplemental Security Income; Year removed: 2003; Year designated high risk: 1997. Area: Student Financial Aid Programs; Year removed: 2005; Year designated high risk: 1990. Area: Federal Aviation Administration Financial Management; Year removed: 2005; Year designated high risk: 1999. Area: Forest Service Financial Management; Year removed: 2005; Year designated high risk: 1999. Area: HUD Single-Family Mortgage Insurance and Rental Housing Assistance Programs; Year removed: 2007; Year designated high risk: 1994. Area: U.S. Postal Service Transformation Efforts and Long-Term Outlook; Year removed: 2007; Year designated high risk: 2001. Source: GAO. [End of table] Table 3: Year That Areas on GAO's 2007 High-Risk List Were Designated as High Risk: Area: Medicare Program; Year designated high risk: 1990. Area: DOD Supply Chain Management; Year designated high risk: 1990. Area: DOD Weapon Systems Acquisition; Year designated high risk: 1990. Area: DOE Contract Management; Year designated high risk: 1990. Area: NASA Contract Management; Year designated high risk: 1990. Area: Enforcement of Tax Laws; Year designated high risk: 1990. Area: DOD Contract Management; Year designated high risk: 1992. Area: DOD Financial Management; Year designated high risk: 1995. Area: DOD Business Systems Modernization; Year designated high risk: 1995. Area: IRS Business Systems Modernization; Year designated high risk: 1995. Area: FAA Air Traffic Control Modernization; Year designated high risk: 1995. Area: Protecting the Federal Government's Information Systems and the Nation's Critical Infrastructures; Year designated high risk: 1997. Area: DOD Support Infrastructure Management; Year designated high risk: 1997. Area: Strategic Human Capital Management; Year designated high risk: 2001. Area: Medicaid Program; Year designated high risk: 2003. Area: Managing Federal Real Property; Year designated high risk: 2003. Area: Modernizing Federal Disability Programs; Year designated high risk: 2003. Area: Implementing and Transforming the Department of Homeland Security; Year designated high risk: 2003. Area: Pension Benefit Guaranty Corporation Single-Employer Pension Insurance Program; Year designated high risk: 2003. Area: Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security; Year designated high risk: 2005. Area: DOD Approach to Business Transformation; Year designated high risk: 2005. Area: DOD Personnel Security Clearance Program; Year designated high risk: 2005. Area: Management of Interagency Contracting; Year designated high risk: 2005. Area: National Flood Insurance Program; Year designated high risk: 2006. Area: Financing the Nation's Transportation System; Year designated high risk: 2007. Area: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests; Year designated high risk: 2007. Area: Transforming Federal Oversight of Food Safety; Year designated high risk: 2007. Source: GAO. [End of table] Over the years, 18 areas have been removed from the high-risk list. Eight of these were among the 14 programs and operations we determined to be high risk at the outset of our efforts to monitor such programs. These results demonstrate that the sustained attention and commitment by Congress and agencies to resolve serious, long-standing high-risk problems have paid off, as root causes of the government's exposure for more than half of our original high-risk list have been successfully addressed. Historically, high-risk areas have been so designated because of traditional vulnerabilities related to their greater susceptibility to fraud, waste, abuse, and mismanagement. As our high-risk program has evolved, we have increasingly used the high-risk designation to draw attention to areas associated with broad-based transformations needed to achieve greater economy, efficiency, effectiveness, accountability, and sustainability of selected key government programs and operations. Perseverance by the executive branch is needed in implementing our recommended solutions for addressing these high-risk areas. Continued congressional oversight and, in some cases, additional legislative action will also be key to achieving progress, particularly in addressing challenges in broad-based transformations. To determine which federal government programs and functions should be designated high risk, we use our guidance document, Determining Performance and Accountability Challenges and High Risks.[Footnote 2] In determining whether a government program or operation is high risk, we consider whether it involves national significance or a management function that is key to performance and accountability. We also consider whether the risk is: * an inherent problem, such as may arise when the nature of a program creates susceptibility to fraud, waste, and abuse, or: * a systemic problem, such as may arise when the programmatic; management support; or financial systems, policies, and procedures established by an agency to carry out a program are ineffective, creating a material weakness. Further, we consider qualitative factors, such as whether the risk: * involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens' rights, or: * could result in significantly impaired service; program failure; injury or loss of life; or significantly reduced economy, efficiency, or effectiveness. In addition, we also consider the exposure to loss in monetary or other quantitative terms. At a minimum, $1 billion must be at risk in areas such as the value of major assets being impaired; revenue sources not being realized; major agency assets being lost, stolen, damaged, wasted, or underutilized; improper payments; and contingencies or potential liabilities. Before making a high-risk designation, we also consider corrective measures planned or under way to resolve a material control weakness and the status and effectiveness of these actions. When legislative and agency actions, including those in response to our recommendations, result in significant and sustainable progress toward resolving a high-risk problem, we remove the high-risk designation. Key determinants here include a demonstrated strong commitment to and top leadership support for addressing problems, the capacity to do so, a corrective action plan, and demonstrated progress in implementing corrective measures. The next section discusses how we applied our criteria in determining what high-risk designations to remove and what to add for our 2007 update. [End of section] High-Risk Designations Removed: For our 2007 high-risk update, we determined that sufficient progress has been made to warrant removing two areas from the high-risk list: the U.S. Postal Service's transformation efforts and long-term outlook and the Department of Housing and Urban Development's (HUD) single- family mortgage insurance and rental housing assistance programs. As we have with areas previously removed from the high-risk list, we will continue to monitor these programs, as appropriate, to ensure that the improvements we have noted are sustained. U.S. Postal Service Transformation Efforts and Long-Term Outlook: In 2001, we designated the Postal Service's (Service) transformation efforts and long-term outlook as high risk because the Service's financial outlook had deteriorated significantly. The Service had a projected deficit of $2 billion to $3 billion, severe cash flow pressures, its debt was approaching the statutory borrowing limit; cost growth was outpacing revenue increases; and productivity gains were limited. Other challenges the Service faced included liabilities that exceeded assets by $3 billion at the end of fiscal year 2002; major liabilities and obligations estimated at close to $100 billion; a restructuring of the workforce due to impending retirements and operational changes; and long-standing labor-management relations problems. We were also concerned that the Service had no comprehensive plan to address its financial, operational, or human capital challenges, including how it planned to reduce its debt, and it did not have adequate financial reporting and transparency that would allow the public to understand changes in its financial situation. Thus, we recommended that the Service develop a comprehensive plan, in conjunction with other stakeholders, that would identify the actions needed to address its challenges and provide publicly available quarterly financial reports with sufficient information to understand the Service's current and projected financial condition. As the Service's financial difficulties continued in 2002, we concluded that the need for a comprehensive transformation of the Service was more urgent than ever. The Service's basic business model, which assumed that rising mail volume would cover rising costs and mitigate rate increases, was outmoded as mail volumes stagnated or deteriorated in an increasingly competitive environment. We called for Congress to act on comprehensive postal reform legislation. In our January 2003 high-risk report, we noted that the Service had made progress by issuing a Transformation Plan in April 2002 and was beginning to implement the plan. However, no consensus had been reached on the Service's future, and we continued to have concerns about its financial outlook. Subsequently, the Service gained some financial breathing room primarily because legislation enacted in April 2003 reduced the Service's payments for its pension obligations, which allowed the Service to achieve record net income, repay debt, and delay rate increases until January 2006. In addition, a presidential commission issued a report in July 2003 with a proposed future vision for the Service and recommendations to ensure the viability of postal services, and Congress considered proposed postal reform legislation. Since 2003, the Service has continued to make progress in addressing its financial and human capital challenges, it improved its financial reporting by instituting quarterly financial reports, and it updated its Transformation Plan in September 2005. At the end of fiscal year 2005, the Service had paid off its debt. In addition, as of the end of fiscal year 2006, it had achieved 7 consecutive years of productivity gains, positive net income for fiscal years 2003 through 2006, more than $5 billion in cost savings since 2001, and it reduced its complement by 95,000 since 2001. Also, in December 2006, the Service reached tentative compensation contract agreements, subject to ratification by union members, with three of its four major unions. Very importantly, significant progress was also made when Congress enacted comprehensive postal reform legislation in December 2006, which provides a framework for modernizing the Service's rate-setting processes and addresses the Service's long-term financial obligations by returning responsibility for employees' military pension benefits to the U.S. Treasury and establishing a mechanism for prefunding retiree health benefits. The Postal Service's management has demonstrated a commitment to implementing the Transformation Plan and addressing many of the financial and human capital challenges it faces. Also, the new postal reform legislation gives the Service additional pricing flexibility and allows it to retain earnings, which provide additional mechanisms to address continuing challenges related to the Service's increasingly competitive environment, given new and emerging technologies. These continuing challenges include (1) generating sufficient revenues as First-Class Mail volume declines and the changing mail mix provides less revenue contribution than First-Class Mail, (2) controlling costs as compensation and benefit costs rise, (3) continuing work-hour reductions while maintaining service, (4) optimizing its infrastructure and workforce to reduce costs and improve operational efficiency, and (5) providing reliable data to assess performance. Some of the Service's challenges relate to governmentwide challenges that remain on our high-risk list, such as strategic human capital management and managing federal real property. In the human capital area, the Service continues to faces challenges related to managing workforce changes due to retirements and network consolidations and implementing performance-based compensation systems. In the real property area, significant challenges remain related to how the Service is planning and implementing infrastructure realignment to reduce excess capacity as well as reflect changes in operations. Further challenges persist related to the Service's identification and disposal of excess property. We plan to closely monitor these challenges to ensure that they are addressed. We will also monitor the implementation of the postal reform legislation to determine how the results and impacts compare with legislative intentions. HUD Single-Family Mortgage Insurance and Rental Housing Assistance Programs: In 1994, we designated the U.S. Department of Housing and Urban Development (HUD) as high risk because of fundamental management and organizational problems that put billions of dollars in insured mortgages and housing and community development assistance at risk. In 2001, we narrowed the high-risk designation to HUD's single-family mortgage insurance and rental housing assistance programs because progress was made overall, but significant and persistent problems in these two program areas remained. Consistent with this designation, four of the five material weaknesses cited in the audit report on HUD's fiscal year 2001 financial statements related to these programs. Under these programs, HUD manages more than $400 billion in insured mortgages and annually spends about $30 billion to subsidize rents for lower- income households. To accomplish this, HUD relies on thousands of intermediaries, including lenders, appraisers, property management contractors, public housing agencies, and multifamily property owners. Historically, weaknesses in HUD's oversight of these entities have made the programs vulnerable to fraud, waste, and abuse. For example, in prior high-risk updates we noted that deficiencies in HUD's approval, monitoring, and enforcement efforts for lenders and appraisers increased the risk of insurance losses. In the rental assistance program area, we reported that problems with HUD's monitoring of public housing agencies and multifamily property owners contributed to billions of dollars in improper rent subsidy payments (i.e., payments that were too high or too low). In our January 2005 high-risk update, we reported that HUD had demonstrated commitment to and progress in addressing weaknesses in the two high-risk program areas but that some of HUD's corrective actions were in the early stages of implementation and additional steps were needed to resolve ongoing problems. For example, in the single-family mortgage insurance area, we reported that HUD had improved its oversight of lenders and appraisers and issued or proposed regulations to strengthen lender accountability and combat predatory lending practices. However, we also noted that HUD continued to grant loan underwriting authority to lenders that had not met the agency's performance standards, and that weaknesses in HUD's process for paying single-family property management contractors made the agency vulnerable to questionable and potentially fraudulent payments. In the rental housing assistance program area, we reported that HUD made progress in reducing improper rental assistance payments. However, we also noted that HUD had not fully implemented a critical part of its efforts to reduce improper rental assistance payments--the verification of tenant incomes using a Web-based data system--and it was uncertain whether the agency would be able to sustain the reductions it had already achieved. HUD had also made progress in ensuring that HUD- assisted housing met the agency's physical condition standards. Since 2005, HUD has continued to demonstrate a commitment to and capacity for resolving risks, develop corrective action plans, institute programs to monitor and evaluate the effectiveness of corrective measures, and demonstrate progress in implementing corrective measures. For example, HUD has continued to take actions to address long-standing problems in its single-family mortgage insurance programs, and has addressed more recently identified problems. More specifically: * In accordance with our recommendations, HUD has made progress in implementing its corrective action plan for improving oversight of lenders. Specifically, HUD has developed and implemented new and clearer guidance for granting lenders underwriting authority. HUD has hired a contractor to review the implementation of the new guidance and plans to conduct additional monitoring through periodic internal reviews. Additionally, in 2005, HUD modified its system for rating the underwriting quality of loans in a way intended to focus more on underwriting errors that are likely to affect HUD's insurance risk.[Footnote 3] * HUD made substantial progress in implementing its corrective action plan to address weaknesses we identified in its process for paying single-family property management contractors.[Footnote 4] For example, in response to our recommendations, HUD has developed a financial control manual that contains internal control procedures and policies, including strict documentation requirements, for HUD field staff to use in reviewing and approving payments. To ensure the effectiveness of these corrective measures, HUD retained an independent public accountant to periodically review the performance of the property managers and test HUD field offices for compliance with the internal control policies and procedures. * In September 2005, we reported that HUD consistently underestimated the subsidy costs for its single-family mortgage insurance program.[Footnote 5] To more reliably estimate program costs, we recommended that HUD study and report in the annual actuarial review of its insurance fund the impact of variables not in the agency's loan performance models that have been found in other studies to influence credit risk. Consistent with our recommendation, a HUD contractor incorporated variables for down-payment assistance and borrower credit history into the actuarial review. According to HUD, the contractor will continue to improve the forecasting ability of the models as necessary using research and development funds provided for in the contract. The audit report on HUD's fiscal year 2006 financial statements eliminated the agency's only two outstanding material weaknesses because of the improvements HUD made to its process for estimating subsidy costs. * In an April 2006 report, we cited factors limiting the effectiveness of HUD's mortgage scorecard (an automated tool that evaluates the default risk of borrowers).[Footnote 6] In response to our recommendations, HUD developed a policy and procedures manual that calls for annual (1) monitoring of the scorecard's ability to predict loan default, (2) testing of additional predictive variables to include in the scorecard, and (3) updating the scorecard with recent loan performance data. HUD has also taken actions to address the remaining problems in its rental housing assistance programs. For example: * HUD continued to reduce the amount of improper rent subsidies and exceeded goals set in The President's Management Agenda, Fiscal Year 2002. HUD's goal for fiscal year 2005 was to reduce improper rent subsidies by 50 percent, compared with fiscal year 2000, when HUD paid an estimated $2.2 billion in improper subsidies. HUD exceeded this goal by reducing estimated improper subsidies to $925 million in fiscal year 2005, a decline of 58 percent. Although the amount of improper subsidies is still sizable, because of this progress the audit report on HUD's fiscal year 2005 financial statements eliminated a long- standing material weakness related to oversight and monitoring of subsidy calculations. In accordance with the Improper Payments Information Act of 2002, HUD plans to continue monitoring the effectiveness of its corrective actions by making annual estimates of improper payments. * In 2006, HUD executed an important part of its plan for reducing improper rental assistance payments by implementing a Web-based system that provides public housing agencies with an efficient method for validating the incomes of families receiving assistance. This system, which HUD also plans to implement for multifamily property owners, utilizes a database containing wage, unemployment, and new hire information compiled by the Department of Health and Human Services. HUD expects that the system will avoid an estimated $6 billion in improper rent subsidies over 10 years. * In response to our recommendations, HUD made on-site reviews of public housing agencies' compliance with policies for determining rent subsidies a permanent part of its oversight activities.[Footnote 7] Beginning in fiscal year 2006, HUD committed resources to review 275 public housing agencies annually. HUD also developed and implemented a system designed to collect complete and consistent information from these reviews to help focus corrective actions where needed. * HUD has continued to monitor the physical condition of HUD-assisted housing, and its assessments indicate a substantial level of compliance with the agency's physical standards. HUD physical inspections showed that in fiscal years 2005 and 2006, about 94 percent of HUD-assisted properties had satisfactory inspection scores. In addition, HUD has made progress on human capital, acquisition management, and information technology issues that in previous years we cited as major management challenges contributing to HUD's high-risk designation. For example, consistent with our recommendations, in 2005 HUD finalized guidance for implementing a comprehensive strategic workforce plan that identifies the knowledge, skills, and abilities HUD needs and the actions that it plans to take to build its workforce for the future.[Footnote 8] HUD also developed a new succession management plan to help ensure that the large number of staff expected to retire over the next several years are replaced with qualified employees. In the acquisition management area, HUD responded to our recommendations by developing guidance emphasizing the use of contract administration plans and a risk-based approach for overseeing the work of contractors.[Footnote 9] Finally, HUD has made progress in its information technology by reducing the number of noncompliant financial management systems from 17 in 2003 to 2 in 2006. We are removing the high-risk designation from HUD's single-family mortgage insurance and rental housing assistance programs because of the agency's progress in addressing problems in these areas. However, it will be important for HUD to continue to place a high priority on efficient and effective management of these programs. Proposed program changes could introduce new risks and oversight challenges. More specifically, HUD has proposed changes to its single-family mortgage insurance program that would increase the size of the mortgages the agency could insure, give the agency flexibility to set insurance premiums based on the credit risk of borrowers, and reduce down-payment requirements from the current 3 percent to potentially zero. However, to implement this legislative proposal, HUD would have to manage new risks and accurately estimate the costs of program changes. The administration has also made legislative proposals to replace HUD's largest rental housing assistance program (the Housing Choice Voucher program) with a broader-purpose grant program. While such proposals could help control rental subsidy costs and increase administrative flexibility for public housing agencies, they also could complicate HUD's oversight efforts by eliminating the uniformity of the current program. [End of section] New High-Risk Areas: GAO's use of the high-risk designation to draw attention to the challenges associated with the economy, efficiency, and effectiveness of government programs and operations in need of broad-based transformation has led to important progress. We will also continue to identify high-risk areas based on the more traditional focus on fraud, waste, abuse, and mismanagement. Our focus will continue to be on identifying the root causes behind vulnerabilities, as well as actions needed on the part of the agencies involved and, if appropriate, Congress. For 2007, we have designated the following three new areas as high risk: financing the nation's transportation system, ensuring the effective protection of technologies critical to U.S. national security interests, and transforming federal oversight of food safety. Financing the Nation's Transportation System: The nation's economic vitality and its citizens' quality of life depend significantly on the efficiency of its transportation infrastructure. This efficiency is threatened by increasing congestion. For example, travel on roads is expected to increase by about 25 percent from 2000 to 2010, freight traffic is expected to increase by 43 percent from 1998 to 2010, and air traffic is expected to triple by 2025. As congestion increases, the federal government faces the challenge of providing funds to help maintain and expand the nation's transportation system and ensuring that these funds are used efficiently. However, revenues from traditional funding mechanisms may not keep pace with demand. Furthermore, the nation's long-term fiscal challenges limit the ability of decision makers to look to other revenue sources that are currently funding security and other vital needs, raising questions about the ability of federal programs to provide the robust growth that many transportation advocates believe is required to meet the nation's mobility needs. Compounding these funding constraints is the absence of a link between federal grant funding levels and specific performance- related goals and outcomes, resulting in little assurance that federal funding is being channeled to the nation's most critical mobility needs. In addition, federal funding is often tied to a single transportation mode, which may limit the use of federal funds to finance the greatest improvements in mobility. Revenues to support the Highway Trust Fund--the major source of federal highway and transit funding--are eroding. Receipts for the Highway Trust Fund, which are derived from motor fuel and truck-related taxes (on truck and trailer sales, truck tires, and heavy-vehicle use) are continuing to grow. However, the federal motor fuel tax rate of 18.4 cents per gallon has not been increased since 1993, and thus the purchasing power of fuel tax revenues has eroded with inflation. Furthermore, that erosion will continue with the introduction of more fuel-efficient vehicles and alternative-fueled vehicles in the coming years, raising the question of whether fuel taxes are a sustainable source for financing transportation. In addition, funding authorized in the recently enacted highway and transit program legislation is expected to outstrip the growth in trust fund receipts. As a result, the Department of the Treasury and the Congressional Budget Office are forecasting that the trust fund balance will steadily decline and reach a negative balance by the end of fiscal year 2011. (See fig. 1.) On a positive note, the 2005 reauthorization of the trust fund and its related programs established a commission--chaired by the Secretary of Transportation and which will report later this year--to recommend approaches for placing the trust fund on a sustainable path. Figure 1: Current Highway Trust Fund Year-End Balance Forecasts: [See PDF for image] Source: GAO analysis of data provided in the President's budget and by CBO. [End of figure] In the face of these constraints, state and local governments are pursuing alternative mechanisms that have the potential to meet mobility and financing needs and help decision makers carry out and grow their surface transportation programs. For example, many states are pursuing tolling projects that have the promise to raise revenues, improve capital investment decisions by better targeting spending for new capacity, and enhance private-sector investment in public infrastructure. Tolls that vary according to the level of congestion (called congestion or value pricing) can maintain a predetermined level of service, create incentives for drivers to avoid driving alone in congested conditions, and encourage drivers to use public transportation or travel at less congested times. One state, Oregon, is studying the technical feasibility of replacing its motor fuel tax with a per-mile user fee. Intercity passenger rail service is also at a critical juncture. The existing intercity passenger rail system is in poor financial condition, and the federal funds provided for it are not targeted to the greatest public benefits, such as transportation congestion relief. The current service provider (Amtrak) continues to rely heavily on federal subsidies--over $1 billion annually in recent years--and will require billions more to address deferred maintenance and achieve a "state of good repair."[Footnote 10] This current crisis is not unusual; Amtrak has struggled to become financially solvent since its inception. We have recommended that Congress consider restructuring the nation's intercity passenger rail system, which would entail establishing clear goals for the system, defining the roles of key stakeholders (including the federal government), and developing funding mechanisms that include cost sharing between the federal government and other beneficiaries. The freight railroad industry is projected to grow substantially with expected increases in freight traffic, but the industry's ability to fund this projected growth is largely uncertain. For private companies seeking to maximize returns for shareholders, railroad investment poses a substantial risk. But railroad investment is critical to freight mobility and economic growth, and investments in rail projects can produce public benefits, such as reducing highway congestion, strengthening intermodal connections and the efficiency of the publicly owned transportation system, and enhancing public safety and the environment. As a result, the federal and state governments have increasingly invested public funds in freight rail projects, such as the $100 million that Congress provided in 2005 for rail infrastructure improvements in the Chicago area. In the years ahead, Congress is likely to receive further requests for funding and face additional decisions about potential federal policy responses and the federal role in the nation's freight railroad infrastructure. In the highly constrained federal funding environment, such policy responses need to recognize that the freight transportation system functions in a competitive marketplace, calling for a mode-neutral approach. Currently, as we have reported, the trucking and barge industries have a competitive price advantage over railroads because trucks and barges use infrastructure that is owned and maintained by the government, whereas rail companies use infrastructure that they pay to own and maintain.[Footnote 11] In addition, decision makers will be challenged to make investment decisions that reflect public priorities and are designed to achieve demonstrable, wide-ranging public benefits that warrant the commitment of scarce federal funds. Federal aviation programs are also facing growing infrastructure demands and constrained resources. To meet the anticipated increases in commercial aviation travel, the Federal Aviation Administration (FAA) and aviation stakeholders are developing the "next-generation air transportation system" (NGATS) to modernize the nation's air traffic control (ATC) infrastructure and increase capacity. This effort is complex and costly: Under one scenario that includes a limited, preliminary cost estimate for NGATS, FAA's budget would, on average, exceed FAA's fiscal year 2006 appropriation level by about $1 billion a year (in today's dollars) through 2025. FAA and some stakeholders have raised doubts about the ability of the current funding system--the Aviation Trust Fund--to generate revenues to meet these budgetary needs equitably and efficiently over time. Specifically, FAA and some stakeholders are concerned that as FAA's workload (and, therefore, costs) rises, there will be no corresponding increase in its revenues because of the greater use of smaller aircraft and a decline in inflation-adjusted airfares. Trends in these data provide support for these concerns. While FAA has a history of cost control problems associated with ATC modernization, it has made a number of important management improvements. However, questions remain about FAA's ability to manage the transition to NGATS cost-effectively. However, failing to meet these infrastructure challenges in aviation may have significant consequences, since aviation is an integral part of the economy. FAA is expected to release its proposal to reform the current funding system within the next few months. Given the common challenges spanning the nation's transportation infrastructure, Congress and, for some issues, the Department of Transportation should reassess the following issues for all transportation modes to better position the federal government to address these challenges: 1. the appropriate federal role and strategy in funding, selecting, and evaluating transportation investments; 2. mechanisms to seek alternative sources of revenues and, where appropriate, to increase revenues for infrastructure improvements, including user fees and alternatives to stimulate private investment, while considering their impact on the federal budget; and: 3. funding allocation and monitoring methods to ensure the equity, efficiency, accountability, and performance of transportation investments. Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests: U.S. military strategy is premised on technological superiority on the battlefield. The Department of Defense spends billions of dollars each year for the development and production of high technology weaponry to maintain superiority. These weapons and militarily useful technologies are sold overseas by U.S. companies for economic reasons and by the U.S. government for foreign policy, security, and economic reasons. Yet, the technologies that underpin U.S. military and economic strength continue to be targets for theft, espionage, reverse engineering, and illegal export. At the same time, the programs the U.S. government has in place to protect critical technologies by weighing competing and sometimes conflicting national security, foreign policy, and economic interests have long been criticized by industry and allies for their inability to adapt to a changing world environment and their lack of efficiency. The U.S. government has a myriad of laws, regulations, policies, and processes intended to identify and protect critical technologies so they can be transferred to foreign parties in a manner consistent with U.S. interests. The government's technology protection programs include those that regulate U.S. defense-related exports and investigate proposed foreign acquisitions of U.S. national security-related companies. (See table 4.) Responsibility for administering or overseeing the different programs is divided among multiple federal agencies and several congressional committees. However, in the decades since these programs were put in place, significant forces have heightened the U.S. government's challenge of weighing security concerns with the desire to reap economic benefits. Most notably, in the aftermath of the September 2001 terrorist attacks, the threats facing the nation have been redefined. In addition, the economy has become increasingly globalized as countries open their markets and the pace of technological innovation has quickened worldwide. Government programs established decades ago to protect critical technologies are ill-equipped to weigh competing U.S. interests as these forces continue to evolve in the 21st century. Accordingly, we are designating the effective identification and protection of critical technologies as a governmentwide high-risk area, which warrants a strategic re- examination of existing programs to identify needed changes and ensure the advancement of U.S. interests. Table 4: U.S. Government Programs for the Identification and Protection of Critical Technologies: Program: Militarily Critical Technologies Program; Agencies: Defense; Program's purpose: Identify and assess technologies that are critical for retaining U.S. military dominance; Legal authority: Export Administration Act of 1979. Program: Dual-Use Export Control System; Agencies: Commerce (lead), State, Central Intelligence Agency, Defense, Energy, Homeland Security, and Justice; Program's purpose: Regulate export of dual-use items by U.S. companies after weighing economic, national security, and foreign policy interests; Legal authority: Export Administration Act of 1979. Program: Arms Export Control System; Agencies: State (lead), Defense, Homeland Security, and Justice; Program's purpose: Regulate export of arms by U.S. companies, giving primacy to national security and foreign policy concerns; Legal authority: Arms Export Control Act of 1976. Program: Foreign Military Sales Program; Agencies: State and Defense (leads), Homeland Security; Program's purpose: Provide foreign governments with U.S. defense articles and services to help promote interoperability while lowering the unit costs of weapon systems; Legal authority: Arms Export Control Act of 1976. Program: National Disclosure Policy Process; Agencies: State, Defense, and intelligence community; Program's purpose: Determine the releasibility of classified military information, including classified weapons and military technologies, to foreign governments; Legal authority: National Security Decision Memorandum 119 of 1971. Program: Committee on Foreign Investment in the United States (CFIUS); Agencies: Treasury (lead), Commerce, Defense, Homeland Security, Justice, State, and six offices from the Executive Office of the President; Program's purpose: Investigate the impact of foreign acquisitions on national security and to suspend or prohibit acquisitions that might threaten national security; Legal authority: Exon-Florio Amendment of 1988 to the Defense Production Act of 1950. Program: National Industrial Security Program; Agencies: Defense (lead), applicable to other departments and agencies; Program's purpose: Ensure that contractors (including those under foreign influence, control, or ownership) appropriately safeguard classified information in their possession; Legal authority: Executive Order No. 12829 of 1993. Program: Anti-Tamper Policy; Agencies: Defense; Program's purpose: Establish anti-tamper techniques on weapons systems when warranted as a method to protect critical technologies on these systems; Legal authority: Defense Policy Memorandum, 1999. Sources: GAO (analysis); cited legal authorities (data). [End of table] Over the years, we have identified weaknesses in the effectiveness and efficiency of government programs designed to protect critical technologies while advancing U.S. interests. While each program has its own set of challenges, we found that these weaknesses are largely attributable to poor coordination within complex interagency processes, inefficiencies in program operations, and a lack of systematic evaluations for assessing program effectiveness and identifying corrective actions. The impacts of these weaknesses are not always visible or immediate but, as we have reported, increase the risk of military gains by entities with interests contrary to those of the United States and of financial harm to U.S. companies. Others, including the Office of the National Counterintelligence Executive, congressional committees, and inspectors general, have also reported on vulnerabilities in these programs and the resulting harm--both actual and potential--to U.S. security and economic interests. Several of the programs designed to protect critical technologies are inherently complex. Multiple departments and agencies representing various interests, which at times can be competing and even divergent, participate in decisions about the control and protection of critical U.S. technologies. However, as exemplified below, poor coordination and fundamental disagreements among the departments have had unintended consequences for both national security and economic interests. * Commerce and State have yet to clearly determine which department controls the export of certain missile technology items, which increases the risk that these items will fall into the wrong hands or creates an unlevel playing field for U.S. companies.[Footnote 12] Since Commerce and State have different restrictions on these items, it is important that they define who controls the items. Otherwise, the exporter--not the government--is left to determine which restrictions apply and the type of governmental review. * The departments participating in the Committee on Foreign Investment in the United States (CFIUS) lack a coordinated approach for defining what constitutes a threat to national security and what warrants an investigation to ensure that the risk of foreign ownership is mitigated.[Footnote 13] This lack of agreement among the members, which limits CFIUS's analyses of proposed and completed foreign acquisitions, has been intensified by continued economic globalization and by increasingly diffuse threats. Some CFIUS members have argued that taking a more traditional and narrow view of what constitutes a national security threat can limit the protection of critical infrastructure or the preservation of technological superiority in the defense arena. Recently, member agencies indicated a need for changes to the process and some are currently under way. * Within Defense, the military services and programs have different interpretations of what constitutes military critical technologies, which can result in different conclusions about what technologies need protection through the application of anti-tamper techniques.[Footnote 14] Defense does not coordinate or oversee how the services and programs identify critical technologies needing anti-tamper protection. This creates the vulnerability of having the same technology protected on one weapon system but not on another, thereby exposing both systems to exploitation and compromise. While government officials responsible for administering the programs designed to protect critical technologies may appropriately take time to make decisions as they consider the multiple interests involved, inefficiencies in the various programs have created unnecessary delays in sharing critical technologies with allies. * Although State has implemented a series of initiatives primarily designed to expedite the processing of arms export licenses, we found that these initiatives have generally not been successful.[Footnote 15] Most notably, the department designated the processing of license applications in support of Operations Iraqi Freedom and Enduring Freedom its top priority and established an expedited process for reviewing those applications. However, only 19 percent of the applications submitted through the expedited process for these operations were processed within the goals set by the department.[Footnote 16] These included applications for protective body armor for U.S. and coalition forces and aircraft defensive systems. The departments charged with protecting critical technologies have not systematically evaluated their respective programs to determine whether they are fulfilling their missions in a changing environment and whether corrective actions are needed. * Given its lack of systematic evaluations, Commerce cannot readily identify weaknesses in the dual-use export control system or implement needed corrective measures that allow U.S. companies to compete in the global marketplace while minimizing the risk to other U.S. interests.[Footnote 17] As we and the Office of Management and Budget have reported, Commerce has not established performance measures that provide a basis for assessing the effectiveness of the dual-use export control system. Instead, Commerce relies on narrow measures related to the efficiencies of its processes and anecdotal indications to gauge how well the system is functioning. * After the September 2001 terrorist attacks, State did not make fundamental or significant changes to the arms export control system, its objectives, or implementing regulations.[Footnote 18] State officials maintained that such changes are not needed because they regard the system as effective in keeping U.S. defense items out of enemy hands while ensuring that allies can obtain needed arms. However, State's conclusions regarding the system appear without basis because State has not provided evidence that it systematically assessed the effectiveness of its controls or major initiatives that were intended to facilitate sales to allies. Further, our reports have documented weaknesses and challenges over the years that point to vulnerabilities in the arms export control system and its ability to protect U.S. interests. * Defense cannot provide assurances that its oversight of foreign owned or influenced contractors is sufficient to reduce the risk of foreign interests gaining unauthorized access to U.S. classified information.[Footnote 19] Specifically, Defense does not systematically collect information to know if contractors are reporting certain business transactions, which would enable Defense to know when a contractor has come under foreign influence and determine what protective measures may be needed to reduce the risk of information compromise. For example, one foreign-owned contractor appeared to have had access to U.S. classified information for at least 6 months before a protective measure was implemented. Moreover, Defense neither centrally collects information to determine the magnitude of contractors under foreign influence nor assesses the effectiveness of its oversight so it can identify weaknesses in its protective measures and make necessary adjustments. We have recommended numerous corrective actions to address these weaknesses and inefficiencies, but the departments involved have not implemented many of the recommendations that address the most fundamental problems affecting the protection of critical technologies and the advancement of U.S. interests. Legislation has been introduced to modify or reform aspects of the programs for protecting critical technologies. For example, legislation was introduced in the 109th Congress to reauthorize the Export Administration Act.[Footnote 20] Also, the House of Representatives passed legislation in 2005 to create an interagency strategic export control board charged with conducting a comprehensive evaluation of U.S. export controls and developing recommendations for consolidating export control functions. In addition, the House and Senate passed two different bills in the last Congress, and new legislation has recently been introduced in the House to reform CFIUS and its approach to evaluating proposed foreign acquisitions. However, to date, legislation has not been enacted to overhaul these programs and executive action has not resulted in fundamental changes to these programs. Implementation of our outstanding recommendations should be an interim step in improving the effectiveness and efficiency of existing government programs intended to identify and protect critical technologies. However, further actions are needed. The executive and legislative branches need to re-examine the current government programs to determine whether and how they can collectively achieve their mission and evaluate alternative approaches. The results of these efforts should provide the basis for establishing a comprehensive framework with clear responsibilities and accountability for identifying and protecting critical technologies as global forces continue to reshape U.S. national security and economic interests. Transforming Federal Oversight of Food Safety: This nation enjoys a plentiful and varied food supply that is generally considered to be safe. However, the patchwork nature of the federal oversight of food safety calls into question whether the government can plan more strategically to inspect food production processes, identify and react more quickly to any outbreaks of contaminated food, and focus on achieving results to promote the safety and integrity of the nation's food supply. This challenge is even more urgent since the terrorist attacks of September 11, 2001, heightened awareness of agriculture's vulnerabilities to terrorism, such as the deliberate contamination of food or the introduction of disease to livestock, poultry, and crops. Over several years, we have reported on issues that suggest that food safety could be designated as a high-risk area because of the need for transforming the federal oversight framework to reduce risks to public health as well as the economy. Either an accidental or deliberate contamination of food or the introduction of disease to livestock, poultry, and crops could undermine consumer confidence in the government's ability to ensure the safety of the U.S. food supply, as well as cause severe economic consequences. Each year, about 76 million people contract a food-borne illness in the United States; about 325,000 require hospitalization; and about 5,000 die, according to the Centers for Disease Control and Prevention. In addition, agriculture, as the largest industry and employer in the United States, generates more than $1 trillion in economic activity annually, or about 13 percent of the gross domestic product. The value of U.S. agricultural exports exceeded $68 billion in fiscal year 2006. An introduction of a highly infectious foreign animal disease, such as avian influenza or foot-and-mouth disease, would cause severe economic disruption, including substantial losses from halted exports. Similarly, food contamination, such as the recent E. coli outbreaks, can have a detrimental impact on local economies. For example, industry representatives estimate losses from the recent California spinach E. coli outbreak to range from $37 million to $74 million. A challenge for the 21st century is how several federal agencies can integrate the myriad food safety programs and strategically manage their portfolios to promote the safety and integrity of the nation's food supply.[Footnote 21] In numerous previous reports, we have described the fragmented federal food safety system in which 15 agencies collectively administer at least 30 laws related to food safety. The two primary agencies are the U.S. Department of Agriculture (USDA), which is responsible for the safety of meat, poultry, and processed egg products and the Food and Drug Administration (FDA), which is responsible for virtually all other foods. Among other agencies with responsibilities related to food safety, the National Marine Fisheries Service in the Department of Commerce conducts voluntary, fee-for-service inspections of seafood safety and quality; the Environmental Protection Agency (EPA) regulates the use of pesticides and maximum allowable residue levels on food commodities and animal feed; and the Department of Homeland Security (DHS) is responsible for coordinating agencies' food security activities. The food safety system is further complicated by the subtle differences in food products that dictate which agency regulates a product as well as the frequency with which inspections occur. For example, how a packaged ham-and-cheese sandwich is regulated depends on how the sandwich is presented. USDA inspects manufacturers of packaged open- face meat or poultry sandwiches (e.g., those with one slice of bread), but FDA inspects manufacturers of packaged closed-face meat or poultry sandwiches (e.g., those with two slices of bread). Although there are no differences in the risks posed by these products, USDA inspects wholesale manufacturers of open-face sandwiches sold in interstate commerce daily, while FDA inspects closed-face sandwiches an average of once every 5 years. This federal regulatory system for food safety evolved piecemeal, typically in response to particular health threats or economic crises. During the past 30 years, we have detailed problems with the fragmented federal food safety system and reported that the system has caused inconsistent oversight, ineffective coordination, and inefficient use of resources. Our most recent work demonstrates that these challenges persist. Specifically: * Existing statutes give agencies different regulatory and enforcement authorities. For example, food products under FDA's jurisdiction may be marketed without the agency's prior approval. On the other hand, food products under USDA's jurisdiction must generally be inspected and approved as meeting federal standards before being sold to the public. Under current law, USDA inspectors maintain continuous inspection at slaughter facilities and examine each slaughtered meat and poultry carcass. They also visit each processing facility at least once during each operating day. For foods under FDA's jurisdiction, however, federal law does not mandate the frequency of inspections.[Footnote 22] * We reported that federal agencies are spending resources on overlapping food safety activities.[Footnote 23] USDA and FDA both inspect shipments of imported food at 18 U.S. ports-of-entry. However, these two agencies do not share inspection resources at these ports. For example, USDA officials told us that all USDA-import inspectors are assigned to and located at USDA-approved import inspection facilities and some of these facilities handle and store FDA-regulated products. USDA has no jurisdiction over these FDA-regulated products. Although USDA maintains a daily presence at these facilities, the FDA-regulated products may remain at the facilities for some time awaiting FDA inspection. In fiscal year 2003, USDA spent almost $16 million on imported food inspections, and FDA spent more than $115 million. * Food recalls are voluntary and federal agencies responsible for food safety have no authority to compel companies to carry out recalls--with the exception of FDA's authority to require a recall for infant formula. USDA and FDA provide guidance to companies for carrying out voluntary recalls. We reported that USDA and FDA can do a better job in carrying out their food recall programs so they can quickly remove potentially unsafe food from the marketplace.[Footnote 24] These agencies do not know how promptly and completely companies are carrying out recalls, do not promptly verify that recalls have reached all segments of the distribution chain, and use procedures to alert consumers to a recall that may not be effective. * The terrorist attacks of September 11, 2001, have heightened concerns about agriculture's vulnerability to terrorism. The Homeland Security Act of 2002 assigned DHS the lead coordination responsibility for protecting the nation against terrorist attacks, including agroterrorism. Subsequent presidential directives further define agencies' specific roles in protecting agriculture and the food system against terrorist attacks. We reported that in carrying out these new responsibilities, agencies have taken steps to better manage the risks of agroterrorism, including developing national plans and adopting standard protocols.[Footnote 25] However, we also found several management problems that can reduce the effectiveness of the agencies' routine efforts to protect against agroterrorism. For example, there are weaknesses in the flow of critical information among key stakeholders and shortcomings in DHS's coordination of federal working groups and research efforts. * In response to the nation's pressing fiscal challenges, agencies may have to explore new approaches to achieve their missions. FDA is responsible for ensuring the safety of seafood. More than 80 percent of the seafood that Americans consume is imported. We reported in 2001 that FDA's seafood inspection program did not sufficiently protect consumers.[Footnote 26] For example, FDA tested about 1 percent of imported seafood products. We subsequently found that FDA's program has shown some improvement. More foreign firms are inspected, and inspections show that more U.S. seafood importers are complying with its requirements.[Footnote 27] Given FDA officials' concerns about limited inspection resources, we also identified options, such as using personnel in the National Oceanic and Atmospheric Administration's Seafood Inspection Program to augment FDA's inspection capacity or state regulatory laboratories for analyzing imported seafood. FDA agreed with these options. * We reported that in fiscal year 2003, four agencies--USDA, FDA, EPA, and the National Marine Fisheries Service--spent $1.7 billion on food safety-related activities.[Footnote 28] USDA and FDA together were responsible for nearly 90 percent of federal expenditures for food safety. However, these expenditures were not based on the volume of foods regulated by the agencies or consumed by the public. The majority of federal expenditures for food safety inspection were directed toward USDA's programs for ensuring the safety of meat, poultry, and egg products; however, USDA is responsible for regulating about 20 percent of the food supply. In contrast, FDA, which is responsible for regulating about 80 percent of the food supply, accounted for only about 24 percent of expenditures. Others have called for fundamental changes to the federal food safety system overall. In 1998, the National Academy of Sciences concluded that the system is not well equipped to meet emerging challenges.[Footnote 29] In response to the academy's report, the President established a Council on Food Safety which released a Food Safety Strategic Plan in January 2001. The plan recognized the need for a comprehensive food safety statute and concluded "the current organizational structure makes it more difficult to achieve future improvements in efficiency, efficacy, and allocation of resources based on risk." While many of the recommendations we made have been acted upon, a fundamental re-examination of the federal food safety system is warranted. Taken as a whole, our work indicates that Congress and the executive branch can and should create the environment needed to look across the activities of individual programs within specific agencies and toward the goals that the federal government is trying to achieve. To that end, we have recommended, among other things, that Congress enact comprehensive, uniform, and risk-based food safety legislation and commission the National Academy of Sciences or a blue ribbon panel to conduct a detailed analysis of alternative organizational food safety structures.[Footnote 30] We have also recommended that the executive branch reconvene the President's Council on Food Safety to facilitate interagency coordination on food safety regulation and programs. These actions can begin to address the fragmentation in the federal oversight of food safety. Going forward, to build a sustained focus on the safety and the integrity of the nation's food supply, Congress and the executive branch can integrate various expectations for food safety with congressional oversight and through agencies' strategic planning processes. The development of a governmentwide performance plan that is mission-based, has a results-orientation, and provides a cross-agency perspective offers a framework to help ensure agencies' goals are complementary and mutually reinforcing. Further, with pressing fiscal challenges, this plan can assist decision makers in balancing trade- offs and comparing performance when resource allocation and restructuring decisions are made. [End of section] Progress Being Made in Other High-Risk Areas: For other areas that remain on our 2007 high-risk list, there has been important but varying levels of progress, although not yet enough progress to remove these areas from the list. Top administration officials have expressed their commitment to ensuring that high-risk areas receive adequate attention and oversight. The Office of Management and Budget (OMB) has led an initiative to prompt agencies to develop detailed action plans for each area on our high-risk list. These plans are to identify specific goals and milestones that address and reduce the risks identified by us within each high-risk area. Further, OMB has encouraged agencies to consult with us regarding the problems our past work has identified, and the many recommendations for corrective actions we have made. While progress on developing and implementing plans has been mixed, such a concerted effort by agencies and ongoing attention by OMB are critical; our experience over the past 17 years has shown that perseverance is required to fully resolve high- risk areas. Congress, too, will continue to play an important role through its oversight and, where appropriate, through legislative action targeting both specific problems and the high-risk areas overall. Examples of progress in other programs or operations that were previously designated as high risk are discussed below and in the highlights pages that follow this section. * The Department of Health and Human Services and its Centers for Medicare & Medicaid Services (CMS) have made some progress to improve the fiscal integrity and oversight of the Medicaid program, which was designated high risk in 2003. For example, CMS has taken steps to improve its oversight of certain Medicaid financial management activities, including efforts to oversee states' financing methods. It also issued a comprehensive 5-year plan in July 2006 that outlined initial activities planned for implementing the Medicaid Integrity Program required by the Deficit Reduction Act of 2005. However, several oversight weaknesses previously identified by us have not yet been addressed. For example, CMS has not incorporated the use of key Medicaid data systems into its oversight of states' Medicaid claims, or clarified and communicated its policies in several high-risk areas, such as supplemental payment arrangements and administrative costs. The results of CMS's actions will need to be assessed to determine their effectiveness in improving the program's fiscal integrity, and more action is needed before the program's high-risk designation can be removed. * Regarding the Medicare program, the Centers for Medicare & Medicaid Services (CMS) has made some progress in the last 2 years in reforming and refining payment methods, enhancing program integrity, improving program management, and overseeing patient safety and care. For example, CMS is improving how it sets or updates rates for hospital services, durable medical equipment, and certain drugs and devices supplied in medical facilities. Medicare's most recent estimate of its national rate of improper payments was 4.4 percent--the lowest since measurement began in 1996. Nevertheless, Medicare's size, complexity, and vulnerability to mismanagement and improper payments suggest that its high-risk designation cannot be removed. For example, GAO found weaknesses in CMS's information security controls that could make sensitive, personally identifiable medical information vulnerable to unauthorized access. Similarly, call centers sponsored by the agency or private drug plans fell short in providing accurate and complete information to callers inquiring about the new prescription drug benefit. * The administration and real property-holding agencies have made progress toward strategically managing federal real property. In response to both an executive order aimed at improving real property management and the President's Management Agenda initiative on real property, agencies have, among other things, established asset management plans, standardized data reporting, and adopted performance measures. Also, the administration has created a Federal Real Property Council and plans to work with Congress to provide agencies with tools to better manage real property. These actions have addressed our prior concern that a strategic governmentwide focus on solving the problems was lacking, but the underlying conditions that led to the high-risk designation continue to exist. * Since the 2005 high-risk update, the Department of Homeland Security (DHS) has made progress in addressing major transformation, management, and program challenges, which prior GAO work has identified as key to successfully transforming 22 agencies into one department and effectively carrying out its homeland security and other missions. DHS has produced a strategic plan that contains most elements required by the Government Performance and Results Act and the under secretary of management is working to integrate some management functions. However, DHS has not linked its goals to resource requirements in its strategic plan and has not involved all stakeholders in its strategic planning process. Moreover, DHS lacks not only a comprehensive strategy with overall goals and a timeline but also a dedicated management integration team to support its management integration efforts. DHS and its components are developing corrective action plans to address material weaknesses identified by the financial statement auditor, but recent audits found its financial systems do not conform to federal requirements, and financial statements contain numerous material weaknesses. DHS is working to develop a departmentwide framework for managing information but has not implemented an effective process for informed decision making by senior leadership about competing technology investment options or a comprehensive information security program to protect its information and systems. DHS has taken some actions to integrate the legacy agency workforces that make up its components and has made progress in establishing human capital capabilities for the US-VISIT program, but DHS has not linked its new human capital system to its strategic plan. DHS has made progress in enhancing communication among its acquisition organizations through its strategic sourcing and small business programs, but some components remain exempted from the unified acquisition organization, and the chief procurement officer has insufficient staff for departmentwide oversight. In addition, DHS has continued to form necessary partnerships and has undertaken a number of efforts with private entities, but key partnering challenges continue as DHS seeks to leverage resources and more effectively carry out its homeland security responsibilities. In their program activities, DHS and the Transportation Security Administration (TSA) have taken numerous actions to strengthen commercial aviation security, and the Coast Guard has moved to control costs by offering incentives to contractors that attempt to foster competition for subcontracts. However, TSA faces the difficult task of assessing and allocating resources across all transportation modes based on risk, while adapting to changing threats within the commercial aviation industry. DHS agencies have made progress in activities to refine the screening of foreign visitors to the United States, target potentially dangerous cargo, and provide the personnel necessary to effectively fulfill border security and trade agency missions. However, trade and visitor screening systems have weaknesses that must be overcome to better ensure border and trade security. DHS has also enhanced the efficiency of certain immigration services, reducing the size of the backlog of immigration-benefit applications. However, DHS has not adopted a comprehensive risk management approach when it comes to the detection and investigation of immigration fraud. Finally, DHS has made revisions to the National Response Plan to clarify federal roles and responsibilities. In response to concerns raised by us and others, Congress clarified the roles and responsibilities of the Federal Emergency Management Agency (FEMA) in the DHS fiscal year 2007 appropriations act and designated the FEMA Administrator as the "Principal Advisor" to the President on emergency management. However, DHS has yet to develop necessary disaster capabilities and to create accountability systems that effectively balance the need for fast and flexible response against the need to prevent waste, fraud, and abuse. * During the past 2 years, the Internal Revenue Service (IRS) has made progress in its enforcement efforts. Notably, enforcement revenue rose from $43.1 billion in fiscal year 2004 to $48.7 billion in fiscal year 2006. Based on preliminary data, IRS increased the overall percentage of tax returns examined between fiscal year 2004 and fiscal year 2006 by about 30 percent. IRS completed research in 2005 on individual taxpayers' compliance and is currently using the results to better target operational audits. IRS also set a long-term goal to increase the compliance rate. Despite these promising developments, challenges remain. IRS's most recent estimate of the gross tax gap (the difference between the taxes that should have been paid voluntarily and on time and what was actually paid) was $345 billion for tax year 2001. Although IRS estimates that it would eventually collect $55 billion of this amount, a net tax gap of $290 billion would remain. Given the magnitude of the tax gap, even a relatively small percentage reduction in the gap would yield billions of dollars in additional revenue for the government. IRS needs periodic, if not annual, measurements of compliance to gauge the extent to which compliance is changing and to effectively target its service and enforcement efforts. Further, IRS lacks a data-based plan to improve compliance and reach its long-term goal. Real progress in reducing the tax gap will require efforts beyond enforcement. IRS will need to develop and execute multiple strategies over a sustained period including working with Treasury to develop new and innovative solutions to improve compliance. Statutory changes will be needed as well to meaningfully reduce the gap and we have presented options, such as additional withholding for selected parties and additional information reporting on the cost basis for securities sales, for Congress to consider. * We first added the Pension Benefit Guaranty Corporation's (PBGC) single-employer pension insurance program as a high-risk area in July 2003 because the program's financial health was threatened by structural weaknesses in pension funding rules, the program's premium structure, and the potential for large bankruptcies among sponsors with underfunded plans in weak industries. Since then, Congress passed major pension reform legislation that was signed into law. The reforms include revisions to the defined benefit pension funding rules, changes to the PBGC program's insurance premium structure, and other changes aimed at limiting the risk that underfunded plans might pose to PBGC. While some of these reforms represent progress, their ultimate impact on the single-employer program's deficit is unclear. Many of these reforms will be phased in gradually, postponing their potentially positive effect on plan funding, while other changes could have the effect of increasing PBGC's financial exposure. * The Federal Aviation Administration (FAA) has made significant progress in addressing air traffic control modernization program weaknesses since it was designated as high risk in 1995. For example, FAA has established a framework for improving its system management capabilities and addressed weakness on selected air traffic control systems; implemented key components of a cost accounting system and established a cost estimating methodology; and made progress in establishing an organizational culture that supports sound acquisitions. FAA has also developed an action plan with the Office of Management and Budget to continue to address these issues. Additionally, FAA has reported that it has exceeded its targets for delivering selected system acquisitions on cost and schedule for the past 3 years. However, FAA-improved system management capabilities have yet to be institutionalized, the cost estimating methodology has not yet been fully implemented, and major systems will be coming on line in the next few years. Moreover, FAA still faces many human capital challenges, including obtaining the technical and contract management expertise needed to define, implement, and integrate numerous complex programs and systems. With FAA expecting to spend about $9.4 billion between now and the end of fiscal year 2011 to upgrade and replace air traffic control systems, these actions are as critical as ever. * Since 2005, DOD has taken some positive steps toward addressing challenges related to the supply chain management high-risk area. For example, in collaboration with OMB, DOD developed a plan to address some of the systemic weaknesses in supply chain management. The plan encompasses 10 initiatives, such as war reserve materiel improvements and the expanded use of radio frequency identification, aimed at the three focus areas we have identified from our prior work: requirements forecasting, asset visibility, and materiel distribution. This plan provides a framework for addressing systemic weaknesses and focusing long-term efforts to improve supply support to the warfighter. DOD has made some progress implementing these initiatives, and DOD leadership has demonstrated a commitment to resolving supply chain management problems. However, successful resolution of these long-standing problems will take several years of continued efforts, and the department faces challenges and risks in successful implementation of proposed changes. For example, DOD's plan generally lacks outcome- focused performance metrics for many of its initiatives, making it difficult to track and demonstrate progress in improving the three focus areas. Further, DOD's ability to make coordinated, systemic improvements that cut across the multiple organizations involved in the materiel distribution system has been hindered by problems defining who has accountability and authority for making such improvements. [This page is intentionally left blank.] [End of section] Highlights for Each High-Risk Area: Overall, the government continues to take high-risk problems seriously and is making long-needed progress toward correcting them. Congress has also acted to address several individual high-risk areas through hearings and legislation. Continued perseverance in addressing high- risk areas will ultimately yield significant benefits. Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the American public, strengthen public confidence and trust in the performance and accountability of our national government, and ensure the ability of government to deliver on its promises. We have prepared highlights of each of the 27 high-risk areas on our updated list, showing (1) why the area is high risk, (2) the actions that have been taken and that are under way to address the problem since our last update report as well as the issues that are yet to be resolved, and (3) what remains to be done to address the risk. These highlights are presented on the following pages. Highlights: High-Risk Series: Strategic Human Capital Management: GAO Highlights: For additional information about this high-risk area, contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov. Why Area Is High Risk: GAO first added strategic human capital management as a governmentwide high-risk area in 2001 because federal agencies lacked a strategic approach to human capital management that integrates human capital efforts with agency mission and program goals. The area remains high risk because the federal government now faces one of the most significant transformations to the civil service in half a century, as momentum grows toward making governmentwide changes to agency pay, classification, and performance management systems. What GAO Found: Progress in addressing federal human capital challenges has been made since 2001, but significant opportunities remain to improve strategic human capital management to respond to current and emerging 21st century challenges. For example, the federal government has not transformed, in many cases, how it classifies, compensates, develops, and motivates its employees to achieve maximum results within available resources and existing authorities. A key challenge is determining how to update the government’s classification and compensation systems to be more market based and performance oriented. Although this shift must be part of a broader strategy of change management and performance improvement initiatives, progress was made when Congress and the administration modernized the senior executive performance-based pay system by requiring a clearer link between individual and organizational performance and pay. This shift to a performance-based pay system can help transform the culture of federal agencies, and the lessons learned from implementing this reform effort will be critical to modernizing the performance management and pay systems under which other federal employees will be compensated. Progress was also made when Congress recognized that agencies needed more effective human capital systems to succeed in their transformations. Congress gave the Departments of Homeland Security and Defense statutory authorities intended to help them manage their people more strategically. In this environment, however, where nearly 900,000 employees will work under systems now exempt from the rules of Title 5, the federal government is rapidly approaching the point where “standard governmentwide” human capital policies and process are neither standard nor governmentwide. Before implementing any future human capital reforms, agencies should demonstrate they have met certain conditions, including that they have developed an institutional infrastructure that can support reform. This infrastructure should include, among other things, (1) a modern, credible performance management system that provides clear linkage between institutional, unit, and individual performance-oriented outcomes; and (2) adequate safeguards to ensure the fair, effective, credible, and nondiscriminatory implementation of the system. As the government’s human capital leader, OPM has a key role in helping agencies build the needed infrastructure and is likely to certify agency readiness to implement reforms. OPM is taking steps to help agencies prepare for reform. For example, OPM’s Human Capital Assessment and Accountability Framework is designed to help agencies implement effective human capital management systems and improve their human capital management practices. Given OPM’s responsibility, it must ensure it has the capacity to assist agencies and to lead these important human capital transformations. This includes developing an internal workforce capacity with adequate skills and competencies, effective partnerships with the Chief Human Capital Officers Council, and an evaluation strategy to monitor progress. What Remains to Be Done: Moving forward, there is still a need for a governmentwide framework to advance human capital reform in order to avoid further fragmentation within the civil service, ensure management flexibility as appropriate, allow a reasonable degree of consistency, provide adequate safeguards, and maintain a level playing field among federal agencies competing for talent. Agencies must continue to assess their workforce needs and make use of available authorities. Congress should make pay and performance management reform the first step in any governmentwide reform effort, and the Office of Personnel Management (OPM) should evaluate and learn from its approach to implementing the performance-based pay system for senior executives and apply these lessons to future human capital reforms. Related GAO Products: Strategic Human Capital Management: Office of Personnel Management: Key Lessons Learned to Date for Strengthening Capacity to Lead and Implement Human Capital Reforms. GAO- 07-90. Washington, D.C.: January 19, 2007. Human Capital: Aligning Senior Executives' Performance with Organizational Results Is an Important Step Toward Governmentwide Transformation. GAO-06-1125T. Washington, D.C.: September 26, 2006. Office of Personnel Management: OPM Is Taking Steps to Strengthen Its Internal Capacity for Leading Human Capital Reform. GAO-06-861T. Washington, D.C.: June 27, 2006. Human Capital: Trends in Executive and Judicial Pay. GAO-06-708. Washington, D.C.: June 21, 2006. Human Capital: Agencies Are Using Buyouts and Early Outs with Increasing Frequency to Help Reshape Their Workforces. GAO-06-324. Washington, D.C.: March 31, 2006. Human Capital: Observations on Final Regulations for DOD's National Security Personnel System. GAO-06-227T. Washington, D.C.: November 17, 2005. Human Capital: Designing and Managing Market-Based and More Performance- Oriented Pay Systems. GAO-05-1048T. Washington, D.C.: September 27, 2005. Human Capital: DOD's National Security Personnel System Faces Implementation Challenges. GAO-05-730. Washington, D.C.: July 14, 2005. Human Capital: Agencies Need Leadership and the Supporting Infrastructure to Take Advantage of New Flexibilities. GAO-05-616T. Washington, D.C.: April 21, 2005. Human Capital: Observations on Final DHS Human Capital Regulations. GAO- 05-391T. Washington, D.C.: March 2, 2005. Also see [Hyperlink, http://www.gao.gov] for numerous speeches and presentations from the Comptroller General on human capital challenges in general and as they apply to specific agencies. [End of section] Highlights of High-Risk Series: Managing Federal Real Property: GAO Highlights: For additional information about this high-risk area, contact Mark Goldstein at (202) 512-2834 or goldsteinm@gao.gov. Why Area Is High Risk: In January 2003, GAO designated federal real property as a high-risk area because of long-standing problems with excess and underutilized property, deteriorating facilities, unreliable real property data, and reliance on costly leasing. Federal agencies were also facing many challenges in protecting their facilities against the threat of terrorism. Progress has been made, but the problems that led to the designation of federal real property as a high-risk area still exist. In addition, deep-rooted obstacles, including competing stakeholder interests and legal and budgetary limitations, could significantly hamper a governmentwide transformation. As a result, this area remains high risk. What GAO Found: The administration and real property-holding agencies have made progress toward strategically managing federal real property. In response to the President’s Management Agenda initiative and Executive Order 13327, issued in February 2004, agencies have, among other things, established asset management plans, standardized data reporting, and adopted performance measures. Also, the administration has created a Federal Real Property Council and plans to work with Congress to provide agencies with tools to better manage real property. These are positive steps, but the underlying conditions still exist. For example, the Departments of Energy (Energy) and Homeland Security (DHS) and the National Aeronautics and Space Administration (NASA) reported that over 10 percent of their facilities are excess or underutilized. In addition, Energy, NASA, the General Services Administration (GSA), and the Departments of the Interior (Interior), State (State), and Veterans Affairs (VA) reported repair and maintenance backlogs for buildings and structures that total over $16 billion. Also, Energy, Interior, GSA, State, and VA reported an increased reliance on leasing to meet space needs. While agencies have made progress in collecting real property data, data reliability is still a challenge at DOD and other agencies. Finally, agencies reported using risk-based approaches to prioritize security needs, which GAO has recommended, but cited obstacles such as a lack of resources for security enhancements. In past high-risk updates, GAO called for a transformation strategy to address the long-standing problems in this area. While the administration’s approach is generally consistent with what GAO envisioned, certain areas warrant further attention. Specifically, problems are exacerbated by deep-rooted obstacles that include competing stakeholder interests, legal and budgetary limitations, and the need for improved capital planning. For example, agencies cite local interests as barriers to disposing of excess property and agencies’ limited ability to pursue ownership leads them to lease property that would be more cost-effective to own over time. Figure: Examples of Excess Federal Facilities: [See PDF for Image] Source: VA and USPS. From left to right: former Main VA Hospital Building, Milwaukee; former Main Post Office, Chicago. [End of Figure] What Remains to be Done: After fully implementing the executive order on real property reform and related President’s Management Agenda initiatives, agencies will need to show significant progress toward eliminating the problems that led to this area’s designation as high risk, such as reducing inventories of facilities to a minimum and making headway in addressing the repair backlog. In addition, the Office of Management and Budget (OMB) and agencies, through the Federal Real Property Council, will need to focus on developing strategies to address deep-rooted obstacles to a successful transformation, such as competing stakeholder interests. Related Products: Managing Federal Real Property: DOD's Overseas Infrastructure Master Plans Continue to Evolve. GAO-06- 913R. Washington, D.C.: August 22, 2006. Embassy Construction: State Has Made Progress Constructing New Embassies, but Better Planning Is Needed for Operations and Maintenance Requirements. GAO-06-641. Washington, D.C.: June 30, 2006. Federal Real Property: Most Public Benefit Conveyances Used as Intended, but Opportunities Exist to Enhance Federal Oversight. GAO-06- 511. Washington, D.C.: June 21, 2006. Federal Courthouses: Rent Increases Due to New Space and Growing Energy and Security Costs Require Better Tracking and Management. GAO-06-613. Washington, D.C.: June 20, 2006. Homeland Security: Guidance and Standards Are Needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts. GAO-06-612. Washington, D.C.: May 31, 2006. Federal Real Property: Excess and Underutilized Property Is an Ongoing Problem. GAO-06-248T. Washington, D.C.: February 6, 2006. Federal Real Property: Reliance on Costly Leasing to Meet New Space Needs Is an Ongoing Problem. GAO-06-136T. Washington, D.C.: October 6, 2005. VA Health Care: Key Challenges to Aligning Capital Assets and Enhancing Veterans' Care. GAO-05-429. Washington, D.C.: August 5, 2005. Military Bases: Analysis of DOD's 2005 Selection Process and Recommendations for Base Closures and Realignments. GAO-05-785. Washington, D.C.: July 1, 2005. Federal Real Property: Further Actions Needed to Address Long-standing and Complex Problems. GAO-05-848T. Washington, D.C.: June 22, 2005. Smithsonian Institution: Facilities Management Reorganization Is Progressing, but Funding Remains a Challenge. GAO-05-369. Washington, D.C.: April 25, 2005. U.S. Postal Service: The Service's Strategy for Realigning Its Mail Processing Infrastructure Lacks Clarity, Criteria, and Accountability. GAO-05-261. Washington, D.C.: April 8, 2005. [End of Section] Highlights of High-Risk Series: Protecting the Federal Government's Information Systems and the Nation's Critical Infrastructures: GAO Highlights: For additional information about this high-risk area, contact David Powner at (202) 512-9286 or pownerd@gao.gov, or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Why Area is High Risk: Federal agencies and our nation’s critical infrastructures—such as power distribution, water supply, telecommunications, national defense, and emergency services— rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to preventing disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. Protecting federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection, or cyber CIP—is a continuing concern. Federal information security has been on GAO’s list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP. The continued risks to information systems include escalating and emerging threats such as phishing, spyware, and spam; the ease of obtaining and using hacking tools; the steady advance in the sophistication of attack technology; and the emergence of new and more destructive attacks. What GAO Found: With the enactment of the Federal Information Security Management Act of 2002 (FISMA), Congress continued its work to improve federal information security by permanently authorizing and strengthening key information security requirements. The administration has also made progress in a number of efforts, including issuing guidance to federal agencies on appropriate measures to protect sensitive information. In addition, the governmentwide percentage of information systems reported as completing formal technical evaluation and receiving management authorization to operate increased from 62 percent to 85 percent between 2003 and 2005. However, significant information security weaknesses at federal agencies continue to place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. Although recent reporting by these agencies showed some improvements, GAO found that many still have not complied consistently with FISMA’s overall requirement to develop, document, and implement agencywide information security programs. For example, agencies are not consistently: * developing and maintaining current security plans, * creating and testing contingency plans, and: * evaluating and monitoring the effectiveness of security controls managed by contractors. Without consistent implementation of information security management programs, weaknesses in information security controls will persist. As the focal point for federal efforts to protect the nation’s critical infrastructures, the Department of Homeland Security (DHS) and its National Cyber Security Division have key cybersecurity responsibilities. These include developing a national plan for critical infrastructure protection, including cybersecurity; planning for and coordinating cyber incident response and recovery; and identifying and assessing cyber threats and vulnerabilities. DHS has taken steps to fulfill its responsibilities, including establishing the U.S. Computer Emergency Readiness Team, developing high-level plans for infrastructure protection and incident response, establishing public/private working groups to facilitate coordination among government and industry, and organizing exercises in which government and private industry can practice responding to cyber events. However, DHS has not yet completely fulfilled any of its key responsibilities. For example, DHS has not yet developed national cyber threat and vulnerability assessments or public/private recovery plans for cybersecurity. Progress has been impeded by several challenges, including the reluctance of many in the private sector to share information with DHS, and a lack of departmental organizational stability and leadership needed to gain the trust of other stakeholders in the cybersecurity world. Until DHS fulfills its cybersecurity responsibilities, our nation’s critical infrastructures will remain at risk. What Remains to Be Done: Additional federal efforts are needed to establish effective information security programs that are consistent with FISMA, including testing and evaluating the effectiveness of controls and resolving known weaknesses. Federal cyber CIP actions should include implementing plans to fulfill key cybersecurity responsibilities, such as improving analysis and warning capabilities and developing a public/private Internet recovery plan. Related Products: Protecting the Federal Government's Information Systems and the nation's Critical Infrastructures: Information Security: Federal Reserve Needs to Address Treasury Auction Systems. GAO-06-659. Washington, D.C.: August 30, 2006. Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs. GAO-06-897T. Washington, D.C.: June 20, 2006. DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan, GAO-06-672. Washington, D.C.: June 16, 2006. Information Security: Continued Progress Needed to Strengthen Controls at the Internal Revenue Service. GAO-06-328. Washington, D.C.: March 23, 2006. Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information. GAO-06-385. Washington, D.C.: March 17, 2006. Information Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements. GAO-06-527T. Washington, D.C.: March 16, 2006. Information Security: Department of Health and Human Services Needs to Fully Implement Its Program. GAO-06-267. Washington, D.C.: February 24, 2006. Information Security: Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Control Systems. GAO-05-712. Washington, D.C.: August 26, 2005. Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05- 434. Washington, D.C.: May 26, 2005. Information Security: Federal Agencies Need to Improve Controls over Wireless Networks. GAO-05-383. Washington, D.C.: May 17, 2005. Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems. GAO-05-231. Washington, D.C.: May 13, 2005. Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk. GAO-05-362. Washington, D.C.: April 22, 2005. [End of Section] Highlights: High-Risk Series: Implementing and Transforming the Department of Homeland Security: GAO Highlights: For additional information about this high-risk area, contact Norm Rabkin at (202) 512-8777 or rabkinn@gao.gov. Why Area Is High Risk: GAO designated implementing and transforming the Department of Homeland Security (DHS) as high risk in 2003 because DHS had to transform 22 agencies—several with major management challenges—into one department, and failure to effectively address its management challenges and program risks could have serious consequences for our national security. The areas GAO identified as at risk include planning and priority setting; accountability and oversight; and a broad array of management, programmatic, and partnering challenges. What GAO Found: Although DHS has made progress transforming its 22 agencies into a fully functioning department, this transformation remains high risk. DHS has yet to implement a corrective action plan that includes a comprehensive transformation strategy and its management systems—especially related to financial, information, acquisition, and human capital management—are not yet integrated and wholly operational. DHS also faces challenges to effectively carry out its program activities and enhance partnerships with private and public sector entities to leverage resources. The array of management and programmatic challenges continues to limit DHS’s ability to carry out its roles under the National Homeland Security Strategy in an effective risk-based way. A DHS-wide transformation strategy should include a strategic plan that identifies specific budgetary, human capital, and other resources needed to achieve stated goals. The strategy also should involve key stakeholders to ensure resource investments target the highest priorities. GAO’s work has shown that several DHS programs have not developed outcome-based measures to assess performance. Further, DHS is limited in its ability to use risk management to guide resource use, as DHS has not performed comprehensive risk assessments in transportation, trade, critical infrastructure, or immigration and customs systems. Serious transformation challenges remain in DHS management systems. For example, DHS lacks a comprehensive management strategy with overall goals, timelines, and a team dedicated to support its integration efforts. Also, the latest independent audit of DHS’s financial statements revealed 10 material weaknesses and confirmed that DHS’s financial management systems still do not conform to federal requirements. Further, DHS has not institutionalized a strategic framework for information management to, among other things, guide technology investments; and DHS human capital and acquisition systems will require continued attention to help prevent waste and ensure that DHS can allocate its resources efficiently and effectively. Since GAO’s January 2005 high-risk update, DHS has taken actions to improve program activities in areas such as cargo, transportation, and border security; Coast Guard management; disaster preparedness; and immigration services. However, DHS continues to face programmatic and partnering challenges. To help ensure its missions are achieved, DHS must overcome continued challenges related to cargo, transportation, and border security; systematic visitor tracking; outdated Coast Guard asset capabilities; and balancing homeland security with other missions, such as disaster preparedness. DHS and the Federal Emergency Management Agency have made progress in forming partnerships to better prepare for and execute disaster response, but they need to continue to develop (1) clearly defined leadership roles and responsibilities, (2) necessary disaster response capabilities, and (3) accountability systems to provide effective services while protecting against waste, fraud, and abuse. What Remains to Be Done: GAO’s prior work on mergers and acquisitions, undertaken before the creation of DHS, concluded that successful transformations of large organizations, even those faced with less strenuous reorganizations than DHS, can take years to achieve. For DHS to successfully transform into a more effective organization, it needs to (1) develop a departmentwide transformation strategy that adopts risk management and strategic management principles and establishes key milestones and performance measures to focus its limited resources; (2) improve management systems, including financial systems, information management, human capital, and acquisitions; and (3) continue to identify and implement corrective actions to address programmatic and partnering challenges. GAO Products: Aviation Security: TSA Oversight of Checked Baggage Screening Procedures Could Be Strengthened. GAO-06-869. Washington, D.C.: July 28, 2006. Homeland Security: Challenges in Creating an Effective Acquisition Organization. GAO-06-1012T. Washington, D.C.: July 27, 2006. Homeland Security: Progress Continues, but Challenges Remain on Department's Management of Information Technology. GAO-06-598T. Washington, D.C.: March 29, 2006. Financial Management Systems: DHS Has an Opportunity to Incorporate Best Practices in Modernization Efforts. GAO-06-553T. Washington, D.C.: March 29, 2006. Emergency Preparedness and Response: Some Issues and Challenges Associated with Major Emergency Incidents. GAO-06-467T. Washington, D.C.: February 23, 2006. Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure. GAO-06-91. Washington, D.C.: December 15, 2005. Department of Homeland Security: Strategic Management of Training Important for Successful Transformation. GAO-05-888. Washington, D.C.: September 23, 2005. Results-Oriented Government: Improvements to DHS's Planning Process Would Enhance Usefulness and Accountability. GAO-05-300. Washington, D.C.: March 31, 2005. Department of Homeland Security: A Comprehensive and Sustained Approach Needed to Achieve Management Integration. GAO-05-139. Washington, D.C.: March 16, 2005. DHS Products: Major Management Challenges Facing the Department of Homeland Security. DHS Office of the Inspector General. OIG-07-12. Washington, D.C.: December 2006. [End of section] Highlights: High-Risk Series: Establishing Appropriate and Effective Information-Sharing Mechanisms to Improve Homeland Security: GAO Highlights: For additional information about this high-risk area, contact Eileen Larence, at (202) 512-6510, larencee@gao.gov, or Dave Powner, (202) 512- 9286 or pownerd@gao.gov. Why Area Is High Risk: In January 2005, we designated information sharing for homeland security a high-risk area because the federal government still faces formidable challenges in analyzing and disseminating key information among federal, state, local, and private partners in a timely, accurate, and useful manner. Since 9/11, multiple federal agencies have been assigned key roles for improving the sharing of information critical to homeland protection to address a major vulnerability exposed by the attacks, and this important function has received increasing attention. However, the underlying conditions that led to the designation continue and more needs to be done to address these problems and the obstacles that hinder information sharing. As a result, this area remains high risk. What GAO Found: More than 5 years after 9/11, the federal government still lacks an implemented set of policies and processes for sharing terrorism information, but has issued a government-wide strategy on how it will put in place the overall framework, policies, and architecture for sharing with critical partners—actions that we and others have recommended. Agencies also have taken a number of independent steps to better share information, but they must be successfully integrated into this framework. Progress at the federal level to improve sharing includes creation of the National Counterterrorism Center to operate as a partnership of intelligence agencies so they can analyze and disseminate national intelligence data; creation of a national database of known and suspected terrorists for screening persons coming into and exiting the country; and formation of a working group to resolve agencies’ myriad requirements for restricting access to sensitive information. However, as we reported in March 2006, the federal government still has not implemented the governmentwide policies and processes that the 9/11 Commission recommended and that Congress mandated. For example, the Intelligence Reform and Terrorism Prevention Act of 2004 required that action be taken to facilitate the sharing of terrorism information by establishing an “information sharing environment (ISE),” yet this environment remains in the planning stage. A final plan for the environment, which was released on November 16, 2006, defines key tasks and milestones for developing the information sharing environment, including identifying barriers and ways to resolve them, as GAO recommended. Completing the information sharing environment is a complex task that will take multiple years and long-term administration and congressional support and oversight, and will pose cultural, operational, and technical challenges that will require a collaborated response. Federal agencies are also focusing on better sharing with states, localities, and the private sector—a critical step since they are our first line of defense against terrorists—but these efforts are not without challenges. The Federal Bureau of Investigation (FBI) has expanded its Joint Terrorism Task Forces that bring together personnel from all levels of government. The Department of Homeland Security (DHS) implemented an information network to share homeland security information. States and localities are creating their own information “fusion” centers, some with FBI and DHS support. And DHS has implemented a program to protect sensitive information the private sector provides on security at critical infrastructure assets, such as nuclear and chemical facilities. But, the DHS Inspector General found that users of the information network were confused and frustrated with the system and as a result do not regularly use it; and DHS has still not won all of the private sector’s trust that the agency can adequately protect and effectively use the information that sector provides. These challenges will require longer-term actions to resolve. What Remains to Be Done: GAO has made several recommendations agencies are beginning to address, including: * assessing progress made on the key steps and milestones implementing the ISE and removing barriers to implementation; * consolidating and consistently applying restrictions on sensitive information so they do not hinder sharing; and: * defining what information agencies need from the private sector for homeland security, how they will use it, and how they will protect it, as well as providing incentives and building trusted relationships to promote sharing with these critical security partners. Related Products: Establishing Appropriate and Effective Information- Sharing Mechanisms to Improve Homeland Security: Managing Sensitive Information: DOJ Needs a More Complete Staffing Strategy for Managing Classified Information and a Set of Internal Controls for Other Sensitive Information. GAO-07-83. Washington, D.C.: October 20, 2006. Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics. GAO-07- 39. Washington, D.C.: October 16, 2006. Terrorist Watch List Screening: Efforts to Help Reduce Adverse Effects on the Public. GAO-06-1031. Washington, D.C.: September 29, 2006. Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity. GAO-06-1087T. Washington, D.C.: September 13, 2006. Maritime Security: Information-Sharing Efforts Are Improving. GAO-06- 933T. Washington, D.C.: July 10, 2006. Managing Sensitive Information: Actions Needed to Ensure Recent Changes in DOE Oversight Do Not Weaken an Effective Classification System. GAO- 06-785. Washington, D.C.: June 30, 2006. Managing Sensitive Information: DOD Can More Effectively Reduce the Risk of Classification Errors. GAO-06-706. Washington, D.C.: June 30, 2006. Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information. GAO-06-383. Washington, D.C.: April 17, 2006. Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information. GAO-06-385. Washington, D.C.: March 17, 2006. [End of section] Highlights: High-Risk Series: Department of Defense Approach to Business Transformation: GAO Highlights: For additional information about this high-risk area, contact Sharon Pickup at (202) 512-9619 or pickups@gao.gov. Why Area Is High Risk: In 2005, GAO added the Department of Defense’s (DOD) approach to business transformation as a high-risk area because (1) DOD’s business improvement efforts and control over resources were fragmented, (2) DOD lacked an integrated and enterprisewide business transformation plan and investment strategy, and (3) DOD had not designated a senior management official at an appropriate level with the authority to be responsible and accountable for enterprisewide business transformation. To illustrate the magnitude of the risk DOD faces with its business transformation efforts, the department bears sole responsibility for eight defense-specific high-risk areas and shares responsibility for six other high-risk areas—all of which are related to business operations. What GAO Found: DOD spends billions of dollars to sustain key business operations intended to support the warfighter, including systems and processes related to the management of contracts, finances, the supply chain, support infrastructure, and weapons systems acquisition. GAO has reported on inefficiencies in DOD’s business operations, such as the lack of sustained leadership and a comprehensive, integrated, and enterprisewide business plan. Moreover, at a time of increasing military operations and growing fiscal constraints, billions of dollars have been wasted annually because of the lack of adequate transparency and appropriate accountability across DOD’s business areas. DOD’s top management has demonstrated a commitment to transforming the department’s business operations and has established a governance structure that consists of several elements. For example, in September 2006, DOD released an enterprise transition plan that is intended to be both a roadmap and management tool for modernizing its business processes and information technology assets. DOD also established the Defense Business Systems Management Committee (DBSMC), which is composed of senior-level DOD officials and is intended to serve as the primary transformation leadership and oversight mechanism, and the Business Transformation Agency (BTA) to support the DBSMC. BTA is to execute enterprise-level business transformation by, among other things, integrating departmental lines of business, following a corporate model. Finally, as required by Congress, DOD is studying the feasibility and advisability of establishing a Chief Management Officer (CMO) to oversee the department’s business transformation process. As part of this effort, the Defense Business Board, an advisory panel, examined various options and endorsed the CMO concept in May 2006. These steps are positive, but DOD still lacks some critical elements that are needed to ensure a successful and sustainable business transformation effort. While the enterprise transition plan and supporting governance structure are important steps toward developing a strategic plan and DOD-wide oversight, the primary focus has been on business systems modernization. Enterprise-level business transformation is much broader—encompassing planning, management, structure, and processes. DOD’s lack of a comprehensive, integrated, enterprisewide business transformation plan linked with performance goals, objectives,