Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Background investigations"

    13 publications with a total of 51 open recommendations including 4 priority recommendations
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency plans to update the plans of action and milestones with the current status, including expected completion dates.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM partially concurred with the recommendation. The agency is working on making improvements to its automated system to further support its remedial action management processes, including timely closure.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of updating security policies.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of defining role-based training requirements for its continuous monitoring program.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.
    Director: Chris P. Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that SCO uses its time and resources to pursue the most efficient and effective screening and credentialing harmonization goals on behalf of the department, the Secretary of Homeland Security should direct the Deputy Assistant Secretary for Screening Coordination, Office of Policy, to establish goals and objectives to support its broader strategic framework for harmonization.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gretta L. Goodwin
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: To help the NICS Section achieve its mission to enhance national security and public safety by providing the timely and accurate determination of a person's eligibility to possess firearms, the Director of the FBI should monitor NICS check outcomes for specific categories of prohibited individuals to assess timeliness and provide this information to other DOJ entities for use in establishing priorities and tools to assist states in submitting more complete records for use during NICS checks.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kay E. Brown
    Phone: (202) 512-7215

    3 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of the Department of Health and Human Services should direct the Office of Refugee Resettlement to develop a process to update its bed capacity framework on an annual basis to include the most recent data related to numbers of unaccompanied children who may be referred to its care and adjust its planning scenarios that guide its bed capacity as appropriate.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: The Office of Refugee Resettlement (ORR) developed a bed capacity framework for fiscal year 2016 and anticipated completing its fiscal year 2017 bed capacity framework by September 30, 2016. The framework includes bed capacity projections, including expected referrals and placement needs, based, in part, on data from the previous year. GAO will close this recommendation when HHS completes its 2017 bed capacity framework.
    Recommendation: The Secretary of the Department of Health and Human Services should direct the Office of Refugee Resettlement to review its monitoring program to ensure that onsite visits are conducted in a timely manner, case files are systematically reviewed as part of or separate from onsite visits, and that grantees properly document the services they provide to children.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS agreed with our recommendation and ORR is in the process of reviewing its monitoring templates and tools and, according to HHS, has conducted a monitoring training for its Project Officers. In addition, ORR is sending additional Project Officers into the field to complete scheduled monitoring visits to its care provider facilities. HHS reports that ORR is on track to complete all scheduled monitoring visits for FY 2016. We will close this recommendation when ORR has completed its review of its monitoring templates and tools and demonstrates that it can complete its planned monitoring visits on schedule.
    Recommendation: The Secretary of the Department of Health and Human Services should direct the Office of Refugee Resettlement to develop a process to ensure all information collected through its existing post-release efforts are reliable and systematically collected so that they can be compiled in summary form and provide useful information to other entities internally and externally.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Office of Refugee Resettlement (ORR) created a new section in its unaccompanied children's policy guide that, among other things, includes case reporting, records management, retention, and information sharing requirements for post-release service providers. Post-release service providers are required to maintain this information in an ORR-provided database. Also, the section requires that all reports made to ORR's National Call Center be documented and reported in accordance with mandatory reporting laws, state licensing requirements, federal laws and regulations, and ORR policies and procedures. Lastly, in May 2016, ORR released data for the first quarter of fiscal year 2016 on Safety and Well-Being (SWB) follow-up calls that were made to children and their sponsors.
    Director: Cary Russell
    Phone: (202) 512-5431

    6 open recommendations
    including 1 priority recommendation
    Recommendation: To enable AFRICOM's component commands to better plan, advise, and coordinate for OCS, the AFRICOM Commander, as part of AFRICOM's ongoing efforts to update related guidance and emphasize the importance of OCS integration at the subordinate command level, should direct the service components to designate elements within their respective staffs to be responsible for coordinating OCS, and consider the establishment of an OCS Integration Cell or similar structure with these dedicated OCS personnel, as needed.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: In July 2016, AFRICOM officials stated that there are clear advantages and benefits to establishing an OCSIC at Service-component level. USAFRICOM, as a geographic combatant command, assigns operational missions to subordinate commands for execution, including operational contract support (OCS) tasks. Joint Pub 4-10, as augmented by AFRICOM Command Instruction (ACI) 4800.01 A, specifies the tasks and functions in support of OCS that Service Components must execute. Service Components determine the most appropriate organizational structure best suited to meet its assigned mission. i.e. establishment of an OCSlC as deemed necessary. However, service components have indicated that guidance clarifying the circumstances under which they should establish OCSICs would be helpful. As such, this recommendation will remain open at this time.
    Recommendation: To enable AFRICOM's component commands to better plan, advise, and coordinate for OCS, the AFRICOM Commander, as part of AFRICOM's ongoing efforts to update related guidance and emphasize the importance of OCS integration at the subordinate command level, should clarify under what conditions a subordinate joint force command, such as Combined Joint Task Force-Horn of Africa, should establish an OCS Integration Cell.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: AFRICOM officials told us that USAFRICOM J4 conducted a staff assistance visit (SA V) at CJTF-HOA from 16-19 August 2015. It was recommended that ClTF-HOA establish an OCS Working Group (OCSWG) that is owned b) the ClTF-HOA J4. The OCSWG is a doctrinal working group and would contain designated cross-functional staff members to enable OCS planning and policy generation as well as Oversee contractor management issues. Other OCS recommendations were made to the CJTF-HOA J4 that included adding permanent OCS billets to the J4 and executing OCSIC tasks. This recommendation will remain open at this time.
    Recommendation: To enable AFRICOM to better identify, address, and mitigate OCS readiness gaps at its component commands before inaccurate information is incorporated into formal defense readiness reporting systems, the AFRICOM Commander should clarify the scorecard process, including assessment standards, for OCS Readiness Scorecards to ensure that evaluators can accurately assess subordinate commands' OCS capabilities.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: In July 2016, AFRICOM officials stated that while the OCS score card may be considered a best practice in the OCS execution in the AFRICOM AOR, it is not a replacement for the Defense Readiness Reporting System (DRRS) to report OCS. This recommendation will remain open at this time.
    Recommendation: To enable AFRICOM to comprehensively and consistently account for contractor personnel in Africa, the Secretary of Defense, in coordination with the Chairman of the Joint Chiefs of Staff, should direct Joint Staff to clarify what types of contractor personnel should be accounted for in its guidance on personnel status reports.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has taken steps to clarify what types of contractor personnel should be accounted for in its guidance on personnel status reports, but revision of that guidance is ongoing. According to Joint Staff officials in August 2016, USAFRICOM has not yet incorporated its local policies and standards into the CJCSM 3150.13C as the manual is up for review by the Joint Staff and is projected to be completed by Spring 2017. Additionally, in February 2016, a class deviation became effective for the USAFRICOM area of responsibility (AOR). This deviation superseded Class Deviations 2014-O0005, and 2015-O0003. The deviation stated that contracting officers shall incorporate clause 252.225-7980, Contractor Personnel Performing in the United States Africa Command Area of Responsibility, in lieu of the clause at DFARS 252.225-7040, Contractor Personnel Supporting U.S. Armed Forces Deployed Outside the United States, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items that will require contractor personnel to perform in the United States Africa Command (USAFRICOM) area of responsibility. In addition, to the extent practicable, contracting officers shall modify current, active contracts with performance in the USAFRICOM AOR to include the clause 252.225-7980. The USAFRICOM Commander has identified a need to utilize the Synchronized Pre-deployment and Operational Tracker for all contracts performed in the AOR during all operational phases (including Phase 0), not limited to declared contingency operations. However, until guidance clarifying what types of contractor personnel is finalized, this recommendation will remain open.
    Recommendation: To enable AFRICOM to comprehensively and consistently account for contractor personnel in Africa, the AFRICOM Commander should develop area of responsibility-wide contractor personnel accountability guidance on or before December 2015, when the current guidance expires, that clarifies which types of contractor personnel should be accounted for using SPOT, and when SPOT accountability requirements should be incorporated into contracts.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: In July 2016, AFRICOM officials told us Defense Federal Acquisition Regulation Supplement (DFARS) 252.225-7980 (Class Deviation 2016-00008), Contractor Personnel Performing in the United States Africa Command Area of Responsibility was published in June 2016. This clause requires the use of the Synchronized Pre-Deployment and Operational Tracker (SPOT) to account for all Contractor Authorized to Accompany the Force (CAAF), United States and third-country national contractors (TCNs), all private security contractors. and all other contractor personnel authorized to carry weapons when performing in the AFRICOM AOR on all DoD contracts, regardless of the contract amount or period of performance. Furthermore. the DoD contractor is required to submit to the cognizant contracting officer for SPOT reporting and aggregate count of all local national employees performing in the AFRICOM AOR. by country of performance, for 30 days or longer under a contract valued at or above $150.000. This recommendation will remain open at this time.
    Recommendation: To ensure that combatant commands are not contracting with entities that may be connected to or supporting prohibited organizations, the Secretary of Defense, in coordination with the Chairman of the Joint Chiefs of Staff, should develop guidance that clarifies the conditions under which combatant commands should have a foreign vendor vetting process or cell in place to determine whether potential vendors actively support any terrorist, criminal, or other sanctioned organizations, including clarifying when combatant commands should develop procedures for transmitting the names of any vendors identified through this process for inclusion in prohibited entities lists in the appropriate federal contracting databases, such as the System for Award Management.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of October 2016, DOD has taken steps to develop foreign vendor vetting guidance, but that guidance is in the process of being drafted. According to Joint Staff officials in August 2016, as required by NDAA for FY2015, Section 841(d)(1), the Director, Defense Procurement & Acquisition Policy, issued Class Deviation 2015-O0016, Prohibition on Providing Funds to the Enemy and Authorization of Additional Access to Records, effective September 15, 2015. Also, Joint Staff has drafted a Directive Type Memorandum (DTM)on foreign vendor vetting. When issued, the DTM will assign responsibility to each of the Combatant Commanders to establish a foreign vendor program in their respective Areas of Responsibility in accordance with NDAA for FY2015, Sections 841, 842 and 843. However, until the DTM is issued, this recommendation will remain open.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    2 open recommendations
    Recommendation: To improve disposition reporting that would help states update and complete criminal history records, the Director of the FBI should task the FBI Advisory Policy Board to establish a plan with time frames and milestones for achieving its Disposition Task Force's stated goals.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better equip states to meet the regulatory requirement to notify individuals of their rights to challenge and update information in their criminal history records, and to ensure that audit findings are resolved, the Director of the FBI--in coordination with the Compact Council-- should determine why states do not comply with the requirement to notify applicants and use this information to revise its state educational programs accordingly.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    16 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. However, as of April 2017, OPM had not implemented the recommendation to develop, document and implement oversight procedures to ensure that a system test is fully executed for each contractor-operated system. We will monitor OPM's efforts and validate OPM actions when evidence discloses that the recommendation has been implemented.
    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We requested comments on a draft of this report from the Office of Management and Budget, but none were provided. In June 2017, OMB stated that its and DHS's annual reporting requirements now contain an expanded list of criteria for contractor-operated systems, including definitions in related guidance from the National Institute of Standards and Technology. However, although the reporting requirements call for agencies to report on their total number of contractor-operated systems, neither the requirements or related guidance clarify which agency systems that have contractor relationships should be categorized as contractor-operated. The lack of clear instructions may continue to result in incomplete information regarding the number of contractor-operated systems within the government.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: To help assess and improve the timeliness of the trusted traveler application adjudication process, the Commissioner of CBP should establish an updated performance target for completing application vetting and a process to modify that target, as needed, based on factors such as changes in the number of trusted traveler program applications and available resources.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: According to CBP, the agency is transitioning to a new vetting platform, which will allow them to more fully assess application data. The estimated completion date is December 30, 2015.
    Recommendation: To help assess and improve the timeliness of the trusted traveler application adjudication process, the Commissioner of CBP should assess the feasibility of practices to expedite the interview process, which could include assessing the potential trade-offs, costs, and benefits associated with any proposed practices, such as those currently proposed or implemented at specific enrollment centers, and implement those practices CBP determines to be feasible.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: According to CBP, the Office of Field Operations, Trusted Traveler Programs (TTP) Division intends to complete the recommendation and provide a summary of findings and recommended best practices by December 30, 2015.
    Recommendation: To help assess and improve the timeliness of the trusted traveler application adjudication process, the Commissioner of CBP should develop a mechanism to track enrollment interview appointment availability data over time.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: According to CBP, the agency has initiated a redesign of the Global Online Enrollment System (GOES), to include GOES scheduling. A report on this effort, expected to further establish the project deliverables, level of effort, milestones and estimated completion timeline, is scheduled to be completed by December 30, 2015.
    Recommendation: To better ensure that the trusted traveler eligibility criteria and applicant adjudication processes are consistently implemented in accordance with CBP policy at all enrollment centers and by partner countries, the Commissioner of CBP should establish a mechanism or mechanisms in GES to allow CBP officers to efficiently document the types of interview questions asked and the nature of applicant responses, when appropriate, and then use this information to monitor the implementation of the interview process.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. Status last updated October 16, 2015.
    Director: Farrell, Brenda S
    Phone: (202) 512-3604

    1 open recommendations
    Recommendation: To improve transparency of costs and the efficiency of suitability andpersonnel security clearance background investigation processes thatcould lead to cost savings, the Deputy Director for Management, Office of Management and Budget, in the capacity as Chair of the Performance Accountability Council, should expand and specify reform-related guidance to help ensure that reform stakeholders identify opportunities for cost savings, such as preventing duplication in the development of electronic case-management and adjudication technologies in the suitability determination and personnel security clearance processes.

    Agency: Executive Office of the President: Office of Management and Budget: Performance Accountability Council
    Status: Open

    Comments: In July 2013, OMB provided GAO with an update to this recommendation. Although OMB has not yet issued guidance to help ensure that reform stakeholders identify opportunities for cost savings, OMB noted that it continues to work with Executive Agents on activities that reduce duplication in electronic case management and adjudication technologies for the suitability determination and personnel security clearance processes and provided four examples of those activities. (1)In March 2012, OMB's Office of E-Government and Information Technology began meeting with OPM regarding opportunities to enhance the functionality of non-DoD adjudicative entities that are serviced by OPM's Central Verification System, a subsystem of OPM's Personnel Investigation Processing System. (2) In March 2012, OPM provided programming language to the National Security Agency for the Electronic Questionnaire for Investigations Processing (EQIP), which the PAC previously identified as the Executive Branch solution for all investigation requests/applications. Since, NSA has begun development of a single classified automated EQIP solution for the Intelligence Community (IC). (3) In May 2012, DoD directed the consolidation of the seven non-IC DOD Central Adjudication Facilities under a single centralized authority. This more efficiently allocates adjudicative resources in a single case management system. (4) In anticipation of the IC's move to a cloud computing environment, ODNI's Special Security Directorate has begun discussion with IC components on how best to support further standardization and prevent duplication as they develop and modify IT systems to implement investigative and adjudicative training standards, respond to reporting requirements, and implement revised adjudicative guidelines. (5) The PAC, the Security Executive Agent, and DOD continue to promote the adoption of the DOD eAdjudication system (CATS) solution within other agencies across Government. The CATS e-Processing Suite (e-Delivery, e-Screening, and e-Adjudication processes) eliminates manual processes and realizes adjudicative efficiencies through the use of technology. DoD recently reported that During FY2012, e-Delivery saved the DoD approximately 590,000 hours (over 280 man-years) in employee processing and handling time, equating to a one-year salary cost avoidance of nearly $33 million. In addition, during FY2012, e-Adjudication saved the DoD approximately 57,000 hours (over 28 man years) in employee adjudication time, equating to a one-year salary cost avoidance of nearly $3.2 million. Shortly after the report was issued, OPM provided GAO with a letter dated May 25, 2012, that included its plans to address the recommendations that GAO made in GAO-12-197, to improve the transparency of the costs and efficiency of the suitability and security clearance background investigation process. Although this recommendation was geared toward the Deputy Director for Management at OMB, OPM pledged to support OMB in the implementation of this recommendation by 1) providing cost analysis data to support cost efficient Executive Branch implementation of new Federal Investigative Standards, 2) supporting standardization and consolidation of investigative systems and processes to the extent it benefits the goals of cost efficiency and reciprocity, and 3) providing recommendations for the standardization of technology supporting suitability adjudicative processes to the extent this benefits the goals of cost efficiency and reciprocity. OPM noted that, in March 2012, it provided OMB reform leadership with both cost analysis data to support the implementation of the new Federal Investigative Standards and recommendations for the standardization of technology for the consideration of OMB's e-Government experts.
    Director: Wilshusen, Gregory C
    Phone: (202)512-3000

    4 open recommendations
    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency: Department of Commerce
    Status: Open

    Comments: As of June 2017, Commerce had not submitted information or plans regarding revoking PIV cards in a timely fashion.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency: Department of the Interior
    Status: Open

    Comments: As of June 2017, Interior had not yet provided specific implementation plans for enabling PIV access to the department's major facilities.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency: Department of Labor
    Status: Open

    Comments: As of June 2017, Labor had not provided any information about whether the department's plans for PIV-enabled physical access at major facilities were being implemented in a timely manner.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: As of March 2017, NASA reported that it had begun implementing procedures for PIV-based logical access for the Apple Mac computers and mobile devices in its computing environment. NASA procured software to begin the transition of the Apple computers, but due to configuration issues the transition was not scheduled to be completed until December 2017. Further, NASA had begun the transition for mobile devices, which was scheduled to be completed by September 2017.
    Director: Clark, Cheryl E
    Phone: (202)512-9521

    3 open recommendations
    Recommendation: Based on a review of all existing contracts under $100,000 without an appointed COTR that should require contract employees to obtain favorable background investigation results, the Commissioner of the IRS should direct the appropriate IRS officials to amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it has completed its contract review and made appropriate modifications as of July 2016. However, the modifications to the contracts were not made available for our review during the fiscal year 2016 audit. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, several internal organizations will partner to identify the remaining actions needed to address this recommendation. According to IRS, these actions include developing policies and procedures to reasonably assure that (1) oversight between IRS's key offices is conducted to determine whether potential service awards IRS enters into involve routine, unescorted, unsupervised physical access to taxpayer information by contractors, thus requiring background investigations, and (2) the resulting processes make clear who is responsible for completing the various steps, as well as who must maintain documentation of the approved access determination prior to the contractor being allowed to provide the services. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, it would update campus post orders to help ensure timely reporting, monitoring and repair of exterior lighting outages. In addition, AWSS engaged in discussions with personnel from FPS and GSA to coordinate responsibilities and suggested changes for post orders when security services are contracted by those entities. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In April 2013, DHS reported that it had taken a number of steps to address our recommendations. For example, it had refreshed and reissued fraudulent document detection training to enrollment personnel; created a mechanism for enrollment personnel to send detailed information of suspected fraud to adjudication personnel; benchmarked TWIC enrollment processes with passport enrollment processes; and defined guidance for adjudicators on the application of discretionary authority. As we reported in May 2013, to determine if the internal control weaknesses identified in our May 2011 report still exist, we conducted limited covert testing in late 2012. Our investigators again acquired an authentic TWIC through fraudulent means and were able to use this card and counterfeit TWIC cards to access areas of ports or port facilities requiring a TWIC for entry at four ports. In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. In January 2017 TSA awarded a contract for an internal control assessment of the TWIC program, including the TWIC program?s internal controls of the enrollment, background checking, and credential issuance processes. The assessment, however, is to exclude an assessment of Coast Guard?s role in TWIC enforcement. The project held a kickoff meeting in March of 2017 and is expected to produce final recommendations by August 2017. We believe that this is a positive step towards addressing our recommendation. However, the assessment does not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. We continue to believe that the internal control assessment inclusive of TWIC use and the interrelationship between acquiring a TWIC and using it in the maritime environment is needed. For the reasons noted above, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. In March 2012, DHS reported that it agreed that the results and progress of the internal control actions should be used to further evaluate the effectiveness of the TWIC program. They further noted that as the different long term actions progress, DHS will develop specific plans to address this action. In May 2013 (see GAO-13-198), we reported that DHS had not addressed this recommendation. On January 17, 2014, the explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the assessment that we recommended within 90 days after enactment (April 17, 2014). In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. As of March 2017, the internal control assessment we recommended as the basis for initiating the effectiveness assessment had not been completed. However, on January 15, 2016, Coast Guard reported that it had completed its effectiveness assessment. Specifically, DHS completed an effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers." However, the effectiveness assessment did not substantively address the risk concerns identified in our report. For example, the effectiveness assessment lacked the internal control assessment we deem to be the critical first step for fully understanding the TWIC program's controls, costs, and risks. Further, while the effectiveness assessment presented a comparison of alternative credentialing approaches, the assessment did not fully consider, as discussed in our 2011 and 2013 reports, an approach wherein federal security threat assessments could be leveraged in concert with site-specific credentials. The analysis did consider the benefits of updating the TWIC credential to new federal credentialing standards. However, absent from the analysis is a risk-informed basis for disallowing site-specific credentials. While TWIC credentials are developed based on standards aligned with those used by federal entities, each federal entity continues to use site-specific credentials that have varying appearances, rather than a single credential for granting access to all federal entities. This is important, especially because Coast Guard's risk assessment does not include an evaluation of the security benefits and shortfalls that a single credential used nation-wide provide. Absent effectiveness assessment that meets the intent of our recommendation, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and needed corrective actions could better inform and enhance the reliability of the new regulatory analysis. Moreover, these actions could help DHS identify and assess the full costs and benefits of implementing the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks, and help ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. We therefore recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In March 2012, DHS reported that upon completion of the internal control and effectiveness assessments, DHS will evaluate the results to determine any subsequent actions, and that any applicable data or risks will be communicated to the Coast Guard for consideration during their regulatory analysis. However, DHS has not implemented the internal control assessment we recommended, which is to be the basis for the effectiveness assessment and addressing this recommendation. Further, the January 15, 2016 effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers" did not substantively address the risk concerns identified in our report. Given shortfalls that remain in addressing our internal control assessment and effectiveness assessment recommendations, this recommendation remains open pending DHS taking corrective actions. As of March 2017, no further action has been taken.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendations
    Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it had substantially completed its corrective actions to address 19 penalty programming issues it had identified from its internal assessment of penalty computation programs. However, as of September 30, 2016, IRS had not provided us with supporting documentation to validate that it completed the corrective actions. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 financial statement audit.