Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Computer emergency response team"

    2 publications with a total of 16 open recommendations
    Director: Gregory C.Wilshusen
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise policies for incident response by including requirements for defining the incident response team's level of authority, and prioritizing the severity ratings of incidents for unclassified systems, based on impact.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise the department's incident response plan to include quantifiable metrics for measuring the incident response capability and its effectiveness.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should develop incident response procedures that provide instructions for prioritizing the handling of incidents by impact.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should ensure that all components test their incident response capability.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise policies for incident response by including requirements for defining the incident response team's level of authority, and establishing measures of performance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise the department's incident response plan to include metrics for measuring the incident response capability and its effectiveness.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should test the department's incident response capability.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should train the department's incident response personnel per the agency's requirements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation and as of April 2017 has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.