Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Computer security"

    39 publications with a total of 181 open recommendations including 12 priority recommendations
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Secretary of Homeland Security, and the Chief Information Officers Council, should evaluate whether the full implementation of the capability maturity model developed by the Council of the Inspectors General on Integrity and Efficiency ensures that consistent and comparable results are achieved across all federal agencies. (Recommendation 1)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency plans to update the plans of action and milestones with the current status, including expected completion dates.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM partially concurred with the recommendation. The agency is working on making improvements to its automated system to further support its remedial action management processes, including timely closure.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of updating security policies.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of defining role-based training requirements for its continuous monitoring program.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.
    Director: Dave Wise
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of Transportation should direct NHTSA to define, document, and externally communicate the agency's roles and responsibilities in relation to connected vehicle data privacy.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kirschbaum, Joseph W
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendations
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is currently conducting an analysis of all mission functions to include the following goals: simplify the descriptions of NCCIC's mission functions, document all NCCIC functional capabilities, document the applicability of implementing principles to NCCIC mission functions, and map as appropriate. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that they were still in the process completing mission functional analysis described in DHS's response to Recommendation 1, which would serve as the basis of developing metrics. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is updating existing policies and procedures for program management reviews (PMR) to include the metrics developed in recommendation two. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the NCCIC updated guidelines for incident reporting would be completed in May 2017. In addition, according to DHS, incident management system requirements were updated to support the new guidelines and are scheduled to be implemented in June 2017. DHS stated that these steps will enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which the NCCIC Watch Operations uses to help facilitate the timely, actionable, and relevant dissemination of information to leadership. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. As of August 2017, DHS has not provided evidence that the new guidelines have been implemented. However, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC had completed initial mapping of information flows, as well as the roles and responsibilities for the incident management function. A plan to integrate or consolidate disparate incident reporting systems is scheduled to be completed in December 2017. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NPPD is gathering the requirements for a customer relationship management (CRM) tool that will support regular reviews and updates to customer information. Additionally, DHS stated that NCCIC will establish and implement a standing operating procedure for capturing and regularly updating prioritized customer information including contact information in the event of an incident. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Office of Cybersecurity and Communications is establishing integrated customer engagement activities that support cyber risk mitigation and incident response planning. In addition, NCCIC will develop standing operating procedures that leverage existing information sharing programs, activities and relationships to tailor engagements that support owners and operators of the most critical cyber-dependent infrastructure assets including designated lifeline sectors. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Assistant Secretary of Office of Cybersecurity and Communications (CS&C) had consolidated the Enterprise Architecture role within the Office of the Chief Technology Officer (CTO). Working across CS&C, the CTO will establish a technology roadmap, to include consolidation of networks. In addition, NCCIC is working to determine the potential impact of network consolidation on mission functions, including mapping current data sources. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the potential reduction in sharing cybersecurity products that may result from migrating the NCCIC Portal to HSIN should be minimal. Contingency information sharing plans will be developed to mitigate potential issues through alternate information sharing practices, particularly involving an actual incident during migration transition. Foreign partnerships will continued to be maintained by exercises, analytic exchanges with our closest partners, and continued participation in multilateral and bilateral engagements. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Director: David A. Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to ensure that goals and associated performance measures are outcome-oriented and that performance measures have targets, including (1) performance measures and targets tied to fully recovering program costs; and (2) goals, performance measures, and targets for how the program will achieve its mission after September 2016.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures and targets. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to reflect additional 18F goals and performance measures, including measures tied to fully recovering program costs. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to assess actual results for each performance measure.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures with targets. Additionally, GSA has assessed actual results of the performance measures for the first two quarters of fiscal year 2017. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to include additional 18F goals and performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to ensure that all goals and associated performance measures are outcome-oriented and that performance measures have targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common, platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to assess actual results for each performance measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common, platforms, services, and tools. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update USDS policy to clearly define the responsibilities and authorities governing the relationships between CIOs and the digital service teams and require existing agency digital service teams to address this policy. In doing so, the Federal Chief Information Officer should ensure that this policy is aligned with relevant federal law and OMB guidance on CIO responsibilities and authorities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: Diana C. Maurer
    Phone: (202) 512-9627

    1 open recommendations
    Recommendation: In order to help ensure that ATF adheres to its policies and facilitates industry compliance with requirements, the Deputy Director of ATF should align the MS deletion policy, MS system design, and the timeliness of deletion practices to improve ATF's compliance with the policy.

    Agency: Department of Justice: Bureau of Alcohol, Tobacco, Firearms and Explosives
    Status: Open

    Comments: In September 2016, ATF reported that it deleted all purchaser names within those multiple sale records GAO identified as having been retained beyond time limits specified by ATF?s policy. In addition, ATF stated that it is in the process of implementing protocols to ensure that purging purchaser names within multiple sale records aligns with ATF policy. As of March 2017, ATF reported changing its query code to result in an improved match ratio with the MS system. In July 2017, ATF reiterated its deletion of affected purchaser names and its change in query code. However, given the longstanding nature of this issue, ATF needs to provide more documentation to demonstrate that the change in query code will identify all records eligible for deletion.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document artifacts that support recommendation closure consistent with SEC policy.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document a comprehensive physical inventory of the systems and applications in the production environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    6 open recommendations
    Recommendation: To ensure that agencies are provided with more complete guidance for contracts for cloud computing services, the Director of OMB should include all ten key practices in future guidance to agencies.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We are following up with OMB on its service level agreement (SLA) guidance to agencies.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretary of Defense should direct the appropriate officials to ensure key practices are fully incorporated for cloud services as the contracts and associated SLAs expire. These efforts should include updating the Department of Defense memorandum on acquiring cloud services and current Defense Acquisition Regulations System to more completely include the key practices.

    Agency: Department of Defense
    Status: Open

    Comments: We are following up with DOD on updating their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We are following up with DHS on the finalization of its service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We are following up with HHS on their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of the Treasury
    Status: Open

    Comments: We are following up with Treasury on their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We are following up with VA on their service level agreement (SLA) guidance.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that it is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and Encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 17. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any output/results (findings) from the ongoing studies DHS has related to SCADA and Encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed, refined, and were baselining a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures as an addition to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for update on the status of data correlation, once available. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To better facilitate adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity, the Secretary of Homeland Security should direct officials responsible for the Critical Infrastructure Cyber Community Voluntary Program to develop metrics for measuring the effectiveness of efforts to promote and support the framework.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In December 2016, DHS officials stated that they will continue to work with sector-specific agency partners and NIST to determine how to develop measurement activities and collect information on C3VP outreach and its effectiveness in promoting and supporting the Cybersecurity Framework. We will continue to monitor their efforts and verify whether implementation of metrics has occurred.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow-up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

    Agency: Department of the Treasury
    Status: Open

    Comments: The 2015 sector-specific plan for the financial services sector includes a section on measuring the effectiveness of sector activities; however, the plan does not include specific metrics. The plan refers to working groups and meetings of sector stakeholders as mechanisms to track sector progress. No specific metrics and associated reports of outcomes have been provided to address overcoming the challenges of monitoring the sector's cybersecurity progress. We will continue to monitor financial services sector activities and determine any specific metrics and related reports developed and implemented to track and report on the sector's cybersecurity progress.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether USDA and HHS have developed and implemented mechanisms to measure the outcomes of their sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether HHS has developed and implemented mechanisms to measure the outcomes of its sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Transportation
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The 2015 water and wastewater sector-specific plan includes a segment on measuring the effectiveness of sector activities that describes the overall principles for collecting data and using the National Annual Report data calls as a tool for assessing performance and reporting on progress within the sector. However, the plan does not state specific measures and the agency acknowledged in its response to our report that it does not collect performance metrics on the effectiveness of its cybersecurity programs for the sector. According to agency officials, the development of performance metrics in collaboration with sector partners is underway. We will continue to follow up to identify any specific metrics developed and implemented and resulting outcome-based reports.
    Director: Cary Russell
    Phone: (202) 512-5431

    4 open recommendations
    Recommendation: To better determine the costs needed to sustain the equipment to support a Marine Air Ground Task Force capability, the Commandant of the Marine Corps should direct the Deputy Commandant for Installations and Logistics to incorporate the four characteristics of reliable cost estimates in the Marine Corps' forthcoming prepositioning programs budget development policy, and specifically to ensure that estimates are accurate and well-documented, require all relevant departments and subordinate commands to provide documentation of cost-estimating details that include both source data and calculations.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Recommendation: To better determine the costs needed to sustain the equipment to support a Marine Air Ground Task Force capability, the Commandant of the Marine Corps should direct the Deputy Commandant for Installations and Logistics to incorporate the four characteristics of reliable cost estimates in the Marine Corps' forthcoming prepositioning programs budget development policy, and specifically to ensure that estimates are credible, implement management requirements to establish and conduct formal cross-checks of major cost elements among the relevant departments and subordinate commands to determine whether they are replicable.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Recommendation: To better determine the costs needed to sustain the equipment to support a Marine Air Ground Task Force capability, the Commandant of the Marine Corps should direct the Deputy Commandant for Installations and Logistics to incorporate the four characteristics of reliable cost estimates in the Marine Corps' forthcoming prepositioning programs budget development policy, and specifically to ensure that estimates are comprehensive, implement a standardized structure for collecting all the necessary details used to develop and support cost estimates from all relevant departments and subordinate commands.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Recommendation: As part of its quality assurance program for ensuring that the Marine Corps has accurate and reliable information on inventory data for stored assets used to support combatant commanders' requirements, the Commandant of the Marine Corps, in consultation with the Norwegian Defence Logistics Organization, should take steps to update the Technical Manual on Logistics Support for the Marine Corps Prepositioning Program - Norway and the Local Bilateral Agreement, to incorporate guidance and instructions on conducting a quality assurance review that assesses the accuracy and reliability of the Norwegian Equipment Information Management System.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Director: Lawrance Evans
    Phone: (202) 512-8678

    4 open recommendations
    Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

    Agency: Congress
    Status: Open

    Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of October 2016, Congress had not granted NCUA such authority.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In September 2015, OCC stated that it is taking two actions to respond to our recommendation. First, the agency is integrating the Cybersecurity Assessment Tool (Tool), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations. Officials believe that the Tool will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, the Tool will help OCC allocate examiner resources and better target examiner training. OCC began integrating the Tool in selected examinations in December 2015. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the enhancements will facilitate systemic categorization of supervisory concerns that strengthen recording, monitoring, and analyzing of volumes and trends across bank portfolios. Also, the enhanced guidance discusses the relationship between MRAs, interagency ratings, OCC's risk assessment system, and enforcement actions. OCC believes that these process enhancements combined with the integration of the Tool, will improve its ability to assess information security practices at medium and small institutions. We will continue to monitor OCC's progress in implementing the Tool and the resulting trend analyses that the Tool is intended to facilitate.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Federal Reserve System
    Status: Open

    Comments: In July 2015, we recommended that the Board of Governors of the Federal Reserve System (Board) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. As of October 2016, the Board had not provided an update on its efforts to address this recommendation.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: National Credit Union Administration
    Status: Open

    Comments: In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In July 2016, NCUA told us that it and the other federal financial institution regulators issued the Cybersecurity Assessment Tool (Tool) in June 2015 to provide a comprehensive method for institutions to benchmark their cybersecurity programs. Officials believe that the Tool will allow examiners to consistently and methodically look at credit union risks and trends, as well as collect detailed information on the risks and mitigating controls employed by credit unions. When the Tool is fully implemented, officials expect to be able to aggregate risk indicators and program gaps across the credit union industry to improve resource deployment and enhance cybersecurity supervisory oversight. NCUA plans to begin pilot testing the Tool in late 2016 with program integration targeted for July 2017. We will continue to monitor NCUA's progress with this program and revisit our recommendation in July 2017.
    Director: Gerald L. Dillingham, Ph.D.
    Phone: (202) 512-2834

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To better ensure that cybersecurity threats to NextGen systems are addressed, given the challenges FAA faces in meeting the Office of Management and Budget's (OMB) guidance to implement the latest security controls in the National Institute of Standards and Technology's (NIST) revised guidelines within one year of issuance, the Secretary of Transportation should instruct the FAA Administrator to develop a plan to fund and implement the NIST revisions within OMB's time frames.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: DOT concurred with this recommendation. FAA officials told us the agency is unable to implement all requirements within OMB's one-year time frame based on resource availability to address the number of FAA's FISMA reportable systems and NIST's newly revised requirements. As such, FAA's approach to achieve compliance with the most current NIST security controls (NIST SP 800-53 Revision 4) is to adopt a three-year assessment cycle where at least one-third (1/3) of these controls for all systems are assessed each year over a three year period. Each system will be fully assessed against all new and modified security controls in the current revision by the end of fiscal year 2017. Systems with weaknesses that could be exploited by adversaries may be at increased risk if relevant controls are not implemented. A three-year assessment cycle may not be adequate to maintain currency with NIST standards as future revisions are released. Therefore, FAA should report to OMB on how its alternative plan for implementing revised NIST standards will be adequate to protect the security of NextGen systems. As of October 2016, FAA is in the final stages of developing a plan to fund and implement the NIST revisions within OMB's time frames. FAA said it plans to implement the recommendation in 2017. The agency will request closure for the recommendation once the plan has been completed.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    12 open recommendations
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. However, as of July 2017, FAA has provided partial documentation, but has not yet provided GAO with sufficient evidence to validate FAA's actions to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS testing policy and has provided evidence indicating that it has made progress toward ensuring that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively. Subsequent to FAA providing additional evidence showing that its corrective actions have been fully implemented, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS Remediation Management Plan to include new risk management processes for identified security weaknesses. However, it has not yet provided GAO sufficient evidence necessary to show that the agency has taken steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to provide NCO with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to integrate network traffic flow data into NCO's ad-hoc query systems. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with access to network sensors on key network gateways for reviewing intrusion detection, network traffic, and network session data.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of July 2017, FAA had developed a coordinated procedure with the FTI Security Operations Center to provide packet capture information from network sensors based on identified incidents. However, it has not provided GAO with sufficient documentation to demonstrate that the procedure has been implemented. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA provided evidence that it has taken steps to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented. However, it has not yet provided sufficient evidence that it has fully implemented its corrective actions. Subsequent to FAA providing sufficient evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it plans to implement the recommendation by September 2017. As of July 2017, FAA has not yet provided sufficient evidence that it has taken sufficient action to ensure that contingency plans for NAS systems are sufficiently documented and that tests of the plans address key plan elements. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of August 2017, FAA has provided GAO with its planned actions to provide NCO with security event log data for all IP-connected NAS systems, which indicate that the agency still plans to complete its actions by December 2018. We plan to validate these actions subsequent to FAA informing us that it has completed them.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to finalize the incident response policy for the Air Traffic Organization and ensure that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported in accordance with FAA guidance.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has finalized the incident response policy for the Air Traffic Organization and updated one system-level incident response policy to specify incident reporting timeframes and the need for all incidents to be reported. However, it has not yet provided sufficient evidence showing that all system-level incident response policies specify reporting timeframes and the need for all incidents to be reported. Subsequent to FAA providing evidence that it has updated the remaining system-level incident response policies, we plan to validate FAA's actions.
    Director: Mctigue Jr, James R
    Phone: (202) 512-7968

    2 open recommendations
    Recommendation: To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by documenting the underlying analysis justifying cost-influencing assumptions.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of April 2017, IRS has taken steps to update its methodology for calculating and reporting its Taxonomy estimates. IRS provided GAO with updated Taxonomy estimates for 2015; GAO is reviewing these estimates to determine the extent to which IRS has implemented GAO's recommendation.
    Recommendation: To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by reporting the inherent imprecision and uncertainty of the estimates. For example, IRS could provide a range of values for its Taxonomy estimates.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of April 2017, IRS has taken steps to update its methodology for calculating and reporting its Taxonomy estimates. IRS provided GAO with updated Taxonomy estimates for 2015; GAO is reviewing these estimates to determine the extent to which IRS has implemented GAO's recommendation.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the Department has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the General Services Administration should assess the building and access control systems that it owns in FPS-protected facilities in a manner that is fully consistent with FISMA and its implementation guidelines.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: As of October 2016, GSA recently provided documentation about its assessments of the control systems that the agency owns in FPS-protected facilities. We are reviewing this information to determine whether GSA has implemented the recommendation.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: To ensure that application of UBP for fixed Internet access does not conflict with the public interest, the FCC should make use of existing data collection sources to track fixed-Internet UBP implementation and its effects on consumers nationwide so that FCC can take actions, if necessary, to protect consumer interests.

    Agency: Federal Communications Commission
    Status: Open

    Comments: When we confirm what actions FCC has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Stephen Caldwell
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has taken action in response to GAO's September 2014 recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments, but has not fully implemented the recommendation. DHS first reported to GAO in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group comprised of a variety of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IPGateway portal--IP's system that houses infrastructure data and identifies facilities that have been assessed by IP. In a July 2016 update, DHS reported that IP had reached agreement with DHS components to expand access to its IP Gateway portal to those partners as a means to share IP's vulnerability assessment information and help coordinate assessment visits and related activities. DHS also noted in its update that IP had begun providing access to IP Gateway to components within DHS but did not provide a date as to when that step would be complete. These are positive steps toward implementing a systematic and integrated approach for facilitating data sharing and coordination of vulnerability assessments throughout the department. However, developing a department-wide process to facilitate data sharing and coordination among the DHS offices and components that conduct or require vulnerability assessments would better enable DHS to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct. Because DHS is still in the process of completing these steps, the recommendation has not yet been fully implemented.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSA) and other federal agencies to determine the areas they capture.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Director: Jennifer A. Grover
    Phone: (202) 512-7141

    1 open recommendations
    Recommendation: To assess the progress of the Secure Flight program toward achieving its goals, the Transportation Security Administration's Administrator should develop additional measures to address key performance aspects related to each program goal, and ensure these measures clearly identify the activities necessary to achieve progress toward the goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions that DHS TSA has taken in response to this recommendation, we will provide updated information. Status last confirmed on 10/26/15.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    16 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. However, as of April 2017, OPM had not implemented the recommendation to develop, document and implement oversight procedures to ensure that a system test is fully executed for each contractor-operated system. We will monitor OPM's efforts and validate OPM actions when evidence discloses that the recommendation has been implemented.
    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We requested comments on a draft of this report from the Office of Management and Budget, but none were provided. In June 2017, OMB stated that its and DHS's annual reporting requirements now contain an expanded list of criteria for contractor-operated systems, including definitions in related guidance from the National Institute of Standards and Technology. However, although the reporting requirements call for agencies to report on their total number of contractor-operated systems, neither the requirements or related guidance clarify which agency systems that have contractor relationships should be categorized as contractor-operated. The lack of clear instructions may continue to result in incomplete information regarding the number of contractor-operated systems within the government.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To improve the consistency and effectiveness of government-wide implementation of information security programs and privacy requirements at small agencies, the Director of OMB should include in the annual report to Congress on agencies' implementation of the Federal Information Security Management Act (FISMA): a list of agencies that did not report on implementation of their information security programs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other securityrelated planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyberrelated threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update status of implementation efforts.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update access request policies and procedures to ensure that they contain sufficiently detailed information of access requests and access assignments to facilitate effective review and verification of appropriate access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    17 open recommendations
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should revise guidance on computer matching to clarify whether front-end verification queries are covered by the Computer Matching Act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should direct agencies to address all key elements when preparing cost-benefit analyses.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should ensure that agencies receive assistance in implementing computer matching programs as envisioned by the act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB performs annual reviews and submits annual reports on the agency's computer matching activities, as required by the act.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Education should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Education
    Status: Open

    Comments: We have not yet received sufficient information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information needed to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Veterans Affairs should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Administrator of Social Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Social Security Administration
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Caldwell, Stephen L
    Phone: (202)512-9610

    1 open recommendations
    Recommendation: To better ensure consistent implementation of and accountability for DHS's resilience policy, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to develop an implementation strategy for this new policy that identifies the following characteristics and others that may be deemed appropriate: (1) steps needed to achieve results, by developing priorities, milestones, and performance measures; (2) responsible entities, their roles compared with those of others, and mechanisms needed for successful coordination; and (3) sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In the 60-day letter provided in January 2013, DHS indicated that the Resilience Integration Team (RIT) was developing a draft implementation plan to be circulated among relevant stakeholders for review. On 10/30/13, we notified DHS that we would like to see a copy of the resilience policy implementation plan (if developed), or any other related documentation if the plan is still in development. We were informed later that day that a draft plan had been developed, and DHS needed to confirm its status. In May of 2015, we were told again that a draft plan had been developed but never finalized. As of August 2015, DHS's Policy Office is looking into the status of plan development. We await their response. DHS response still pending as of 10/4/16.
    Director: Wilshusen, Gregory C
    Phone: (202)512-3000

    4 open recommendations
    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency: Department of Commerce
    Status: Open

    Comments: As of June 2017, Commerce had not submitted information or plans regarding revoking PIV cards in a timely fashion.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency: Department of the Interior
    Status: Open

    Comments: As of June 2017, Interior had not yet provided specific implementation plans for enabling PIV access to the department's major facilities.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency: Department of Labor
    Status: Open

    Comments: As of June 2017, Labor had not provided any information about whether the department's plans for PIV-enabled physical access at major facilities were being implemented in a timely manner.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: As of March 2017, NASA reported that it had begun implementing procedures for PIV-based logical access for the Apple Mac computers and mobile devices in its computing environment. NASA procured software to begin the transition of the Apple computers, but due to configuration issues the transition was not scheduled to be completed until December 2017. Further, NASA had begun the transition for mobile devices, which was scheduled to be completed by September 2017.
    Director: Aloise, Eugene E
    Phone: (202)512-6870

    2 open recommendations
    Recommendation: To ensure that NNSA functions as a separately organized agency, the Secretary of Energy and the Administrator, NNSA, should clearly define NNSA's status as a separately organized agency within the department.

    Agency: Department of Energy
    Status: Open

    Comments: In his 31 USC Section 720 response to our report, the Deputy Secretary of Energy stated that he did not concur with this recommendation. He stated that elements of the Department and the NNSA had executed memoranda of understanding specifying how certain Department-wide functions would be performed while respecting the statutory insulation of NNSA personnel. He also stated that the Department will consider issuing circumstance-specific guidance where required to correct misperceptions about the effect of the NNSA's act limitations. NNSA's relationship with DOE continues to evolve. NNSA asserted its independence aggressively through July 2012 when an important security incident took place at the Y-12 plant. Since that time, NNSA has been less independent.
    Recommendation: To ensure that NNSA functions as a separately organized agency, the Secretary of Energy and the Administrator, NNSA, should clearly define NNSA's status as a separately organized agency within the department.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: In his 31 USC Section 720 response to our report, the Deputy Secretary of Energy stated that he did not concur with this recommendation. He stated that elements of the Department and the NNSA had executed memoranda of understanding specifying how certain Department-wide functions would be performed while respecting the statutory insulation of NNSA personnel. He also stated that the Department will consider issuing circumstance-specific guidance where required to correct misperceptions about the effect of the NNSA's act limitations. Since we received the letter, there have been instances where the DOE/NNSA relationship has become less clear.