Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Confidential communications"

    11 publications with a total of 19 open recommendations including 2 priority recommendations
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: Linda T. Kohn
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To address challenges that affect the ability of providers to electronically exchange health information, the Secretary of Health and Human Services should direct CMS and ONC to develop and prioritize specific actions that HHS will take consistent with the principles in HHS's strategy to advance health information exchange.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of August 28, 2014, HHS provided some information indicating that it had begun the process of developing milestones with time frames for its actions toward advancing exchange, and that it plans to make them publicly available. Because HHS has only just begun the process and has not provided documentation, these actions are in progress and therefore not complete. We will follow up in fiscal year 2015 to gather additional information to determine if the actions fully address the recommendation.
    Recommendation: To address challenges that affect the ability of providers to electronically exchange health information, the Secretary of Health and Human Services should direct CMS and ONC to develop milestones with time frames for the actions to better gauge progress toward advancing exchange, with appropriate adjustments over time.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of August 28, 2014, HHS provided some information indicating that it had begun the process of developing milestones with time frames for its actions toward advancing exchange, and that it plans to make them publicly available. Because HHS has only just begun the process and has not provided documentation, these actions are in progress and therefore not complete. We will follow up in fiscal year 2015 to gather additional information to determine if the actions fully address the recommendation.
    Director: Cackley, Alicia P
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: Congress should consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace--particularly in relation to consumer data used for marketing purposes--while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord. Among the issues that should be considered are: (1) the adequacy of consumers' ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA; (2) whether there should be additional controls on the types of personal or sensitive information that may or may not be collected and shared; (3) changes needed, if any, in the permitted sources and methods for data collection; and (4) privacy controls related to new technologies, such as web tracking and mobile devices.

    Agency: Congress
    Status: Open

    Comments: As of April 2017, Congress has not taken action on this matter.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update policies and procedures to ensure that they address (1) both methods available for granting all users access to mainframe resources, (2) audit and monitoring of access from one processing environment to another, (3) use of appropriate accounts by multiple databases on a single server, (4) data storage shared between systems, (5) out-of-date security standards, and (6) reconciliation of access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update mainframe test and evaluation processes to improve periodic monitoring of compliance with IRS policies.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To help mitigate vulnerabilities in mobile devices, the Chairman of the Federal Communications Commission should monitor progress of wireless carriers and device manufacturers in achieving their milestones and time frames once an industry baseline of mobile security safeguards has been implemented.

    Agency: Federal Communications Commission
    Status: Open

    Comments: FCC plans on monitoring the progress of wireless carriers and device manufacturers in achieving their milestones and time frames through one-on-one cyber risk management assurance meetings with service providers. FCC stated that it anticipates the meetings will begin within the next year pending the Commission's adoption of the policy statement for conducting the recommended meetings. We will validate these actions in the coming year.
    Director: McCool, Thomas J
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: In developing legislation for a national reporting system for the biological laboratory community, Congress may wish to consider provisions for the agency it designates as responsible for the system to take into account the following in design and implementation: (1) including stakeholders in setting system goals; (2) assessing labs' organizational culture to guide design and implementation decisions; (3) making reporting voluntary, with open-reporting formats that allow workers to report events in their own words and that can be submitted by all workers in a variety of modes (Web or postal), with the option to report to either an internal or external entity; (4) incorporating strong reporter protections, data deidentification measures, and other incentives for reporting; (5) developing feedback mechanisms and an industry-level entity for disseminating safety data and safety recommendations across the lab community; and (6) ensuring ongoing monitoring and evaluation of the safety reporting system and safety culture.

    Agency: Congress
    Status: Open

    Comments: Congress has not taken action on this recommendation.