Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Contingency plans"

    14 publications with a total of 60 open recommendations including 1 priority recommendation
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Secretary of Homeland Security, and the Chief Information Officers Council, should evaluate whether the full implementation of the capability maturity model developed by the Council of the Inspectors General on Integrity and Efficiency ensures that consistent and comparable results are achieved across all federal agencies. (Recommendation 1)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The DHS Under Secretary for Management should develop and implement effective processes and improve guidance to reasonably assure that future AAs fully follow AOA process best practices and reflect the four characteristics of a reliable, high-quality AOA process. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The DHS Under Secretary for Management should improve the Risk Management Planning Handbook and other relevant guidance for managing risks associated with financial management system modernization projects to fully incorporate risk management best practices, including (1) defining thresholds to facilitate review of performance metrics to determine when risks become unacceptable; (2) identifying and analyzing risks to include periodically reconsidering risk sources, documenting risks specifically related to the lack of sufficient, reliable cost and schedule information needed to help properly manage and oversee the project, and timely disposition of IV&V contractor-identified risks; (3) developing risk mitigation plans with specific risk-handling activities, the costs and benefits of implementing them, and contingency plans for selected critical risks; and (4) implementing risk mitigation plans to include establishing periods of performance for risk-handling activities and defining time intervals for updating and certifying the accuracy and completeness of information on risks in DHS's risk register. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Cary Russell
    Phone: (202) 512-5431

    6 open recommendations
    Recommendation: To enable the department to enhance its visibility over contractor personnel for whom it may become responsible in the event of contingency and other applicable operations, the Secretary of Defense should, in coordination with the Chairman of the Joint Chiefs of Staff, update accountability guidance clarifying the types of contractor personnel that are to be accounted for in a steady-state environment.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable PACOM to consistently account for contractor personnel in its area of responsibility, the Secretary of Defense should direct the PACOM Commander to clarify contractor personnel accountability guidance for the collection of all contractor personnel data in a steady-state environment and specify a system of record, such as SPOT, for the collection of this information.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure that combatant commands are not contracting with entities that may be connected to or supporting prohibited organizations, the Secretary of Defense should, in coordination with the Chairman of the Joint Chiefs of Staff, develop and issue guidance that clarifies the foreign-vendor vetting steps or process that should be established at each combatant command, including the operational conditions under which a foreign-vendor vetting cell should be established.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure that PACOM is not contracting with entities that may be connected to or supporting prohibited organizations, while awaiting DOD guidance on vendor vetting, the Secretary of Defense should direct the PACOM commander to consider developing vendor vetting guidance as other combatant commands have done, to prepare for the event that PACOM becomes actively engaged in hostilities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable OCS to be fully embedded in the command structure at the command and continue to build upon the progress of integrating OCS into the command, as PACOM updates OCS guidance, the Secretary of Defense should direct the PACOM Commander to consider ways to ensure all joint staff functions beyond the logistics area are fully integrated into its OCS organizational structure and OCS Integration Cell.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable PACOM to better identify OCS requirements and incorporate those requirements into Annex Ws and their appendixes, the Secretary of Defense should direct the PACOM Commander to develop guidance that clarifies roles and responsibilities and the process that should be followed for OCS requirements development.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kathy King
    Phone: (202) 512-7114

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To help ensure that quality care is provided to AI/AN people, as part of the implementation of its quality framework, the Secretary of HHS should direct the Director of IHS to ensure that agency-wide standards for the quality of care provided in its federally operated facilities are developed, that facility performance in meeting these standards is systematically monitored over time, and that enhancements are made to its adverse event reporting system.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: HHS agreed with our recommendation and cited steps it already has underway to improve the quality of care in IHS's federally-operated facilities. HHS described the development of the IHS Quality Framework and Implementation Plan released in November 2016. However, as of June 2017, IHS had not developed agency-wide standards for the quality of care provided in its federally operated facilities.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    22 open recommendations
    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. Instead, we are reviewing the relevant OMB memoranda that officials believe address the intent of the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with the FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with the recommendation, stating that the department's policy documents are expected to be updated by the end of the 4th Quarter in 2017. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) did not concur with our recommendation, nor has it provided evidence that it has implemented the recommendations.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning implementing, evaluating, and documenting remedial actions.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain Departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of State
    Status: Open

    Comments: The Department of State (State) concurred with this recommendation. We are currently reviewing the evidence provided by State to determine whether the role of the CISO has been defined in its policy to for ensuring that State has procedures for incident detection, response, and reporting.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to for ensuring that subordinate security plans are documented for the agency's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to ensure recovery and continued operations of the agency's information systems in the event of a disruption.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in agency policy for the periodic authorization of the department's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. We are currently reviewing the evidence provided by NASA to determine whether the role of the SAISO has been defined in agency policy for oversight of security for information systems that are operated by contractors on NASA's behalf.
    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business administration (SBA) concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Anne-Marie Fennell
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help improve the efficiency of Corps operations at reservoir projects and to assist the Corps in meeting the requirement of the Water Resources Reform and Development Act of 2014 to update the Corps' 1992 reservoir report, the Secretary of Defense should direct the Secretary of the Army to direct the Chief of Engineers and Commanding General of the U.S. Army Corps of Engineers to develop guidance on what activities constitute a review of a water control manual and how to document that review.

    Agency: Department of Defense
    Status: Open

    Comments: The agency agreed with our recommendation. We will provide updates when the agency takes action.
    Recommendation: To help improve the efficiency of Corps operations at reservoir projects and to assist the Corps in meeting the requirement of the Water Resources Reform and Development Act of 2014 to update the Corps' 1992 reservoir report, the Secretary of Defense should direct the Secretary of the Army to direct the Chief of Engineers and Commanding General of the U.S. Army Corps of Engineers to track consistent information on the status of water control manuals, including whether they need revisions, and prioritize revisions as needed.

    Agency: Department of Defense
    Status: Open

    Comments: The agency agreed with our recommendation. We will provide updates when the agency takes action.
    Director: Chaplain, Cristina T
    Phone: (202)512-4841

    1 open recommendations
    Recommendation: To help ensure DOD is sufficiently informed about the availability and reliability of data from U.S. civil government and international partner satellites as it plans for future SBEM capabilities that rely on such satellites, the Secretary of Defense should ensure the leads of future SBEM planning efforts establish formal mechanisms for coordination and collaboration with NOAA that specify roles and responsibilities and ensure accountability for both agencies.

    Agency: Department of Defense
    Status: Open

    Comments: In January 2017, the Air Force and NOAA signed a memorandum of agreement under which the parties are to establish annexes for interagency acquisitions or support on SBEM efforts. The Air Force and NOAA are in the process of drafting two annexes for collecting SBEM data, expected to be completed by the winter of 2017, according to the Air Force. This effort does not cover collaboration between NOAA and DOD entities outside the Air Force, but NOAA is engaged in a separate memorandum of agreement with the Navy, which includes one annex that involves sharing data for SBEM-related activities. According to the Navy, additional draft annexes that would further SBEM-related data sharing are being considered. In addition, DOD and NOAA are in the process of responding to section 1607 of the National Defense Authorization Act for Fiscal Year 2017, which directs the agencies to jointly establish mechanisms to collaborate and coordinate in defining roles and responsibilities to carry out SBEM activities and plan for future nongovernmental SBEM capabilities, and to submit a report on the mechanism established.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    4 open recommendations
    Recommendation: To better position DOD as it continues pursuing GPS modernization, to have the information necessary to make decisions on how best to improve that modernization, and to mitigate risks to sustaining the GPS constellation, the Secretary of Defense should convene an independent task force comprising experts from other military services and defense agencies with substantial knowledge and expertise to provide an assessment to the Under Secretary of Defense for Acquisition, Technology, and Logistics of the OCX program and concrete guidance for addressing the OCX program's underlying problems, particularly including: (1) A detailed engineering assessment of OCX defects to determine the systemic root causes of the defects; (2) Whether the contractor's software development procedures and practices match the levels described in the OCX systems engineering and software development plans; and (3) Whether the contractor is capable of executing the program as currently resourced and structured.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. Prior to the program declaring a Nunn-McCurdy breach on June 30, 2016, the only independent assessment was conducted by Defense Digital Services and was limited in focus to software development. Air Force notes a completion date of independent assessment on Sept 29, 2017. Once received, we will evaluate whether that meets the intent of the recommendation.
    Recommendation: To better position DOD as it continues pursuing GPS modernization, to have the information necessary to make decisions on how best to improve that modernization, and to mitigate risks to sustaining the GPS constellation, the Secretary of Defense should develop high confidence OCX cost and schedule estimates based on actual track record for productivity and learning curves.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. Prior to the program declaring a Nunn-McCurdy breach on June 30, 2016, no high confidence cost assessment was completed. The Air Force and contractor provided schedule assessments that were not evaluated and considered low-risk, but were directed to execute a 24 month schedule extension with no assessment of its feasibility and that did not take into account past contractor performance. Pending Nunn-McCurdy documentation and repeat of Milestone B, there is no evidence a high confidence cost or schedule has been put in place. Once we receive documentation on approval of Milestone B, we will reevaluate.
    Recommendation: To better position DOD as it continues pursuing GPS modernization, to have the information necessary to make decisions on how best to improve that modernization, and to mitigate risks to sustaining the GPS constellation, the Secretary of Defense should direct the Air Force to retain experts from the independent task force as a management advisory team to assist the OCX program office in conducting regular systemic analysis of defects and to help ensure OCX corrective measures are implemented successfully and sustained.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. Prior to the program declaring a Nunn-McCurdy breach on June 30, 2016, Defense Digital Services were initially retained for a month and subsequently remain embedded with contractor software developers to provide advice on development and process improvements. Upon completion of the Nunn-McCurdy review and continued involvement of Defense Digital Services, we will examine the extent to which the program has met this recommendation if the program is recertified to determine if this recommendation was met. Air Force did not provide an update to this recommendation in 2017, but program still has not had Milestone B approved and the Defense Digital Services group is no longer engaged on OCX.
    Recommendation: To better position DOD as it continues pursuing GPS modernization, to have the information necessary to make decisions on how best to improve that modernization, and to mitigate risks to sustaining the GPS constellation, the Secretary of Defense should put in place a mechanism for ensuring that the knowledge gained from the OCX assessment is used to determine whether further programmatic changes are needed to strengthen oversight.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. Senior quarterly reviews continue of the OCX program and have been in place since December 2015. Documentation still pending on Milestone B to see if these reviews have informed programmatic changes that better position DOD to complete this acquisition.
    Director: James R. McTigue, Jr.,
    Phone: (202) 512-9110

    3 open recommendations
    Recommendation: To strengthen oversight of the individual shared responsibility and premium tax credit provisions, the Commissioner of Internal Revenue should assess whether or not the data received from the health insurance marketplaces are sufficiently complete and accurate to enable effective correction of tax returns at-filing based on matching with the marketplace data and, if the assessment determines that such corrections would be effective, seek legislative authority to correct tax returns at-filing based on the marketplace data.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The Internal Revenue Service (IRS) agreed with GAO's recommendation. IRS reports that the quality of data submitted by health insurance marketplaces has improved since the 2015 return filing season, and it continues to use its correspondence process for resolving discrepancies between marketplace data and that reported by the taxpayer after the return has been filed. IRS has not considered requesting legislative authority to correct tax returns at the time of filing based specifically on discrepancies between the data submitted by the health insurance marketplace and reported by the taxpayer. Agency officials believe that would be premature at this time. They noted that a broader legislative initiative has already been proposed that would grant IRS with correctable error authority in cases where the information provided by the taxpayer does not match the information contained in government databases. Should this broad authority be granted in the future, IRS will then consider how to approach correction of tax returns at the time of filing based on discrepancies with health insurance marketplace data. Such authority was also included in the Administration's 2018 budget.
    Recommendation: To strengthen oversight of the individual shared responsibility and premium tax credit provisions, the Commissioner of Internal Revenue should work with CMS to get the total amount of advance PTC paid for the 2014 tax year and establish, as a baseline, the aggregate amount of the gap between advance PTC paid and advance PTC reported for the 2014 tax year, and track this aggregate gap for future tax years to help in evaluating the effectiveness of IRS's PTC education and compliance efforts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The Internal Revenue Service (IRS) agreed with GAO's recommendation in part. As one of the ongoing efforts by the IRS to evaluate the effectiveness of its implementation of the premium tax credit (PTC) provision for tax year 2014, IRS plans to perform as analysis of reporting of advance payments of the PTC by the Marketplaces. The results of this analysis and other efforts will help inform the IRS of potential areas for improvement in education, tax filing and compliance activities. IRS has been tracking the amount of advance PTC paid based on summary data provided by the Centers for Medicare & Medicaid Services (CMS) for 2014 and 2015 as well as the gap between the amounts paid compared to the amount reported by taxpayers. However, IRS has not yet resolved all issues with CMS related to properly allocating all payments to 2014 and 2015. Complete data for 2016 are not yet available.
    Recommendation: To strengthen oversight of the individual shared responsibility and premium tax credit provisions, the Commissioner of Internal Revenue should evaluate IRS efforts to collaborate and communicate with key external stakeholders to inform efforts related to implementation of the new 2015 PPACA requirements.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The Internal Revenue Service (IRS) agreed with GAO's recommendation but has not yet initiated an evaluation of collaboration and communication efforts with external stakeholders. IRS currently utilizes informal feedback processes to share information and identify opportunities for improvement with external stakeholders in implementing the shared responsibility payment and premium tax credit provisions. We continue to encourage IRS to evaluate its collaboration and communication efforts.
    Director: Irving, Susan J
    Phone: (202) 512-6806

    2 open recommendations
    Recommendation: To avoid serious disruptions to the Treasury market and to help inform the fiscal policy debate in a timely way, Congress should consider alternative approaches that better link decisions about the debt limit with decisions about spending and revenue at the time those decisions are made such as those described in this report.

    Agency: Congress
    Status: Open

    Comments: The Bipartisan Budget Act of 2015 temporarily suspended the debt limit until March 15, 2017. This allowed the Treasury to continue to borrow to meet the funding needs of the federal government but did not explicitly link decisions about the debt limit to legislation that is expected to increase borrowing needs or debate over specific tax or spending proposal and their effect on debt. We will continue to monitor legislation enacting future debt limit increases to see if it addresses our matter for congressional consideration. As of August 2017 no relevant legislation has been enacted.
    Recommendation: However, if Congress chooses to continue to temporarily suspend the debt limit, it should consider providing Treasury with more flexibility in the level of Treasury's operating cash so that it is based not on the level that it was just prior to a suspension period, but on the federal government's immediate borrowing needs. This would minimize some of the disruptions to Treasury's normal cash management and debt issuance.

    Agency: Congress
    Status: Open

    Comments: The Bipartisan Budget Act of 2015 temporarily suspended the debt limit until March 15, 2017, but did not provide Treasury with more flexibility in the level of Treasury's operating cash at the end of the suspension period. As result, absent future action, Treasury is expected to reduced its cash balance to approximately the level it was at on the date the suspension was enacted as it has following previous debt limit suspensions, regardless of cyclical or other cash management needs. We will continue to monitor legislation enacting future debt limit increases to see if it addresses our matter for congressional consideration. As of August 2017, no relevant legislation has been enacted.
    Director: Dave Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To address risks in the GOES-R program development and to help ensure that the satellite is launched on time, the Secretary of Commerce should direct the NOAA Administrator to address shortfalls in defect management identified in this report, including the lack of clear guidance on defect definitions, what defect metrics should be collected and reported, and how to establish a defect's priority or severity.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with this recommendation. The agency subsequently reported that contractors are required to report defects and that the agency can place a hold or put liens against contractors if defects are not addressed. NOAA also provided documentation to support its recurring meetings at which defects are addressed. Additionally, NOAA provided documentation on its defect reporting requirements and definitions. However, NOAA did not provide documentation showing what defect metrics should be collected and reported, and how to establish a defect's priority or severity. We will continue to monitor the agency's actions on this recommendation.
    Director: Cha, Carol R
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: To improve planning and execution of the next telecommunications transition, the Administrator of General Services, in coordination with the Office of Personnel Management, should examine potential government-wide telecommunications expertise shortfalls and use the study to shape the NS2020 strategic approach.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) has not addressed this recommendation. In June 2014, the agency reported that it had coordinated with OPM to incorporate key objectives in its NS2020 strategy to address and mitigate challenges with regards to government-wide expertise needed to execute the NS2020 program. However, as of May 2017, GSA had not demonstrated that it had studied potential government-wide telecommunications expertise shortfalls or used the study to shape the NS2020 strategic approach.
    Recommendation: To improve planning and execution of the next telecommunications transition, the Administrator of General Services should ensure that the lessons are applied, based on priority and available resources, to the next transition strategy.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration has not implemented this recommendation but has taken steps to address it. In April 2014, the agency developed a strategy for transitioning to the next telecommunications contract vehicle. The strategy described the lessons learned that contributed to the delay in the prior transition and identified approaches the agency planned to take to apply the lessons learned. For example, it identified high level plans for addressing the need for improved management of the complex acquisition process and the need for technical and contracting telecommunications expertise across the government. As of August 2016, GSA had prioritized the lessons learned and considered the resources needed to apply them. However, as of May 2017, the agency had not demonstrated that it had ensured that the lessons were applied, based on priority and available resources, to the next transition strategy. We will continue to monitor GSA's efforts to implement the recommendation.