Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • Results:

    Subject Term: "Contract oversight"

    28 publications with a total of 92 open recommendations including 3 priority recommendations
    Director: Timothy J. DiNapoli
    Phone: (202) 512-4841

    7 open recommendations
    Recommendation: To enhance management attention to closing out contracts, the Secretary of Defense should develop a means for department-wide oversight into components' progress in meeting their goals on closing contracts and the status of contracts eligible for closeout. (Recommendation 1)

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance management attention to closing out contracts, the Secretary of Health and Human Services should develop a means for department-wide oversight into components' progress in meeting their goals on closing contracts and the status of contracts eligible for closeout. (Recommendation 2)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance management attention to closing out contracts, the Secretary of Homeland Security should develop a means, either at the agency or the component level, to track where the contracts are in the closeout process, and establish goals and performance measures for closing contracts. (Recommendation 3)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance management attention to closing out contracts, the Attorney General should direct the Senior Procurement Executive to ensure the development of a means to track data on the number and type of contracts eligible for closeout and where the contracts are in the closeout process, as well as a means to assess--at the agency or component level--progress by establishing goals and performance measures for closing contracts. (Recommendation 4)

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance management attention to closing out contracts, the Secretary of State should develop a means at the agency level to track data on the entirety of the number and type of contracts eligible for closeout, where the contracts are in the closeout process, and establish goals and performance measures for closing contracts. (Recommendation 5)

    Agency: Department of State
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To manage its incurred cost inventory, the Director, DCAA should assess and implement options for reducing the length of time to begin incurred cost audit work and establish related performance measures. (Recommendation 6)

    Agency: Department of Defense: Defense Contract Audit Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To manage its incurred cost inventory, the Director, DCAA should comprehensively assess the use and effect of multi-year audits on both DCAA and contractors and establish related performance measures. (Recommendation 7)

    Agency: Department of Defense: Defense Contract Audit Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Timothy J. DiNapoli
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To help foster strategic decision making and improvements in the acquisition of services, the Under Secretary of Defense for Acquisition, Technology, and Logistics should, as part of its effort to update the January 2016 instruction, reassess the roles, responsibilities, authorities, and organizational placement of key leadership positions, including functional domain experts, senior services managers, and component level leads.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help foster strategic decision making and improvements in the acquisition of services, the Under Secretary of Defense for Acquisition, Technology, and Logistics should, as part of its effort to update the January 2016 instruction, clarify the purpose and timing of the Services Requirements Review Board process to better align it with DOD's programming and budgeting processes.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to take steps needed to ensure that system requirements are defined to align with the business needs of CNCS's future risk-based grants monitoring process (Recommendation 1).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that the system development project schedule identifies in the baseline both planned and actual dates for completing all project-level activities, and can be used to monitor and measure progress of the grant monitoring system project (Recommendation 2).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that test plans are defined and implemented to include the second version of the grant monitoring system in all stages of testing during development, and results of initial stages are approved before conducting subsequent test stages (Recommendation 3).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To more fully address stakeholder concerns and help ensure FirstNet's resources reflect expected changes in responsibilities, FirstNet should assess the long-term staffing needs in the Network Program Office prior to requesting to assume full responsibility from Interior for administering the network contract.

    Agency: Department of Commerce: National Telecommunications and Information Administration: First Responder Network Authority
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To more fully address stakeholder concerns and help ensure FirstNet's resources reflect expected changes in responsibilities, FirstNet should request that the Public Safety Advisory Committee's Tribal Working Group fully explore tribal concerns and propose actions, as needed, to address those concerns.

    Agency: Department of Commerce: National Telecommunications and Information Administration: First Responder Network Authority
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: James Cosgrove
    Phone: (202) 512-7114

    1 open recommendation
    Recommendation: To strengthen CMS's oversight of MA contracts, the Administrator of CMS should review data on disenrollment by health status and the reasons beneficiaries disenroll as part of the agency's routine monitoring efforts.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David C. Trimble
    Phone: (202) 512-3841

    6 open recommendations
    Recommendation: To allow DOE management to effectively monitor invoice reviews and have assurance that this control activity is operating as intended, the Secretary of Energy should establish a DOE-wide invoice review policy that includes requirements for sites to establish well-documented invoice review operating procedures.

    Agency: Department of Energy
    Status: Open

    Comments: DOE stated that it already has an established, detailed DOE-wide invoice review policy provided in DOE's Financial Management Handbook and in the DOE Acquisition Guide, and that they are updating the Financial Management Handbook to include additional procedures to address intra-governmental payment and collection transactions that they believe will allow the recommendation to be closed by September 30, 2017. However, DOE officials with the office of the CFO at DOE headquarters previously told us that they do not have department-wide invoice review policies and procedures, and that CFOs and contracting officials in DOE field offices are responsible to develop their own invoice review policies and procedures. In addition, we reviewed the Financial Management Handbook and the Acquisition Guide and found that these documents do not contain the detail necessary to serve as an invoice review policy. We will continue to review DOE's implementation of this recommendation to determine whether its actions meet the intent of the recommendation.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including creating a structure with a dedicated entity within DOE to design and oversee fraud risk management activities.

    Agency: Department of Energy
    Status: Open

    Comments: DOE considers this recommendation to be closed without corrective action. Instead of establishing a dedicated entity within DOE to design and oversee fraud risk management activities, DOE will rely on the existing Office of Financial Policy and Internal Controls and on the DOE Office of Inspector General (OIG) to design and oversee financial fraud risk management activities. We disagree that reliance on these offices meets best practices because neither office is solely dedicated to designing or overseeing fraud risk management activities. Furthermore, according to the best practices in GAO's Fraud Risk Framework, the dedicated entity should not be the OIG.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including conducting fraud risk assessments that are tailored to each program and use the assessments to develop a fraud risk profile.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the substance of the recommendation; however, they consider the recommendation to be closed without corrective action because its risk assessments meet the requirements of the Improper Payments Elimination and Recovery Improvement Act of 2012, as reported by the Office of Inspector General (OIG), and because it has implemented updates to OMB Circular A-123 that added requirements related to managing fraud risk and adherence to GAO's Fraud Risk Framework. However, we found that DOE has not conducted fraud risk assessments that are tailored to its programs and therefore do not allow the department to create a fraud risk profile. We also found that, although DOE updated its internal control assessment tools with a list of fraud risks as required by OMB Circular A-123, the list of risks was the same for all DOE sites and was not tailored to the sites' different programs.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including developing and documenting an antifraud strategy that describes the programs' approaches for addressing the prioritized fraud risks identified during the fraud risk assessment.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with this recommendation but considers the recommendation closed without corrective action because DOE has implemented the updated OMB Circular A-123 and because DOE's anti-fraud strategy is imbedded in the DOE internal control program. However, DOE officials told us that they have not developed or documented a DOE-wide antifraud strategy or directed individual programs to develop program-specific strategies. Furthermore, DOE's implementation of OMB Circular A-123 included adding a list of potential risks to their internal control assessment tool that were the same for all DOE sites and were not tailored to the sites' different programs.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including designing and implementing specific control activities, including fraud awareness training and data analytics, to prevent and detect fraud and other improper payments.

    Agency: Department of Energy
    Status: Open

    Comments: DOE believes that they are either implementing or have already implemented this recommendation and considers the recommendation closed without additional action. Specifically, DOE stated that the Office of Inspector General (OIG) already provides fraud awareness training and that the OIG provided expanded fraud risk training on June 12, 2017 through a CFO-hosted webinar. However, of the 10 field offices responsible for overseeing contractor costs, none required employees responsible for overseeing contractor costs to attend fraud awareness training.
    Recommendation: To help ensure that necessary data are available to employ data analytics as a tool to perform contractor cost-surveillance activities, the Secretary of Energy should require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government, including (1) cost data that, at a minimum, represent a full data population and (2) the details necessary to determine the nature of each cost transaction, with such identifiers as transaction date, dollar amount, item or service description, and transaction codes to indicate the type of cost represented (e.g., construction materials, property lease, and office supplies).

    Agency: Department of Energy
    Status: Open

    Comments: DOE did not agree to implement this recommendation because they believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. DOE states that they plan to evaluate the merits of government-wide guidance for applying data-analytics to contract costs only if an OMB working group--established as a requirement of the Fraud Reduction and Data Analytics Act of 2015 to promote interagency coordination on fraud reduction and data analytics--requires them to do so. However, the purpose of the working group is to share fraud management best practices. It is not an implementing body and agencies do not need its permission before proceeding with fraud risk reduction efforts.
    Director: David Trimble
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help ensure that NNSA effectively manages the performance of its programs, the Secretary of Energy should establish a program management policy that (1) assigns responsibilities and delegates authority to program managers and establishes expectations of competence for them, in accordance with federal internal control standards, and (2) addresses leading program management practices, such as developing program plans.

    Agency: Department of Energy
    Status: Open

    Comments: As of January 2017, DOE stated that it will address our recommendation as part of its effort to meet the requirements of the Program Management Improvement Accountability Act of 2016. This Act requires the Office of Management and Budget (OMB) to adopt government-wide standards, policies, and guidelines for program and project management for agencies. It also requires agencies to appoint program management improvement officers, establishes training competencies for program managers, and creates a job series and career path for program managers. According to the Act, OMB will issue the standards, policies, and guidelines required under the Act no later than December 14, 2017.
    Recommendation: To help ensure that NNSA develops and maintains a cadre of professional, effective, and capable program managers in accordance with leading program management practices and federal internal control standards, the Secretary of Energy should establish a training program for program managers.

    Agency: Department of Energy
    Status: Open

    Comments: As of January 2017, DOE stated that it will address our recommendation as part of its effort to meet the requirements of the Program Management Improvement Accountability Act of 2016. This Act requires the Office of Management and Budget (OMB) to adopt government-wide standards, policies, and guidelines for program and project management for agencies. It also requires agencies to appoint program management improvement officers, establishes training competencies for program managers, and creates a job series and career path for program managers. According to the Act, OMB will issue the standards, policies, and guidelines required under the Act no later than December 14, 2017.
    Director: Beryl H. Davis
    Phone: (202) 512-2623

    2 open recommendations
    Recommendation: To provide increased oversight of AOC and to keep the Architect and the Congress fully and currently informed, the AOC OIG should revise and implement policies and procedures to provide audit reports that are based on planning that includes an assessment of risk and the assignment of priorities, consistent with requirements in CIGIE's Quality Standards for Federal Offices of Inspector General.

    Agency: Architect of the Capitol
    Status: Open

    Comments: The AOC OIG has met the intent of the GAO recommendation related to "revising" policies and procedures. We have verified that AOC OIG's policies (dated February 2017) have been revised and now require an assessment of risk and the assignment of priorities, consistent with requirements in CIGIE's Quality Standards for Federal Offices of Inspector General. However, we do not believe AOC OIG has met the intent of the GAO recommendation related to "implementing" policies and procedures. In June 2017, the AOC OIG informed us that it plans to complete a risk assessment in August 2017 and use the results from the risk assessment to aid in developing the AOC OIG fiscal year 2018 audit plan, which AOC OIG plans to complete by October 1, 2017. To fully implement the recommendation, we believe AOC OIG still needs to (1) complete the risk assessment and (2) show how it used the results of the risk assessment to improve the scope of what needs to be audited. We will continue to monitor AOC OIG's actions to address this recommendation.
    Recommendation: To reduce the risk that fraud, waste, and abuse and criminal activities are not detected or fully addressed, the AOC OIG should (1) work with CIGIE to obtain a peer review from another federal OIG of the AOC OIG's overall investigative operations, including consideration of the OIG's reliance on investigations performed by other entities, and (2) make any needed changes in its operating procedures based on the results of the review to help ensure that investigations of AOC are conducted in accordance with CIGIE standards for investigations and AOC Inspector General Act of 1978 (IG Act) requirements.

    Agency: Architect of the Capitol
    Status: Open

    Comments: On April 27, 2017, the OIG informed us that it has scheduled with CIGIE an external peer review of AOC investigative operations. The Federal Housing Finance Agency OIG is scheduled to perform this review in August 2017. This external review will also include assessing the AOC OIG's reliance on other OIGs and the U.S. Capitol Police to complete certain investigations. Further, AOC OIG indicated that after they receive the results of this peer review, they will make needed changes in operating procedures consistent with the GAO recommendation. We will continue to monitor AOC OIG's actions to address this recommendation.
    Director: Elizabeth Curda
    Phone: (202) 512-7114

    1 open recommendation
    including 1 priority recommendation
    Recommendation: In order to ensure that veterans receive quality care from qualified physicians, the Secretary of Veterans Affairs should direct the Under Secretary for Health to develop and implement a comprehensive oversight strategy that includes ongoing monitoring and evaluations of the contractors' verification of PC3 and Choice physicians' credentials, as well as VHA staff's review of Choice physicians. VHA's oversight should include reviewing documentation and assessing whether the contractors' plans for improving their processes for Choice credentials verification are effective.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: In June and July 2017, the Veterans Health Administration (VHA) completed separate audit evaluations of both contractors' verification of Patient-Centered Community Care (PC3) and Choice physicians' credentials. This supplements the ongoing monitoring that VHA already had in place for routinely and independently checking the credentials for a sample of PC3 and Choice providers. However, as of October 2017, VHA has not yet implemented a strategy to oversee VHA staff's review of Choice physicians through the VHA Choice Provider Agreement program.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    22 open recommendations
    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. Instead, we are reviewing the relevant OMB memoranda that officials believe address the intent of the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with the FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with the recommendation, stating that the department's policy documents are expected to be updated by the end of the 4th Quarter in 2017. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) did not concur with our recommendation, nor has it provided evidence that it has implemented the recommendations.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning, implementing, evaluating, and documenting remedial actions.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain Departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of State
    Status: Open

    Comments: The Department of State (State) concurred with this recommendation. We are currently reviewing the evidence provided by State to determine whether the role of the CISO has been defined in its policy for ensuring that State has procedures for incident detection, response, and reporting.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy for ensuring that subordinate security plans are documented for the agency's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to ensure recovery and continued operations of the agency's information systems in the event of a disruption.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in agency policy for the periodic authorization of the department's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. We are currently reviewing the evidence provided by NASA to determine whether the role of the SAISO has been defined in agency policy for oversight of security for information systems that are operated by contractors on NASA's behalf.
    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration (SBA) concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Williamson, Randall B
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To develop and maintain medical sharing expertise within the network contracting offices, the Secretary of Veterans Affairs should direct the Under Secretary for Health to create a plan for increasing the retention of contracting officers that work in medical sharing teams.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In March 2017, VHA reported that it is working on creating a plan for increasing the retention of contracting officers that work in medical sharing teams. The Medical Sharing Office (MSO) has taken several steps, including conducting research on possible ways to minimize or eliminate steps within its existing plan and expanding the number of topical training provided virtually to network contracting offices to develop competency in VHA Health Care 1102 staff. In addition, VHA reported that it is developing a training schedule to ensure newly deployed interns have received the training and resources to successfully conduct health care contracts if they are assigned to a health care resources team, and that it is continuing to collaborate with the field to ensure awareness of MSO support and assistance.
    Recommendation: To ensure VHA effectively communicates with its affiliates regarding SSACs, the Secretary of Veterans Affairs should direct the Under Secretary for Health to reach out to all of its affiliates, identify any concerns, and determine the most effective method of communicating with affiliates regarding SSAC development.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In March 2017, the VHA reported that it plans to have an Academic Affiliate Contracting Forum on August 15-16, 2017 in Nashville, TN or Dallas, TX for VHA staff responsible for health care contracts and University affiliates. The purpose of the Forum is to strengthen and advance the collaborative partnership for providing service to Veterans; share perspectives; and enhance awareness about processes, procedures and tools that will help make contracting processes faster and easier for all parties.
    Director: Seto Bagdoyan
    Phone: (202) 512-6722

    2 open recommendations
    Recommendation: The Administrator of SBA should direct the Associate Administrator of Business Development to document its planned method for tracking revenue generated under subsidiaries' primary and secondary lines of business, with milestones and timelines for when and how the method will be implemented.

    Agency: Small Business Administration
    Status: Open

    Comments: GAO is reviewing documentation that SBA provided regarding actions that it has taken to address this recommendation and is currently determining whether these actions fully address the recommendation.
    Recommendation: The Administrator of SBA should direct the Associate Administrator of Business Development to provide the appropriate level of access to and sharing of relevant subsidiary data across district offices, including primary and secondary North American Industry Classification System codes and revenue data, once SBA develops a database with the capabilities of collecting and tracking this revenue data as we recommended in 2012.

    Agency: Small Business Administration
    Status: Open

    Comments: GAO is reviewing documentation that SBA provided regarding actions that it has taken to address this recommendation and is currently determining whether these actions fully address the recommendation.
    Director: Melissa Emrey-Arras
    Phone: (617) 788-0534

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To strengthen management of the Direct Loan Program and ensure good customer service for borrowers, the Secretary of Education should direct the Office of Federal Student Aid's Chief Operating Officer to review its methods of providing instructions and guidance to servicers, identifying areas to improve clarity and sufficiency, and ensure consistent delivery of instructions and guidance to ensure program integrity and improve service to borrowers. For example, the Department could consider implementing a detailed, common servicing manual for the Direct Loan program.

    Agency: Department of Education
    Status: Open
    Priority recommendation

    Comments: The Department of Education agreed with this recommendation and has reviewed its guidance to servicers, as of October 2016. It has issued clarifications to servicers in several areas. In addition, the Department had been in the process of an acquisition for a new loan servicing solution but, as of September 2017, is reassessing its acquisition strategy. While the plan for the revised acquisition is not finalized, FSA expects its approach to significantly streamline the process of communicating instructions and guidance to servicers, as well as improve the overall experience for students and borrowers. Upon resolution of its acquisition strategy, Education needs to demonstrate that its final contract for a new loan servicing solution is structured to provide clear and consistent instructions and guidance to servicers to ensure program integrity and improve service to borrowers.
    Director: Michele Mackin
    Phone: (202) 512-4841

    3 open recommendations
    Recommendation: To improve coordination and communication between FEMA OCPO and region mission support officials, the FEMA Administrator should establish a plan to ensure that the agreement is reviewed on an annual basis as intended.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: In commenting on this report, DHS concurred with this recommendation. According to FEMA officials, the Office of Procurement Operations has since formed a team that will address this recommendation. We will provide updated information as it becomes available.
    Recommendation: To improve coordination and communication between FEMA Office of the Chief Procurement Officer (OCPO) and region mission support officials, the FEMA Administrator should direct OCPO and the regional administrators to revisit the 2011 service level agreement to: add details about the extent of operational control headquarters and regional supervisors should exercise to minimize potential competing interests experienced by regional contracting officers; further detail headquarters and regional supervisors' roles and responsibilities for managing regional contracting officers to improve coordination and communication; and ensure that the agreement reflects any new requirements, including recent changes in training that may require travel funds.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: In commenting on this report, DHS concurred with this recommendation. According to FEMA officials, the Office of Procurement Operations has since formed a team that will address this recommendation. We will provide updated information as it becomes available.
    Recommendation: To address PKEMRA, the Secretary of Homeland Security should take action to address the requirements of Section 692 to implement subcontractor limitations or request that Congress amend the law to delete Section 692.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In 2016, DHS took steps to ask Congress to repeal PKEMRA Section 692, which prohibits the use of subcontracts for more than 65 percent of the cost of cost-reimbursement type contracts that exceed the simplified acquisition threshold. DHS submitted a legislative change proposal to the Office of Management and Budget (OMB), who approves such proposals before they are submitted to Congress. OMB approved the proposed change for PKEMRA Section 692 in April 2016. We will provide additional updates as information becomes available.
    Director: William T. Woods
    Phone: (202) 512-4841

    3 open recommendations
    Recommendation: To ensure consistent implementation of the Buy Indian Act procurement authority across the agencies and to enhance oversight of implementation of the Act at regional offices, the Secretaries of the Interior and Health and Human Services should direct the Bureau of Indian Affairs and Indian Health Service respectively, to clarify and codify their policies related to the priority for use of the Buy Indian Act, including whether the Buy Indian Act should be used before other set-aside programs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) has made progress towards addressing this recommendation. The Indian Health Service (IHS) is currently working on efforts to revise the Acquisition Management section of the Indian Health Manual to clarify and codify policies related to the priority for use of the Buy Indian Act. IHS plans for the revision to include implementation and reporting mechanisms for contracts awarded under the Buy Indian Act. HHS reported that IHS plans to issue new policy guidance relating to the Buy Indian Act and how it is to be implemented and prioritized in conjunction with other set asides.
    Recommendation: To ensure consistent implementation of the Buy Indian Act procurement authority across the agencies and to enhance oversight of implementation of the Act at regional offices, the Secretaries of the Interior and Health and Human Services should direct the Bureau of Indian Affairs and Indian Health Service respectively, to collect data on regional offices' implementation of key requirements, such as challenges to self-certification.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: Officials at the Department of Health and Human Services' Indian Health Service (IHS) told us they plan to continue oversight to ensure that contractors comply with key requirements such as (1) maintaining the proportion of Indian ownership, (2) not subcontracting more than half the work to other than Indian firms, and (3) providing a preference to Indians in employment, training, and subcontracting. However, as of July 2017, IHS had not provided evidence that they were collecting data on regional offices' implementation of these key requirements. IHS officials told us they plan to incorporate Buy Indian Act policy language and clauses into all contracts and track Buy Indian award actions and obligations. IHS officials also stated they will ensure that the contracting officer authenticates an Indian Economic Enterprise's categorization/credentials, before award and throughout the contract period.
    Recommendation: To ensure consistent implementation of the Buy Indian Act procurement authority across the agencies and to enhance oversight of implementation of the Act at regional offices, the Secretaries of the Interior and Health and Human Services should direct the Bureau of Indian Affairs and Indian Health Service respectively, to include Buy Indian Act contracts as a part of their regular procurement review process.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: Department of Health and Human Services officials told us initial on-site communications to raise awareness of the Buy Indian Act were included in the fiscal year 2017 Indian Health Service (IHS) Procurement Management Reviews (PMR) being conducted at all area offices. Starting in the fall of 2017, IHS plans to develop webinar training sessions to ensure that a large, diverse audience of contracting and management officials have access to the training. IHS will also incorporate the Buy Indian Act Policy into the established annual procurement management reviews beginning in fiscal year 2018 to ensure compliance.
    Director: Frank Rusco
    Phone: (202) 512-3841

    10 open recommendations
    Recommendation: To help agencies more consistently perform their oversight responsibilities and oversee contractors' measurement and verification activities, the Secretary of Energy should direct FEMP to monitor agencies' oversight of ESPC projects that agencies have awarded using the DOE contract vehicle, including whether agencies witnessed the contractors' measurement and verification activities and reviewed and certified acceptance of the measurement and verification report.

    Agency: Department of Energy
    Status: Open

    Comments: As of September 2017, DOE officials said that DOE had implemented process improvements to monitor agency annual measurement and verification (M&V) witnessing and annual M&V report review. After we confirm implementation of these actions, we will close the recommendation.
    Recommendation: To help ensure that agencies have sufficient information on the effects of changing circumstances on the performance of their ESPC portfolios, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should establish a process to systematically evaluate their ESPC projects--including baseline assumptions about facilities' energy use, utility prices, and interest rates--to determine how their ESPC portfolios are performing and the extent to which they are achieving expected savings. Agencies could consider conducting such evaluations either after a certain number of years, or in response to events, such as changes in utility prices or market interest rates, or appropriations becoming available that could be used for modifications or terminations.

    Agency: Department of Defense
    Status: Open

    Comments: In its fiscal year 2017 update on the status of implementing the recommendations for this report, a DOD official said that DOD is developing methodologies to enable the assessment of energy savings performance contracts' (ESPC) expected savings and long-term viability. DOD expects to produce a best practices guide by May 2018.
    Recommendation: To help ensure that agencies have sufficient information on the effects of changing circumstances on the performance of their ESPC portfolios, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should establish a process to systematically evaluate their ESPC projects--including baseline assumptions about facilities' energy use, utility prices, and interest rates--to determine how their ESPC portfolios are performing and the extent to which they are achieving expected savings. Agencies could consider conducting such evaluations either after a certain number of years, or in response to events, such as changes in utility prices or market interest rates, or appropriations becoming available that could be used for modifications or terminations.

    Agency: Department of Energy
    Status: Open

    Comments: As of September 2017, DOE planned to develop a draft policy for the periodic review of its ESPC portfolio, but had not yet done so. According to DOE officials, they plan to complete the draft policy in early 2018.
    Recommendation: To help ensure that agencies have sufficient information on the effects of changing circumstances on the performance of their ESPC portfolios, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should establish a process to systematically evaluate their ESPC projects--including baseline assumptions about facilities' energy use, utility prices, and interest rates--to determine how their ESPC portfolios are performing and the extent to which they are achieving expected savings. Agencies could consider conducting such evaluations either after a certain number of years, or in response to events, such as changes in utility prices or market interest rates, or appropriations becoming available that could be used for modifications or terminations.

    Agency: Department of Justice
    Status: Open

    Comments: In comments on a draft of this report, the Department of Justice agreed with the recommendation. As of December 2016, we were working with Department of Justice officials to confirm the status of their actions to implement the recommendation.
    Recommendation: To help ensure that agencies have sufficient information on the effects of changing circumstances on the performance of their ESPC portfolios, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should establish a process to systematically evaluate their ESPC projects--including baseline assumptions about facilities' energy use, utility prices, and interest rates--to determine how their ESPC portfolios are performing and the extent to which they are achieving expected savings. Agencies could consider conducting such evaluations either after a certain number of years, or in response to events, such as changes in utility prices or market interest rates, or appropriations becoming available that could be used for modifications or terminations.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on a draft of this report, the Department of Veterans Affairs agreed with the recommendation. As of December 2016, we were working with Department of Veterans Affairs officials to confirm the status of their actions to implement the recommendation.
    Recommendation: To help ensure that agencies have sufficient information on the effects of changing circumstances on the performance of their ESPC portfolios, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should establish a process to systematically evaluate their ESPC projects--including baseline assumptions about facilities' energy use, utility prices, and interest rates--to determine how their ESPC portfolios are performing and the extent to which they are achieving expected savings. Agencies could consider conducting such evaluations either after a certain number of years, or in response to events, such as changes in utility prices or market interest rates, or appropriations becoming available that could be used for modifications or terminations.

    Agency: General Services Administration
    Status: Open

    Comments: In comments on a draft of this report, GSA agreed with the recommendation. As of December 2016, we were working with GSA officials to confirm the status of their actions to implement the recommendation.
    Recommendation: To help agencies decide whether to use ESPCs to consolidate federal data centers, the Director of the Office of Management and Budget should document, for the purposes of scoring ESPCs, (1) what qualifies as energy-related savings and (2) the allowable proportion of energy and energy-related cost savings.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB did not comment on its plans to implement this recommendation in its review of a draft of the report and, as of December 2016, had not provided us with requested information on its actions to implement this recommendation. We will continue to follow-up on the status of this recommendation.
    Recommendation: To help ensure that agencies have sufficient information on ESPC performance to oversee whether future and current contracts are achieving their expected savings, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should work with contractors to determine the best way to obtain estimates of cost and energy savings that are not achieved because of agency actions in order to include these estimates in future measurement and verification reports for existing contracts, in accordance with DOE guidance, and where economically feasible.

    Agency: Department of Justice
    Status: Open

    Comments: In comments on a draft of this report, the Department of Justice agreed with the recommendation. As of December 2016, we were working with Department of Justice officials to confirm the status of their actions to implement the recommendation.
    Recommendation: To help ensure that agencies have sufficient information on ESPC performance to oversee whether future and current contracts are achieving their expected savings, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should work with contractors to determine the best way to obtain estimates of cost and energy savings that are not achieved because of agency actions in order to include these estimates in future measurement and verification reports for existing contracts, in accordance with DOE guidance, and where economically feasible.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on a draft of this report, the Department of Veterans Affairs did not agree with the recommendation, but suggested changes, which we incorporated. As of December 2016, we were working with Department of Veterans Affairs officials to confirm the status of their actions to implement the recommendation.
    Recommendation: To help ensure that agencies have sufficient information on ESPC performance to oversee whether future and current contracts are achieving their expected savings, the Secretaries of Defense, Energy, and Veterans Affairs; the Attorney General; and the Administrator of the General Services Administration should work with contractors to determine the best way to obtain estimates of cost and energy savings that are not achieved because of agency actions in order to include these estimates in future measurement and verification reports for existing contracts, in accordance with DOE guidance, and where economically feasible.

    Agency: General Services Administration
    Status: Open

    Comments: In comments on a draft of this report, GSA agreed with the recommendation. As of December 2016, we were working with GSA officials to confirm the status of their actions to implement the recommendation.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To better understand attributable costs for individual Parcel Select NSAs, the Postmaster General should direct the appropriate staff to identify and implement cost-effective methods, such as using a sample, to collect and study information on the costs of delivering Parcel Select packages of varying characteristics in order to develop contract-specific attributable cost estimates.

    Agency: United States Postal Service
    Status: Open

    Comments: USPS developed analysis in response to this recommendation by using a proxy for package dimension rather than a sample of customer-specific dimension data, as GAO recommended. The assumptions used in the methodology by USPS result in only minor cost differences regardless of the dimension or weight of packages shipped under individual Parcel Select NSAs. As of June 13, 2017, this recommendation remains open pending additional discussions with USPS about its methodology and results.
    Director: David C. Trimble
    Phone: (202) 512-3841

    5 open recommendations
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and direct field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal year 2015 and 2016 improper payments guidance. The revised guidance directs field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites. The guidance further requires each site Chief Financial Officer to certify to the accuracy of improper payments and risk rating. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify how payment sites are to address risk factors and document the basis for their risk rating determinations and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal years 2015 and 2016 improper payments guidance requiring sites to prepare risk assessments using a new risk assessment format. The guidance states that the new format was developed to improve consistency among the sites and improve documentation supporting the risk ratings. In the new format, each risk factor includes a description of the risk factor, rating criteria and/or questions to consider during the evaluation to assist sites in determining a risk rating by payment type. The guidance also requires all sites to maintain supporting documentation for their risk assessment. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify who is responsible at DOE for reviewing and approving risk assessments for consistency across sites and take steps to ensure those entities implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal years 2015 and 2016 improper payments guidance to require site Chief Financial Officers and the Director of Risk Management of the Loan Programs Office to provide a signed certification to DOE's Director of the Office of Finance and Accounting certifying to the accuracy of improper payments and the risk assessment and rating submitted. The guidance provides templates for these certifications. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and provide specific examples of other risk factors that present inherent risks likely to contribute to significant improper payments, in addition to the eight risk factors, direct payment sites to consider those when performing their improper payment risk assessments, and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal year 2015 and 2016 improper payments guidance. In addition to the required OMB risk factors, the guidance added the following additional risk factors to be included in the risk assessments: (1) contractor payment processing oversight and (2) segregation of duties. The guidance states these factors have been added to ensure that inherently high-risk areas that can contribute to a site's susceptibility to significant improper payments are properly evaluated. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To provide better transparency regarding its total known improper payments reported under IPERA, the Secretary of Energy should direct the department's Chief Financial Officer to improve public reporting on the amount of total known improper payments by disclosing additional information regarding this amount and the extent to which improper payments could be occurring.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had added supplemental information to its fiscal year 2016 Agency Financial Report. We will continue to gather additional information from DOE to determine the extent to which this information addresses the amount of total known improper payments.
    Director: Kathleen M. King
    Phone: (202) 512-7114

    1 open recommendation
    including 1 priority recommendation
    Recommendation: In order to improve the efficiency and effectiveness of Medicare postpayment claims review efforts and simplify compliance for providers, the Administrator of CMS should monitor the Recovery Audit Data Warehouse to ensure that all postpayment review contractors are submitting required data and that the data the database contains are accurate and complete.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open
    Priority recommendation

    Comments: As of March 2017, CMS had taken initial steps to monitor the Recovery Audit Data Warehouse, including implementing a new process to monitor monthly compliance reports on the data that contractors enter into the Warehouse. However, CMS noted that as it is in the beginning stages of implementing these compliance reports, it does not currently verify that contractors upload all of the records that they reviewed, nor does it assess the accuracy of the records they entered into the Warehouse. Also, CMS indicated that it does not currently monitor whether certain contractors "suppress" claims in the Warehouse that those contractors are considering for review as part of an investigation. CMS said it was considering additional options for future monitoring of compliance reports, but did not indicate when it would determine what additional steps to take. To close this recommendation, CMS should take additional steps to improve its oversight of the Recovery Audit Data Warehouse, such as verifying that contractors upload all of the records that they reviewed and taking steps to assess the accuracy of the records they uploaded.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To improve the management and oversight of FPS's contract guard program, the Secretary of Homeland Security should direct the Under Secretary of National Protection and Programs Directorate (NPPD) and the Director of FPS to take immediate steps to determine which guards have not had screener or active-shooter scenario training and provide it to them and, as part of developing a national lesson plan, decide how and how often these trainings will be provided in the future.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS has indicated that it plans to implement this recommendation through its implementation of a training management system. FPS anticipates beginning implementation of this system in early 2018 and completing implementation by August 2018. GAO will continue to work with FPS to determine whether this recommendation has been implemented.
    Recommendation: To improve the management and oversight of FPS's contract guard program, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to require that contract guard companies' instructors be certified to teach basic and refresher training courses to guards and evaluate whether a standardized instructor certification process should be implemented.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS has indicated that it is currently assessing options for implementing a national lesson plan for guard training that addresses this recommendation. GAO will continue to work with FPS to determine whether this recommendation has been implemented.
    Director: Woods, William T
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To ensure that DOD organizations fully comply with interagency acquisition regulations, the Secretary of Defense should direct the Office of Defense Procurement and Acquisition Policy, as part of its ongoing interagency acquisition policy review, to ensure that its acquisition regulations, policies, and guidance on interagency contracting are updated to reflect new Federal Acquisition Regulation (FAR) rules, including those related to a best procurement approach determination.

    Agency: Department of Defense
    Status: Open

    Comments: In September 2014, DOD revised its acquisition regulations to incorporate additional guidance to ensure awareness of the total cost of interagency acquisitions, including fees, as part of making a determination that use of another agency's contract is in the best interest of DOD. However, DOD's regulations and guidance still do not reflect all of the factors described in the FAR which should be considered in making these determinations. In particular, DOD's regulations still do not mention assessing whether the requesting agency has the expertise to place orders and administer them against the selected contract vehicle throughout the acquisition lifecycle. In September 2017, DOD policy officials drafted new guidance to ensure that contracting officers document these factors, but this draft guidance is in the process of being reviewed and is not yet final.
    Director: Hutton, John P
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To better focus agencies' efforts to manage the risks related to professional and management support service contracts, the Director of OMB, through the Office of Federal Procurement Policy (OFPP), should establish a near-term deadline for agencies to develop internal procedures required by OFPP Policy Letter 11-01, including for services that closely support inherently governmental functions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In providing comments on our report, OFPP generally agreed with this recommendation. During follow-up discussions, OFPP agreed to provide additional information to confirm the actions they have taken to address the recommendation. However, we have yet to receive this information. We will continue to follow this recommendation and provide updated information when available.
    Recommendation: To ensure that the risks of professional and management support service contracts are more fully considered and addressed, the Director of OMB, through the Office of Federal Procurement Policy, should include contracts coded in the Federal Procurement Data System - Next Generation (FPDS-NG) as Other Professional Services and Other Management Support Services in the cost savings initiative for management support services and planned service contract inventory guidance to agencies for conducting analysis of special interest functions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In providing comments on our report, OFPP generally agreed with this recommendation. We have had discussions with OFPP and they agreed to provide additional information on the actions taken to address the recommendation. However, we have yet to receive this information. We will continue to follow this recommendation and provide updated information when available.
    Director: St James, Lorelei
    Phone: (214) 777-5719

    1 open recommendation
    Recommendation: To know whether its data on committed spending can be relied on to determine state DOTs' progress in meeting goals, to enhance FHWA's ability to know whether state DOTs meet their DBE goals, and to help increase transparency in the reporting of spending on DBEs, the Secretary of Transportation should direct the FHWA Administrator, in the information it provides to decision makers, including Congress, to include statements about potential limitations of the data it uses to determine state DOTs' progress towards goals.

    Agency: Department of Transportation
    Status: Open

    Comments: An official from the Department of Transportation said that the agency expects the recommendation to be met with a final rule regarding disadvantaged business enterprises, which will be signed by the Secretary of the Department of Transportation by the end of the calendar year.
    Director: Mackin, Michele
    Phone: (202) 512-7773

    1 open recommendation
    Recommendation: To capitalize on the increase in knowledge gained by creating new baselines for Deepwater assets, and to better manage acquisitions of further assets and capabilities, the Commandant of the Coast Guard should complete, and present to Congress, a comprehensive review of the Deepwater Program that clarifies the overall cost, schedule, quantities, and mix of assets that are needed to meet mission needs and what trade-offs need to be made considering fiscal constraints, given that the currently approved Deepwater baseline is no longer feasible.

    Agency: Department of Homeland Security: United States Coast Guard
    Status: Open

    Comments: In providing comments on this report, the agency concurred with this recommendation but has not yet taken actions necessary to implement it. Since this report, DHS and the Coast Guard have each completed studies examining the mix of assets that composed the Deepwater Program. To date, the Coast Guard has not yet provided the Congress with a comprehensive review that clarifies the program's cost, schedule, quantities, and mix of assets or takes into account the Coast Guard's needs and available resources and makes recommendations about what trade-offs may be necessary. In 2015, we found that the Coast Guard is currently conducting a fleet-wide analysis, including surface, aviation, and information technology, intended to be a fundamental reassessment of the capabilities and mix of assets the Coast Guard needs to fulfill its missions. The Coast Guard is undertaking this effort consistent with direction from Congress. Specifically, the Coast Guard plans first to rewrite its mission needs statement and concept of operations by 2016. Then, it will use a complex model to develop the full fleet mix study. Based on this, the Coast Guard plans to recommend a set of assets that best meets these needs in terms of capability and cost. The Coast Guard plans to complete the full study in time to inform the fiscal year 2019 budget, though specific dates for these events have not been set forth. As of July 2016, the Coast Guard informed GAO that the modeling is complete and the CONOPS report is being developed with a target date of September 30 for completion.
    Director: Mackin, Michele
    Phone: (202) 512-7773

    1 open recommendation
    Recommendation: The Administrator of the Office of Federal Procurement Policy should direct agencies to require their competition advocates to actively involve program offices in highlighting opportunities to increase competition.

    Agency: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy
    Status: Open

    Comments: In July 2017, Office of Federal Procurement Policy (OFPP) officials confirmed that they do not plan to issue guidance on increasing the role of program officials in promoting competition, but stated that they have engaged with the Chief Acquisition Officers Council regarding the issue, and reminded them of GAO's 2010 findings. In addition, OMB officials noted that they have developed agency-level benchmarks to better measure competition that are specifically focused on reducing financial risk to the government and on the level of competition where only one offer is received.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it had substantially completed its corrective actions to address 19 penalty programming issues it had identified from its internal assessment of penalty computation programs. However, as of September 30, 2016, IRS had not provided us with supporting documentation to validate that it completed the corrective actions. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Director: Aronovitz, Leslie G
    Phone: (312) 220-7767

    1 open recommendation
    Recommendation: The Administrator of CMS should require the PSCs to develop thresholds for unexplained increases in billing--and use them to develop automated prepayment controls as one component of their manual medical review strategies.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: Despite progress in identifying potentially improper groups of claims by provider, CMS has not developed thresholds for unexplained increases in billing by providers and used them to develop automated prepayment controls, as GAO recommended in January 2007. CMS took action in July 2011 to improve Medicare payment accuracy by introducing predictive analytics to help identify patterns of potentially improper claims and has some other prepayment controls in place. Specifically, the Small Business Jobs Act of 2010 requires CMS to use predictive modeling and other analytic techniques--known as predictive analytic technologies--to identify improper claims and prevent improper payments under the Medicare fee-for-service program. CMS is streaming every Medicare fee-for-service claim through a predictive modeling technology system, known as the Fraud Prevention System (FPS), prior to payment. The FPS uses a series of algorithms to identify potentially fraudulent claims. As each claim streams through the FPS, the system builds profiles of providers, networks, and billing patterns. Using these profiles, CMS estimates a claim's likelihood of being fraudulent and prioritizes providers with the most suspicious groups of claims for further investigation. CMS also has other prepayment controls in place, for example, to identify duplicate billing. As of December 2015, CMS did have algorithms in FPS to flag providers with unexpected increases in billings for investigation. CMS also instituted prepayment controls that can deny a claim before payment; however, these controls are related to Medicare coverage requirements and do not address the issue of large increases in provider billing. Prepayment controls can suspend claims processing or deny claims before claims are paid, which would provide a greater assurance that Medicare funds are not going to potentially fraudulent providers.
As of August 2016, HHS officials reported that they have not implemented this recommendation. GAO considers it to be open. We will update the status of this recommendation when we receive additional information.