Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Control systems"

    7 publications with a total of 26 open recommendations
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition, Technology, and Logistics, as part of M-code receiver card acquisition planning, assign an organization with responsibility for systematically collecting integration test data, lessons learned, and design solutions and making them available to all programs expected to integrate M-code receiver cards.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kirschbaum, Joseph W
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is currently conducting an analysis of all mission functions to include the following goals: simplify the descriptions of NCCIC's mission functions, document all NCCIC functional capabilities, document the applicability of implementing principles to NCCIC mission functions, and map as appropriate. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that they were still in the process completing mission functional analysis described in DHS's response to Recommendation 1, which would serve as the basis of developing metrics. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is updating existing policies and procedures for program management reviews (PMR) to include the metrics developed in recommendation two. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the NCCIC updated guidelines for incident reporting would be completed in May 2017. In addition, according to DHS, incident management system requirements were updated to support the new guidelines and are scheduled to be implemented in June 2017. DHS stated that these steps will enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which the NCCIC Watch Operations uses to help facilitate the timely, actionable, and relevant dissemination of information to leadership. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. As of August 2017, DHS has not provided evidence that the new guidelines have been implemented. However, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC had completed initial mapping of information flows, as well as the roles and responsibilities for the incident management function. A plan to integrate or consolidate disparate incident reporting systems is scheduled to be completed in December 2017. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NPPD is gathering the requirements for a customer relationship management (CRM) tool that will support regular reviews and updates to customer information. Additionally, DHS stated that NCCIC will establish and implement a standing operating procedure for capturing and regularly updating prioritized customer information including contact information in the event of an incident. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Office of Cybersecurity and Communications is establishing integrated customer engagement activities that support cyber risk mitigation and incident response planning. In addition, NCCIC will develop standing operating procedures that leverage existing information sharing programs, activities and relationships to tailor engagements that support owners and operators of the most critical cyber-dependent infrastructure assets including designated lifeline sectors. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Assistant Secretary of Office of Cybersecurity and Communications (CS&C) had consolidated the Enterprise Architecture role within the Office of the Chief Technology Officer (CTO). Working across CS&C, the CTO will establish a technology roadmap, to include consolidation of networks. In addition, NCCIC is working to determine the potential impact of network consolidation on mission functions, including mapping current data sources. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the potential reduction in sharing cybersecurity products that may result from migrating the NCCIC Portal to HSIN should be minimal. Contingency information sharing plans will be developed to mitigate potential issues through alternate information sharing practices, particularly involving an actual incident during migration transition. Foreign partnerships will continued to be maintained by exercises, analytic exchanges with our closest partners, and continued participation in multilateral and bilateral engagements. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Director: Chris Currie
    Phone: (404) 679-1875

    5 open recommendations
    Recommendation: To enhance accountability for key risk-management activities and facilitate coordination with federal and industry stakeholders regarding electromagnetic risks, the Secretary of Homeland Security should designate roles and responsibilities within the department for addressing electromagnetic risks and communicate these to federal and industry partners.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the Cyber, Infrastructure and Resilience (CIR) Policy Office within the DHS Office of Policy is working with DHS components to identify and articulate the roles of the National Protection and Programs Directorate, Federal Emergency Management Agency, Science and Technology Directorate, and others regarding to address electromagnetic risks. As part of this effort, CIR is to coordinate the development of a joint roles and responsibilities document to be communicated through existing partnership structures with internal and external entities.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the National Protection and Programs Directorate (NPPD) will increase collaborative outreach activities with FERC staff that will include a review of identified critical substations developed by FERC. The intended outcome of this review is to inform DHS activities regarding identification and prioritization of critical infrastructure assets for use during steady state and response activities. NPPD is also to inform FERC of its criticality modeling capabilities through the National Infrastructure Simulation and Analysis Center (NISAC) to enhance engagement with FERC's electric power subject matter expertise and inform future capability developments regarding response to and recovery from events such as electromagnetic pulse.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Energy
    Status: Open

    Comments: In June 2016, DOE provided an update (60-day letter) reiterating their intent to continue with actions identified previously to address the GAO recommendation, namely that the Office of Electricity Delivery and Energy Reliability was to review the Federal Energy Regulatory Commission's electrical infrastructure analysis, and subsequently engage with FERC and DHS to identify if any additional elements of criticality should be considered.
    Recommendation: To enhance federal efforts to assess electromagnetic risks and help determine protection priorities, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate and the Assistant Secretary for the IP to work with other federal and industry partners to collect and analyze key inputs on threat, vulnerability, and consequence related to electromagnetic risks--potentially to include collecting additional information from DOD sources and leveraging existing assessment programs such as the Infrastructure Survey Tool, Regional Resiliency Assessment Program, and DCIP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update, DHS reported that the department had completed the planned refresh of the Strategic National Risk Assessment, which was intended to incorporate potential impacts to the power system from electromagnetic events. In addition, DHS reported that the Electricity Sub-sector Coordinating Council created an Electromagnetic pulse (EMP) task force, which met in April 2016 and is currently working to develop a joint industry and government approach to address EMP. It was further noted that DHS and DOE initiated a joint study on the effects of EMP on the electric power sector - led by Los Alamos National Laboratory and the National Infrastructure Simulation and Analysis Center (NISAC) - to analyze the hazard environments, impacts, and consequences of EMP and GMD on U.S. electric power infrastructure. In addition, DHS noted their support of a new effort by the Electric Power Research Institute and 39 industry partners to further study EMP vulnerabilities.
    Recommendation: To facilitate federal and industry efforts to coordinate risk-management activities to address an EMP attack, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to engage with federal partners and industry stakeholders to identify and implement key EMP research and development priorities, including opportunities for further testing and evaluation of potential EMP protection and mitigation options.

    Agency: Department of Energy
    Status: Open

    Comments: On March 9, 2016 DOE provided agency comments on GAO-16-243 concurring with the recommendation and identifying related actions. Specifically, DOE reported collaboration with the Electric Power Research Institute to develop a joint DOE/Industry EMP Strategy to include key goals and objectives and identification of R&D priorities. The Strategy is expected to be completed by August 31, 2016 to be followed by more detailed action plans. DOE reported that they will collaborate with DHS and DOD in development of the Strategy and action plans. DOE further noted that a report by the Idaho National Laboratory report also identifies potential technology gaps and includes recommendations for further R&D efforts, which will be incorporated when developing the forthcoming action plans.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow-up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

    Agency: Department of the Treasury
    Status: Open

    Comments: The 2015 sector-specific plan for the financial services sector includes a section on measuring the effectiveness of sector activities; however, the plan does not include specific metrics. The plan refers to working groups and meetings of sector stakeholders as mechanisms to track sector progress. No specific metrics and associated reports of outcomes have been provided to address overcoming the challenges of monitoring the sector's cybersecurity progress. We will continue to monitor financial services sector activities and determine any specific metrics and related reports developed and implemented to track and report on the sector's cybersecurity progress.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether USDA and HHS have developed and implemented mechanisms to measure the outcomes of their sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether HHS has developed and implemented mechanisms to measure the outcomes of its sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Transportation
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The 2015 water and wastewater sector-specific plan includes a segment on measuring the effectiveness of sector activities that describes the overall principles for collecting data and using the National Annual Report data calls as a tool for assessing performance and reporting on progress within the sector. However, the plan does not state specific measures and the agency acknowledged in its response to our report that it does not collect performance metrics on the effectiveness of its cybersecurity programs for the sector. According to agency officials, the development of performance metrics in collaboration with sector partners is underway. We will continue to follow up to identify any specific metrics developed and implemented and resulting outcome-based reports.
    Director: Brian J. Lepore
    Phone: (202) 512-4523

    1 open recommendations
    Recommendation: In order to improve the comprehensiveness and accuracy of certain data submitted by the military services to OSD and reported in the Energy Reports--such as potentially underreported data on mitigation costs and inaccurate data on both disruptions' duration and cost--the Secretary of Defense should direct the Secretaries of Army, Navy, and Air Force, the Commandant of the Marine Corps, and the Assistant Secretary of Defense for Energy, Installations and Environment to work together to improve the effectiveness of data validation steps in DOD's process for collecting and reporting utilities disruption data. For example, the military services and OSD could determine whether more time in the 5-month process should be devoted to data validation and whether equal priority should be given to validating all types of data included in the Energy Reports.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with the recommendation to improve the effectiveness of data validation steps in DOD's process for collecting and reporting utilities disruption data. In a memo from April 2016, DOD stated that it determined that focusing on the minimization of data input errors at the installation level was the most effective strategy to improve the effectiveness of data validation. Further, resolving initial input errors was determined to be the least resource and cost intensive approach to improve data quality. Therefore, DOD updated its data collection template for utility disruptions to include a dropdown menu so that users can use it to select the category of utility service that was disrupted. In addition, DOD stated that it expects to continue to work with the services and Defense Agencies in the next reporting cycle for the Annual Energy Management Report to improve the effectiveness of data validation steps.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.