Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Federal Agency: "Department of Homeland Security"

    102 publications with a total of 253 open recommendations including 8 priority recommendations
    Director: Carol Harris
    Phone: (202) 512-4456

    14 open recommendations
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes and implements specific time frames for determining key strategic implementation details, including how the program will transition from the current state to the final TIM state. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes a schedule that provides planned completion dates based on realistic estimates of how long it will take to deliver capabilities. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes new time frames for implementing the actions identified in the organizational change management strategy and effectively executes against these time frames. (Recommendation 3)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office defines and documents the roles and responsibilities among product owners, the solution team, and any other relevant stakeholders for prioritizing and approving Agile software development work. (Recommendation 4)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes specific prioritization levels for current and future features and user stories. (Recommendation 5)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office implements automated Agile management testing and deployment tools, as soon as possible. (Recommendation 6)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office updates the Systems Engineering Life Cycle Tailoring Plan to reflect the current governance framework and milestone review processes. (Recommendation 7)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes thresholds or targets for acceptable performance-levels. (Recommendation 8)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office begins collecting and reporting on Agile-related cost metrics. (Recommendation 9)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that program velocity is measured and reported consistently. (Recommendation 10)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that unit test coverage for software releases is measured and reported accurately. (Recommendation 11)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that appropriate DHS leadership reaches consensus on needed oversight and governance changes related to the frequency of reviewing Agile programs, and then documents and implements associated changes. (Recommendation 12)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that the Office of the Chief Technology Officer completes guidance for Agile programs to use for collecting and reporting on performance metrics. (Recommendation 13)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that DHS-level oversight bodies review key Agile performance and cost metrics for the TIM program and use them to inform management oversight decisions. (Recommendation 14)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Timothy J. DiNapoli
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To enhance management attention to closing out contracts, the Secretary of Homeland Security should develop a means, either at the agency or the component level, to track where the contracts are in the closeout process, and establish goals and performance measures for closing contracts. (Recommendation 3)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The DHS Under Secretary for Management should develop and implement effective processes and improve guidance to reasonably assure that future AAs fully follow AOA process best practices and reflect the four characteristics of a reliable, high-quality AOA process. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The DHS Under Secretary for Management should improve the Risk Management Planning Handbook and other relevant guidance for managing risks associated with financial management system modernization projects to fully incorporate risk management best practices, including (1) defining thresholds to facilitate review of performance metrics to determine when risks become unacceptable; (2) identifying and analyzing risks to include periodically reconsidering risk sources, documenting risks specifically related to the lack of sufficient, reliable cost and schedule information needed to help properly manage and oversee the project, and timely disposition of IV&V contractor-identified risks; (3) developing risk mitigation plans with specific risk-handling activities, the costs and benefits of implementing them, and contingency plans for selected critical risks; and (4) implementing risk mitigation plans to include establishing periods of performance for risk-handling activities and defining time intervals for updating and certifying the accuracy and completeness of information on risks in DHS's risk register. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To ensure that current pilot programs related to electronic advance data provide insights that help in assessing USPS's effectiveness at providing mail targeted by CBP for inspection, the Secretary of Homeland Security should direct the Commissioner of CBP to, in conjunction with USPS, (1) establish measureable performance goals for pilot programs and (2) assess the performance of the pilots in achieving these goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide information on the costs and benefits of collecting electronic advance data for use in targeting inbound international mail for screening, the Secretary of Homeland Security should direct the Commissioner of CBP to, in conjunction with USPS, evaluate the relative costs and benefits of collecting electronic advance data for targeting mail for inspection in comparison to other methods.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: To provide reasonable assurance that USRAP applicant fraud prevention and detection controls are adequate and effectively implemented, the Secretaries of Homeland Security and State should conduct regular joint assessments of applicant fraud risk across USRAP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Chris Currie
    Phone: (404) 679-1875

    6 open recommendations
    Recommendation: In order to improve employee misconduct policies and procedures, the Secretary of Homeland Security should direct the FEMA Administrator to document policies and procedures to address potential Surge Capacity Force misconduct.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to improve employee misconduct policies and procedures, the Secretary of Homeland Security should direct the FEMA Administrator to document Reservist disciplinary options and appeals policies and procedures that are currently in practice at the agency.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to improve employee misconduct policies and procedures, the Secretary of Homeland Security should direct the FEMA Administrator to communicate the range of penalties for specific misconduct offenses to all employees and supervisors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to better identify and address trends in employee misconduct, the Secretary of Homeland Security should direct the FEMA Administrator to improve the quality and usefulness of the misconduct data it collects by implementing quality control measures, such as adding additional drop-down fields with standardized entries, adding unique case identifier fields, developing documented guidance for data entry, or considering the adoption of database software.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to better identify and address trends in employee misconduct, the Secretary of Homeland Security should direct the FEMA Administrator to, once the quality of the data is improved, conduct routine reporting on employee misconduct trends.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to ensure that all allegations of employee misconduct referred by DHS OIG are reviewed and addressed, the Secretary of Homeland Security should direct the FEMA Administrator to develop reconciliation procedures to consistently track referred cases.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: Marie Mak
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To ensure that IGCEs contain key information consistent with good cost estimating practices, the Secretaries of Defense and Homeland Security should take steps to ensure that IGCE guidance is followed by, for example, providing training or issuing reminders to officials.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS agreed with the recommendation and stated that it will take steps to determine why guidance on independent government cost estimates is not followed. In July, DHS reported that the Office of the Chief Procurement Officer(OCPO) reached out to the nine DHS contracting activities soliciting feedback on why program officials may not be developing IGCEs in accordance with existing policies. Feedback was received in late May 2017. OCPO is currently evaluating the feedback and identifying consistent themes which will lead to the development of IGCE policy compliance measures.
    Recommendation: To ensure that IGCEs are optimized as a tool in the procurement planning process, the Secretaries of Defense, Education, Health and Human Services, Homeland Security, Housing and Urban Development, and Labor should take steps to ensure that, when appropriate, contracting staff document differences between IGCE and final contract award value in the contract file.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS agreed with the recommendation. In July 2017, DHS reported that the Office of the Chief Procurement Officer (OCPO) disseminated a new draft policy on this issue and solicited feedback from the Component's contracting activities. The Components provided feedback on the draft policy and OCPO is currently adjudicating their comments and will incorporate, as appropriate.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    5 open recommendations
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to assess and document how the alternative technological solutions being considered will fully meet operational needs related to ultralight aircraft.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection Air and Marine Operations air domain awareness efforts. DHS plans to complete these efforts by July 2018.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP and the Director of ICE to jointly establish and monitor performance measures and targets related to cross-border tunnels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate by February 2018.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to establish and monitor performance targets related to ultralight aircraft.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred and stated that within U.S. Customs and Border Protection, Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. DHS plans to complete these efforts by October 2017.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the U.S. Customs and Border Protection (CBP)-U.S. Immigration and Customs Enforcement (ICE) tunnel committee to convene and establish standard operating procedures for addressing cross-border tunnels, including procedures for sharing information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. We continue to believe that the recommendation is valid and will monitor DHS's efforts to address it.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commandant of the Coast Guard, Commissioner of CBP, and the Director of ICE to establish and monitor Regional Coordinating Mechanisms performance measures and targets related to panga boat and recreational vessel smuggling.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS did not concur with this recommendation. DHS stated that that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. We continue to believe that the recommendation is valid and will monitor DHS's efforts to address it.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: To facilitate the removal of underutilized vehicles, the Secretary of Homeland Security should direct the Commissioner of Customs and Border Protection to develop a written plan for how CBP will use newly available usage data to improve its utilization assessment processes. Such a plan would define utilization criteria that reflect CBP's mission and describe how CBP will review and individually justify vehicles that do not meet the utilization criteria established by either DHS or CBP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Maurer, Diana C
    Phone: (202) 512-8777

    2 open recommendations
    Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to develop a cohesive strategy that includes measurable outcomes for CVE activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of May 2017, CVE Task Force officials stated that they are identifying concrete outputs and outcomes for CVE efforts outlined in the 2016 Strategic Implementation Plan. CVE Task Force officials also stated that they plan to develop short-term, medium-term, and long-term outcomes for these efforts. The Task Force plans to report to the White House Homeland Security Advisor on their implementation progress in January 2018. GAO will continue to monitor the CVE Task Force's progress in this area.
    Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to establish and implement a process to assess overall progress in CVE, including its effectiveness.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of May 2017, CVE Task Force officials stated that they have begun consulting with departments and agencies that have already invested in CVE program assessment and are developing a research-based framework for designing and assessing CVE metrics. The CVE Task Force plans to report to the White House Homeland Security Advisor on their implementation progress in January 2018. GAO will continue to monitor the CVE Task Force's progress in this area.
    Director: Michele Mackin
    Phone: (202) 512-4841

    3 open recommendations
    Recommendation: To mitigate the risk of poor acquisition outcomes and strengthen the department's investment decisions, the Secretary of Homeland Security should direct the Undersecretary for Management to update the acquisition policy to require that major acquisition programs' technical requirements are well defined and key technical reviews are conducted prior to approving programs to initiate product development and establishing Acquisition Program Baselines, in accordance with acquisition best practices.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to initiate a study to assess how to better align its processes for technical reviews and acquisition decisions. Upon completion of the study, DHS plans to update its acquisition policies, as appropriate.
    Recommendation: To mitigate the risk of poor acquisition outcomes and strengthen the department's investment decisions, the Secretary of Homeland Security should direct the Undersecretary for Management to update the acquisition policy to specify that acquisition decision memorandums clearly document the rationale of decisions made by DHS leadership, such as, but not limited to, the reasons for allowing programs to deviate from the requirement to obtain department approval for certain documents at Acquisition Decision Events and the results of considerations or trade-offs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it had begun expanding the content included in Acquisition Decision Memorandums (ADM) to include greater detail and that future ADMs would address the status of the acquisition documentation. DHS also said it had updated the guidance for writing ADMs in a handbook for Office of Program Accountability and Risk Management staff, thus making progress toward satisfying the recommendation. However, we did not close the recommendation because the updated guidance was not incorporated into the department's official acquisition policy, which may limit DHS's ability to implement the changes consistently over time. We will continue to review ADMs to assess whether the department's actions address the intent of this recommendation.
    Recommendation: To mitigate the risk of poor acquisition outcomes and strengthen the department's investment decisions, the Secretary of Homeland Security should direct the Undersecretary for Management to update the acquisition policy to specify at what point minimum standards for KPPs should be met, and clarify the performance data that should be used to assess whether or not a performance breach has occurred.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it had updated guidance related to its performance breaches in a handbook for Office of Program Accountability and Risk Management staff, thus moving toward satisfying the intent of this recommendation. Specifically, DHS identified that programs' KPPs should be met and verified no later than initial operational test and evaluation conducted prior to Acquisition Decision Event 3, the point at which DHS leadership approves the program to transition into sustainment. If programs have not met a KPP by this point, they will be required to declare a performance breach and submit a remediation plan documenting the root cause of the breach, along with how and when the breach will be resolved. However, we did not close the recommendation because the department's official acquisition policy has yet to be updated. DHS will fully address this recommendation when it incorporates the changes into its acquisition policy to ensure that the updated guidance on performance breaches is communicated and implemented consistently throughout the department.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: To improve the usefulness of airport wait time data that CBP currently reports on its public website, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to report airport wait time data for different categories of travelers.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that the FAR clause 52.203-17 is inserted in new contracts and major modifications as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, Homeland Security concurred with this recommendation. Officials have said they have taken steps to implement this recommendation with guidance and once GAO is provided with evidence of executing guidance, we will review these efforts to assess whether the recommendation was implemented.
    Director: Chris P. Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that SCO uses its time and resources to pursue the most efficient and effective screening and credentialing harmonization goals on behalf of the department, the Secretary of Homeland Security should direct the Deputy Assistant Secretary for Screening Coordination, Office of Policy, to establish goals and objectives to support its broader strategic framework for harmonization.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kay Brown
    Phone: (202) 512-7215

    3 open recommendations
    Recommendation: To better ensure FEMA's regional activities effectively support individuals with disabilities, the Secretary of Homeland Security should direct the FEMA Administrator to take steps to establish written procedures for how regions should involve the Office of Disability Integration and Coordination in clarifying disability integration staff's roles, evaluating staff performance, and setting expectations for how staff communicate with headquarters and the regions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA agreed with this recommendation and FEMA's Office of Disability Integration and Coordination is in the process of establishing a working group that will clarify and codify the roles, responsibilities, and expectations among the various agency offices and personnel involved in carrying out the agency's disability integration mission. GAO will monitor the progress of these efforts. FEMA expects to complete these efforts by December 31, 2017. At that time, GAO will await documentation of the agency's procedures for carrying out its disability integration mission.
    Recommendation: To better position FEMA to expand access to key training on incorporating access and functional needs into emergency planning for state, local, and voluntary organization emergency management officials, the Secretary of Homeland Security should direct the FEMA Administrator to evaluate alternative cost-effective methods for delivering its course on access and functional needs, such as via virtual classes.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA agreed with this recommendation and reported that it will explore options for updating one of its existing online courses--IS-368 "Including People with Disabilities and Other with Access and Functional Needs in Disaster Operations"--to tailor the content for a broader audience, including members of the public. The agency also reported that it will evaluate the need for alternative cost-effective methods for delivering other courses on inclusive emergency management it currently offers, such as its classroom course, "Integrating Access and Functional Need into Emergency Planning." The agency anticipates completing these efforts by December 31, 2017. When these efforts are complete, GAO will await documentation that the agency has evaluated its delivery of key training on incorporating access and functional needs into emergency planning.
    Recommendation: To help ensure its key training on incorporating access and functional needs into emergency planning reaches a sufficiently wide audience, the Secretary should direct the FEMA Administrator to collect information about the potential pool of participants, set general goals for the number of state and local emergency managers that will take this course, and implement the delivery methods needed to meet these goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA agreed with this recommendation and reported that it will work with its regional staff to map potential training participants in each state and set goals for delivery of the course to state and local emergency managers. The agency also reported that it may be able to use data in the State Preparedness Report and states' self-reporting on the need for training on integrating the needs of people with access and functional needs into emergency management. GAO will monitor the progress of these efforts. The agency anticipates completing these efforts by December 31, 2017.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is currently conducting an analysis of all mission functions to include the following goals: simplify the descriptions of NCCIC's mission functions, document all NCCIC functional capabilities, document the applicability of implementing principles to NCCIC mission functions, and map as appropriate. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that they were still in the process completing mission functional analysis described in DHS's response to Recommendation 1, which would serve as the basis of developing metrics. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is updating existing policies and procedures for program management reviews (PMR) to include the metrics developed in recommendation two. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the NCCIC updated guidelines for incident reporting would be completed in May 2017. In addition, according to DHS, incident management system requirements were updated to support the new guidelines and are scheduled to be implemented in June 2017. DHS stated that these steps will enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which the NCCIC Watch Operations uses to help facilitate the timely, actionable, and relevant dissemination of information to leadership. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. As of August 2017, DHS has not provided evidence that the new guidelines have been implemented. However, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC had completed initial mapping of information flows, as well as the roles and responsibilities for the incident management function. A plan to integrate or consolidate disparate incident reporting systems is scheduled to be completed in December 2017. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NPPD is gathering the requirements for a customer relationship management (CRM) tool that will support regular reviews and updates to customer information. Additionally, DHS stated that NCCIC will establish and implement a standing operating procedure for capturing and regularly updating prioritized customer information including contact information in the event of an incident. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Office of Cybersecurity and Communications is establishing integrated customer engagement activities that support cyber risk mitigation and incident response planning. In addition, NCCIC will develop standing operating procedures that leverage existing information sharing programs, activities and relationships to tailor engagements that support owners and operators of the most critical cyber-dependent infrastructure assets including designated lifeline sectors. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Assistant Secretary of Office of Cybersecurity and Communications (CS&C) had consolidated the Enterprise Architecture role within the Office of the Chief Technology Officer (CTO). Working across CS&C, the CTO will establish a technology roadmap, to include consolidation of networks. In addition, NCCIC is working to determine the potential impact of network consolidation on mission functions, including mapping current data sources. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the potential reduction in sharing cybersecurity products that may result from migrating the NCCIC Portal to HSIN should be minimal. Contingency information sharing plans will be developed to mitigate potential issues through alternate information sharing practices, particularly involving an actual incident during migration transition. Foreign partnerships will continued to be maintained by exercises, analytic exchanges with our closest partners, and continued participation in multilateral and bilateral engagements. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: The Secretary of Homeland Security should direct the Assistant Secretary of Immigration and Customs Enforcement and Commissioner of Customs and Border Protection to collaborate on sharing immigration enforcement and removal data to help Border Patrol account for the removal status of apprehended aliens in its recidivism rate measure.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Tim Persons
    Phone: (202) 512-6412

    1 open recommendations
    Recommendation: The Secretary of Homeland Security--in consultation with the Federal Bureau of Investigation--should conduct a formal bioforensics capability gap analysis to identify scientific and technical gaps and needs in bioforensics capabilities to help guide current and future bioforensics investments and update its analysis periodically.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Heather Krause
    Phone: (202) 512-6806

    2 open recommendations
    Recommendation: To help ensure that FLETC builds and maintains capacity to achieve its mission with existing levels of resources over the longer-term, the Secretary of Homeland Security should direct the Director of FLETC to complete a revised strategic plan that encompasses the agency's long-term goals and objectives to address emerging challenges.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that FLETC builds and maintains capacity to achieve its mission with existing levels of resources over the longer-term, as part of its strategic planning process, the Secretary of Homeland Security should direct the Director of FLETC to finalize the plan, including the steps and time frames, needed to further implement its Online Campus initiative.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Director: Currie, Christopher P
    Phone: (202) 512-8777

    3 open recommendations
    Recommendation: To better assess the impact of the fire grants program, the Secretary of Homeland Security should direct the FEMA Administrator to establish measurable performance targets linked to AFG and SAFER program goals, such as the desired percentage of awardees who used grants to achieve compliance with equipment standards.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to officials, FEMA's Grant Programs Directorate is reviewing the current set of program metrics to determine the feasibility of establishing performance targets. FEMA plans to include approved targets in its annual report to Congress that will be issued for fiscal year 2016; the report was undergoing internal review for approval and release as of November 2016. Pending issuance of the report with measurable performance targets linked to AFG and SAFER program goals, this recommendation will remain open.
    Recommendation: To enhance FEMA's efforts to assess and integrate the fire grant programs' contributions to national preparedness, the Secretary of Homeland Security should direct the FEMA Administrator to use the National Preparedness Goal's definition of critical infrastructure as the basis of collecting information from applicants and using the National Critical Infrastructure Prioritization Program list to measure fire grant programs' performance in addressing national priorities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to officials, FEMA's Grant Programs Directorate plans to incorporate the National Preparedness Goal definition of national critical infrastructure into fire grant performance measures in FEMA's fiscal year 2017 Annual Report to Congress. Specifically, they said FEMA plans to conduct an assessment of data from AFG program application and awards in order to verify recipients are reporting infrastructure that aligns with the National Preparedness Goal definition of critical infrastructure. In addition, FEMA plans to meet as needed with the National Programs and Protection Directorate's Office of Critical Infrastructure Analysis to determine how the Critical Infrastructure Prioritization Program list can be used in the application process. Pending completion of these efforts, this recommendation will remain open.
    Recommendation: To enhance FEMA's efforts to incorporate new National Fire Operations Reporting System (NFORS) and Fire Community Assessment Response Evaluation System (FireCARES) data elements into fire grants program management activities, the Secretary of Homeland Security should direct the FEMA Administrator to develop a project management plan for identifying relevant data elements in the new NFORS and FireCARES systems and determining how they can be used to improve fire grant applications and awards processes and the performance assessment system.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to officials, FEMA's Grant Programs Directorate intends to develop a plan to assess the data collected to determine feasibility for integration of NFORS and FireCARES data into the AFG programs. The plan will incorporate ways to improve the applications, awards processes, and tracking of performance. This plan should be completed by March 2017, and FEMA will continue to collaborate with stakeholders for the improvement of the AFG application, awards processes, and performance management. According to FEMA, the estimated completion of this effort is September 2017.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the Enterprise Business Management Office within the Office of the Chief Information Officer will validate each investment reported on the Dashboard and work with program officials to ensure they appropriately update the data for the IT Dashboard. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Director: Chris Currie
    Phone: (404) 679-1875

    1 open recommendations
    Recommendation: If DHS's proposed CBRNE program consolidation is approved by Congress, the Secretary of Homeland Security should direct the Assistant Secretary for the Office of Policy to use, where appropriate, the key mergers and organizational transformation practices identified in our previous work to help ensure that a CBRNE consolidated office benefits from lessons learned from other organizational transformations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We found that key mergers and organizational transformation practices identified in previous GAO work could benefit the Department of Homeland Security (DHS) if Congress approves the proposed CBRNE consolidation. As a result, we recommended that should Congress approve DHS's CBRNE consolidation plan, the department use key mergers and organizational transformation practices identified in previous GAO work. In November 2016, DHS stated that while Congress had yet to authorize DHS's CBRNE reorganization proposal, DHS remained committed to evaluating GAO's identified practices when developing an implementation plan. We will update the status of this recommendation as additional information is made available.
    Director: Fennell, Anne-marie Lasowski
    Phone: (202) 512-3841

    1 open recommendations
    Recommendation: To help ensure that the Corps and FEMA carry out the national leveesafety- related activities required in the Water Resources Reform and Development Act of 2014, the Secretary of Defense should direct the Secretary of the Army to direct the Chief of Engineers and Commanding General of the U.S. Army Corps of Engineers and that the Secretary of Homeland Security direct the FEMA Administrator to develop a plan, with milestones, for implementing these activities, using existing resources or requesting additional resources as needed. This plan could be posted on the Corps' website and monitored for progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of December 2016, GAO is awaiting action by the agency to implement this recommendation.
    Director: Andrew Von Ah
    Phone: (213) 830-1011

    4 open recommendations
    Recommendation: To ensure effective management and oversight of DHS programs receiving fees and other collections, and to ensure that component management take the following actions for each fee and other collections program that they administer, the Secretary of Homeland Security should direct the DHS Chief Financial Officer to use some means, such as the DHS Fee Governance Council, to document the processes and analyses for assessing and, as appropriate, for managing the difference between program costs and collections and document resulting decisions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS's Fee Governance Council, led by the Deputy CFO plans to draft and publish a revised section of the Financial Management Policy Manual devoted to documenting the processes and analyses for assessing and managing the difference between program costs and collections and document resulting decisions. The Council is currently working to establish interim milestones associated with this objective.
    Recommendation: To ensure effective management and oversight of DHS programs receiving fees and other collections, and to ensure that component management take the following actions for each fee and other collections program that they administer, the Secretary of Homeland Security should direct the DHS Chief Financial Officer to use some means, such as the DHS Fee Governance Council, to establish processes for managing unobligated carryover balances, to include targets for minimum and maximum balances for programs that lack such processes and targets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Fee Governance Council will draft and publish a revised section of the Financial Management Policy Manual devoted to managing unobligated carryover balances. The Council is currently working to develop specific milestones associated with this objective.
    Recommendation: To ensure effective management and oversight of DHS programs receiving fees and other collections, and to ensure that component management take the following actions for each fee and other collections program that they administer, the Secretary of Homeland Security should direct the DHS Chief Financial Officer to use some means, such as the DHS Fee Governance Council, to conduct reviews to identify any management and operational deficiencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The DHS Fee Governance Council plans to publish a revised section of the Financial Management Policy Manual devoted to how components conduct studies of fee programs to identify any management or operational deficiencies. The Council is currently working to establish specific milestones associated with this objective.
    Recommendation: To ensure effective management and oversight of DHS programs receiving fees and other collections, and to ensure that component management take the following actions for each fee and other collections program that they administer, the Secretary of Homeland Security should direct the DHS Chief Financial Officer to use some means, such as the DHS Fee Governance Council, to take action to track and report on management and operational deficiencies--including reasons supporting any decisions to not pursue recommended actions--identified in fee reviews or through other means.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The DHS Fee Governance Council will publish a revised section of the Financial Management Policy Manual devoted to how regular biennial reviews are conducted at DHS and how any findings and recommendations on management and operational deficiencies identified in these fee studies are tracked and reported.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To improve the effectiveness, transparency, and accountability of the ECPC's efforts, the Secretary of Homeland Security, as the administrative leader of the ECPC, should clearly document the ECPC's strategic goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the effectiveness, transparency, and accountability of the ECPC's efforts, the Secretary of Homeland Security, as the administrative leader of the ECPC, should establish a mechanism to track progress by the ECPC's member agencies in implementing the ECPC's recommendations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the effectiveness, transparency, and accountability of the ECPC's efforts, the Secretary of Homeland Security, as the administrative leader of the ECPC, should clearly define the roles and responsibilities of the ECPC's member agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Chris Currie
    Phone: (404) 679-1875

    1 open recommendations
    Recommendation: To help ensure that whistleblower retaliation reports are addressed efficiently and effectively, the Secretary of Homeland Security should direct the Under Secretary of DHS's National Protection and Programs Directorate's (NPPD), the Assistant Secretary for Infrastructure Protection, and the Director of the Infrastructure Security Compliance Division (ISCD) to develop a documented process and procedures to address and investigate whistleblower retaliation reports that could include existing practices, such as the Department of Labor's Occupational Safety and Health Administration's recommended practices, in developing the process and procedures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, in September 2016 they initiated development of a standard operating procedure for addressing and investigating whistleblower retaliation complaints. ISCD expects to complete a final version of the standard operating procedure by June 2017. According to ISCD officials, the procedure will consider OSHA's guidance, once available, when developing this set of procedures. We will update the status of this recommendation after additional information is received from DHS.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of the Department of Homeland Security (DHS) should direct the Director of USCIS to direct the USCIS Chief Information Officer (CIO), in coordination with the DHS CIO and the Chief of the Office of Transformation Coordination (OTC), to review and update, as needed, existing policies and guidance and consider additional controls to complete planning for software releases prior to initiating development and ensure software meets business expectations prior to deployment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, the U.S. Citizenship and Immigration Services (USCIS) within the Department of Homeland Security (DHS) had taken steps to address this recommendation. In particular, in June 2017, USCIS provided an updated policy, dated April 2017, governing planning and deploying software releases. USCIS also demonstrated partial compliance with that policy. For example, it provided some release planning review documentation for recent releases that are required by the updated policy, including readiness review memos for releases 7.2 and 8.1. However, USCIS did not demonstrate that the program responsible for developing the USCIS Electronic Immigration System (USCIS ELIS) was consistently following its updated policy. For example, USCIS did not demonstrate that the program was completing all planning activities prior to initiating development, as called for in its updated policy. Moreover, the agency did not demonstrate compliance with its previous policy for all software releases planned and deployed since our July 2016 report. We will continue to work with USCIS to monitor actions the agency is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to consistently implement the principles of the framework adopted for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases, dated April 2017, along with release planning artifacts specific to USCIS ELIS. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. However, USCIS had not clearly indicated if USCIS ELIS was to implement the practices described in the policy. For example, the updated policy did not require program compliance with the generally accepted agency practices. Moreover, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology or set of development practices. For example, the team process agreements, which describe how members of individual teams will work with each other, did not indicate if developers were to adhere to the practices described in updated USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to define and consistently execute appropriate roles and responsibilities for individuals responsible for development activities consistent with its selected development framework.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in June 2017, USCIS provided updated policy, dated April 2017, governing the development of software releases and release planning artifacts. The updated policy and release documentation defined some roles and responsibilities that were previously only described by USCIS in its informal November 2014 management model, such as the authority and responsibility of a product owner. However, program documentation and policy did not define all of the roles and responsibilities. For example, program documentation and policy did not define the roles and responsibilities of a facilitator, or Scrum Master, which is a position identified in leading practices for software development using Scrum, the development methodology previously identified by the program. In addition, USCIS did not demonstrate that it had defined and committed to an updated development methodology for software releases. Such a defined methodology will impact expectations for the roles and responsibilities in software development. Without such a defined methodology or approach to Agile software development, it is not clear if roles and responsibilities defined by previously documented approach to Agile software development are still applicable for the current development approach. Moreover, documentation associated with program releases and updated policy did not define all of the roles and responsibilities for positions described by USCIS in its May 2017 written response to GAO. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to identify all system users and involve them in release planning activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that the department has addressed this recommendation. In October 2016, DHS provided a written response stating that the USCIS Office of Information Technology and Office of Transformation Coordination were working closely with the various USCIS directorates to obtain and integrate feedback through regular review sessions with the end users and through additional end user testing. However, as of July 2017, DHS and USCIS have not provided new information about the status of this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to write user stories that identify user roles, include estimates of complexity, take no longer than one sprint to complete, and describe business value.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had provided GAO with documentation intended to demonstrate that the agency had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases along with release planning artifacts specific to USCIS ELIS and an Independent Verification and Validation assessment. The agency also provided a series of backlogs that captured user stories for some software releases. In addition, the Independent Verification and Validation assessment indicated that the program was tracking user story quality as part of assessing whether value was continuously discovered and aligned to the mission. However, the assessment report provided to GAO indicated a negative trend for this outcome. Moreover, USCIS policy no longer set expectations regarding user story development. In addition, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology, which is turn impacts the expectations for writing user stories. Finally, backlogs provided by USCIS did not cover all releases in development since our July 2016 report and did not include enough detail to assess all aspects of the user story process (e.g., story size and user involvement). We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to establish outcomes for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in April 2017, USCIS issued updated policy governing software development at the agency. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. This appendix also included a set of ten outcomes associated with using Agile practices at USCIS. For example, outcomes included that value is continuously discovered and aligned to the mission. However, the updated policy did not require program compliance with the practices and principles described in the appendix. Moreover, the agency did not demonstrate that USCIS ELIS had committed to achieving a specific set of outcomes for Agile software development, such as the outcomes described in the USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to monitor program performance and report to appropriate entities through the collection of reliable metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software that called for teams to prepare an Operations Monitoring Plan or dashboard showing the practices, tools, and measures that will monitor applications in production. The agency also provided a series of documents from internal systems and processes intended to monitor performance, such as a product dashboard for analyzing code quality (i.e., SonarQube) and a report from its Independent Verification and Validation team. However, the program was undergoing a re-baseline and had yet to document updated cost, schedule, and performance expectations against which to monitor. Moreover, the agency did not demonstrate that other metrics, such as customer satisfaction and team velocity, were being reliably collected. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to conduct unit and integration, and functional acceptance tests, and code inspection consistent with stated program goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided artifacts from internal systems in place to monitor software development performance. These metrics monitored aspects of testing, such as code quality and code coverage. However, the program did not provide an updated Test and Evaluation Master Plan, which is a document it will produce as part of its ongoing effort to re-baseline. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. Moreover, the agency did not demonstrate that functional acceptance tests were being conducted in accordance with stated program goals. For example, the agency did not provide acceptance criteria or the associated tests demonstrating that user stories passed the defined acceptance criteria. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to develop complete test plans and cases for interoperability and end user testing, as defined in the USCIS Transformation Program Test and Evaluation Master Plan, and document the results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that they had addressed this recommendation. In October 2016, DHS provided a written response indicating that an internal process for revisiting the USCIS ELIS Test and Evaluation Master Plan had been initiated, with participation from all relevant stakeholder groups. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. The letter also stated that USCIS had begun to work on a policy for new interoperability test procedures. Moreover, the letter added that end user testing is a continuing activity, including providing feedback of observed issues into the development queue, with the slow launch of the naturalization capabilities in USCIS ELIS being a model. However, as of July 2017, DHS and USCIS had not provided new information about the status of this recommendation. We will continue to work with DHS and USCIS to obtain additional documentation about actions they are taking to address this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO Enterprise Business Management Office is updating its program assessment guideline. The updated guideline will include risk-based scores as the basis for its investment ratings. The Department expects to release this new guideline by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: To enhance the monitoring of holding facilities, the Secretary of Homeland Security should direct Border Patrol and ICE to develop and implement a process to assess their time in custody data for all individuals in holding facilities, including: (1) identifying and addressing potential data quality issues; and (2) identifying cases where time in custody exceeded guidelines and assessing the factors impacting time in custody.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the transparency of the complaints process, the Secretary of Homeland Security should direct CBP and ICE to develop and issue guidance on how and which complaint mechanisms should be communicated to individuals in custody at holding facilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate the tracking of holding facility complaints, the Secretary of Homeland Security should include a classification code in all complaint tracking systems related to DHS holding facilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide useful information for compliance monitoring, the Secretary of Homeland Security should direct CBP and ICE to develop and implement a process for analyzing trends related to holding facility complaints across their respective component.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michelle Sager
    Phone: (202) 512-6806

    4 open recommendations
    Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to conduct a systematic analysis of the information generated from FEMA's readiness assessments to determine the extent of regional office efforts to help states implement the NDRF, including conducting education and outreach.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, its Office of Readiness Assessment (ORA) launched the 2016 bi-annual FEMA Readiness Assessment Program in April 2016, which includes NDRF related assessment discussions in five FEMA regions. We met with officials in April 2017, who told us that ORA plans to incorporate into this year's assessments, a retrospective review of NDRF findings and progress made in implementing the NDRF since 2013. We will continue to monitor this to see what additional actions the agency takes in response to this recommendation.
    Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to develop best practices and lessons learned with regard to conducting NDRF education and outreach to states based on the analysis of readiness assessments and create a mechanism to disseminate and share those best practices and lessons learned to FEMA regional offices.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, its Recovery Support Function Leadership Group initiated an information management workgroup, which shares best practices information as one of its objectives. The workgroup has piloted the use of an existing interagency portal as a potential platform for improved information sharing. We met with officials in April 2017, who told us that FEMA will incorporate its 2016 readiness review findings and best practices from regional Federal Disaster Recovery Coordinators for stakeholder outreach and education into the final platform build-out. We will continue to monitor this to see what additional actions the agency takes in response to this recommendation.
    Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to clarify with regional offices and Federal Disaster Recovery Coordinators (FDRCs) the role of the regional implementation plans in FDRC performance plans and how they will be used to assess NDRF regional implementation efforts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, to achieve greater integration of FEMA's field leadership components, FEMA's Field Operations Directorate (FOD) convened a Field Leadership Working Group of senior subject matter experts to conduct a mission analysis of FEMA's Field Leadership function (which includes Federal Disaster Recovery Coordinators as well as Federal Coordinating Officers and Incident Management Assistance Teams team leads). According to FEMA, one of the assigned tasks of the group involves developing performance metrics to define a steady state and operational performance framework for field leaders, to include Federal Disaster Recovery Coordinators. According to FEMA, the Working Group is currently underway and is preparing a Field Leader Manual for review by FOD leadership. We will continue to monitor this to see what additional actions the agency takes in response to this recommendation.
    Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to align the annual FDRC performance expectations with clearly defined organizational goals and priorities, consistent with key management practices.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, the Field Leadership Working Group will implement the elements of this recommendation alongside efforts to clarify the role of the regional National Disaster Recovery Framework implementation plans. FEMA also provided documentation to GAO noting that the Working Group is progressing in its work on its Field Leadership Professional Development Plan. We will continue to monitor this to see what additional actions the agency takes in response to this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The agency agreed with the recommendation and in July 2017 stated that the department has drafted a Legacy Systems Modernization Framework. DHS is waiting for OMB?s draft guidance to be issued to ensure compliance. As a result, they now estimate this will be completed by December 2017. We will continue to monitor the implementation of this recommendation.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To ensure that good practices are shared within agencies, the Secretaries of Defense, Veterans Affairs, the Interior, Homeland Security, and Energy, and the Environmental Protection Agency should develop guidance that encourages local officials to examine purchase card spend patterns to identify opportunities to obtain savings and to share information on such efforts. Where applicable, we further recommend that these agencies determine the feasibility for broader application of these efforts across the agency or organization.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The department concurred with this recommendation and updated its purchase card manual November 2016 to encourage components to perform additional spend analysis for the identification of strategic sourcing opportunities, but it is unclear how results of analysis will be communicated for broader application across the agency. The department is also working with industry partners to increase the level of shared data for purchase card transactions and will develop a plan to communicate these data across the agency to support information sharing and increases strategic sourcing opportunities.
    Director: Michael J. Courts
    Phone: (202) 512-8980

    2 open recommendations
    Recommendation: To strengthen DHS's ability to fulfill legislative requirements for the VWP and protect the security of the United States and its citizens, the Secretary of Homeland Security should specify time frames for working with VWP countries to institute the additional VWP security requirements, including the requirement that the countries fully implement agreements to share information about known or suspected terrorists through the countries' Homeland Security Presidential Directive 6 arrangements and Preventing and Combating Serious Crime agreements with the United States.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS reported that nearly all VWP countries have begun sharing information on known or suspected terrorists through Homeland Security Presidential Directive 6 arrangements and that DHS also made progress in fully implementing Preventing and Combating Serious Crime agreements. According to DHS, all VWP countries were informed of the new VWP requirements in July 2016. In its initial response, DHS stated that it planned to conduct a comprehensive assessment of VWP countries' compliance with the new VWP requirements and establish a time frame for each VWP country to reach full compliance as part of each country's next formal review. However, as of April 2017, DHS needs to provide documentation to GAO to support all of these actions. GAO will continue to monitor DHS efforts to fully address this recommendation.
    Recommendation: To strengthen DHS's ability to fulfill legislative requirements for the VWP and protect the security of the United States and its citizens, the Secretary of Homeland Security should take steps to improve DHS's timeliness in reporting to Congress, within the statutory time frame, the department's determination of whether each VWP country should continue participating in the program and any effects of the country's participation on U.S. law enforcement and security interests.

    Agency: Department of Homeland Security
    Status: Open

    Comments: Since 2016, DHS has issued several reports on VWP countries to Congress that have addressed several of the overdue reports identified in 2016, but some gaps remain. As of April 2017, DHS reported plans to deliver additional reports in 2017 to address these gaps. In its initial response, DHS reported that the department had taken steps to ensure timely reporting to Congress and committed to providing Congress with advance notification of any delays in delivering future reports. To fully address this recommendation, DHS needs to issue reports to Congress on VWP countries that have not been covered within the last two years. GAO will continue to monitor DHS efforts.
    Director: Andrew Von Ah
    Phone: (213) 830-1011

    4 open recommendations
    Recommendation: To ensure the quality of the risk assessments used to inform its future QHSR processes, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to ensure future QHSR risk assessment methodologies reflect key elements of successful risk assessment methodologies, such as being: (1) Documented, which includes documenting how risk information was integrated to arrive at the assessment results, (2) Reproducible, which includes producing comparable, repeatable results, and (3) Defensible, which includes communicating any implications of uncertainty to users of the risk results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis and Risks completed initial meetings in April 2016 with government and non-government subject matter experts to refine risk analyses for the upcoming 2018 QHSR. Representatives from the department's component and headquarters staff are to take part in the Department's Risk Modeling and Analysis Steering Committee by reviewing, documenting and approving proposed new methodologies planned to help identify and prioritize threats and hazards. This effort is intended to lead to a documented, reproducible, and defensible assessment, according to the DHS officials. This recommendation will remain open until we verify that the risk analysis contains these elements.
    Recommendation: To enable the use of risk information in supporting resource allocation decisions, guiding investments, and highlighting the measures that offer the greatest return on investment, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to refine its risk assessment methodology so that in future QHSRs it can compare and prioritize homeland security risks and risk mitigation strategies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk, with support from the RAND Corporation, has proposed a methodology to assess threats, hazards, and vulnerabilities impacting U.S. homeland security. In addition, the department's Risk Modeling and Analysis Executive Steering Committee is to review and approve the proposed methodology. The methodology is intended to enable the Department of Homeland Security to compare and prioritize homeland security risks and risk mitigation strategies, according to DHS officials. The recommendation will remain open until we verify that the methodology allows such comparisons.
    Recommendation: To ensure proper management of the QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to identify and implement stakeholder meeting processes to ensure that communication is interactive when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk finalized a draft stakeholder outreach plan to include use of the Office of Management and Budget's Max electronic collaboration website to engage with federal, state, and local stakeholders. The OMB-MAX website is available to government and non-government offices and allows the posting of documents, articles, and links, as well as facilitating collaborative editing of documents and participant interaction threads, according to DHS officials. In addition, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk is exploring the use of different tools to facilitate more interactive stakeholder engagement. For example, DHS's Office of Partnerships and Engagement is to facilitate additional engagement with external subject matter experts, arrange interagency coordination, and organize review and approval with parties of the homeland security enterprise in order to coordinate and approve the development of the 2018 QHSR. This recommendation will remain open until we verify that interactive communication approaches are implemented.
    Recommendation: To ensure proper management of the internal QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to clarify component detailee roles and responsibilities when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk (SPAR) drafted a memorandum for the Deputy Secretary to solicit Component subject matter experts. The memorandum specifies component detailee roles and responsibilities, to include serving in an advisory, consultation, and coordination role, according to DHS officials. SPAR is to lead an integrated group of analysts and strategic planners that are to be supported and augmented by the subject matter experts. The experts and detailees are to serve as members of study teams analyzing key threats, trends, and strategy and policy alternatives associated with issues and challenges relating to DHS's mission and objectives. A second memorandum requesting additional detailee support is to be issued in November 2016, prior to the formal review phase of the new QHSR which is to begin in January 2017. This recommendation will remain open until we verify that clarified detailee roles and responsibilities are finalized and implemented.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We are following up with DHS on the finalization of its service level agreement (SLA) guidance.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to define the scope, implementation strategy, and schedule of the agency's overall modernization approach, with related goals and measures for effectively overseeing the effort. At a minimum, the agency should update its IT strategic plan and complete its modernization plan.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with this recommendation, and reported on actions taken to update its IT Modernization Plan such as conducting cross-functional work sessions to establish an actionable implementation roadmap in line with agency priorities. However, as of April 2017, we have not yet obtained evidence that FEMA has fully updated its IT strategic plan and completed its modernization plan to address the weaknesses identified in our report. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to establish time frames for current and future IT workforce planning during its modernization efforts and ensure all regions and offices are included in these initiatives.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement our recommendation. For example, the department stated that FEMA completed the assessment of skills gap and identified and prioritized the skills required to staff and sustain the core competencies required to successfully implement FEMA's IT modernization efforts. However, we have not yet validated the agency actions to establish time frames for current and future IT workforce planning during its modernization efforts. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Director: Michele Mackin
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To enhance DHS leadership's ongoing efforts to improve the affordability of the department's major acquisition portfolio, and to ensure adequate communication with Congress, the Secretary of the Department of Homeland Security should ensure that the fiscal year 2017 Future Years Homeland Security Program report, which DHS must submit to Congress at or about the same time as the President's fiscal year 2018 budget request, reflects the results of any tradeoffs stemming from the acquisition affordability reviews recommended above.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the Department of Homeland Security (DHS) concurred with this recommendation, and stated that the fiscal year 2017 Future Years Homeland Security Program (FYHSP) report would reflect decisions made in response to our second recommendation. DHS expected to release the FYHSP report shortly after the President's fiscal year 2018 budget request in May 2017. However, the transition to a new administration delayed the release of the FYHSP report. Once available, GAO will evaluate the FYHSP report to determine whether DHS has met the intent of this recommendation.
    Recommendation: To enhance DHS leadership's ongoing efforts to improve the affordability of the department's major acquisition portfolio, and to help ensure programs secure stable funding that matches resources to requirements, the Secretary of the Department of Homeland Security should require components to establish formal, repeatable processes for addressing major acquisition affordability issues, similar to the process the Transportation Security Administration has established.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the Department of Homeland Security (DHS) concurred with this recommendation, and stated that DHS headquarters would ensure all components are updating their cost estimates each year to inform the annual resource allocation process by March 31, 2017. However, DHS did not establish a requirement that components do so through formal, repeatable processes for addressing major acquisition affordability issues, similar to the process the Transportation Security Administration has established. As of August 2017, seven of DHS's components were in the process of establishing formal, repeatable processes for addressing affordability issues, but had not completed these efforts. GAO will continue to review the components' progress to determine whether the components' actions meet the intent of this recommendation.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To help FPS enhance its strategic human capital planning efforts, the Secretary of Homeland Security should direct the Under Secretary of NPPD to work with the Director of FPS to identify time frames for developing human capital performance measures with targets that are explicitly aligned to FPS's stated human capital goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS stated that NPPD is working with FPS to develop a recruitment and retention strategy that will include performance measures. This strategy will be complete by December 31, 2016. However, NPPD and FPS have not yet identified timeframes for developing performance measures for other human capital areas identified in FPS's human capital plan, such as leadership and knowledge management and building a results-oriented performance culture. Furthermore, because the recruitment and retention strategy is still under development, it is unclear whether the performance measures will have targets that are explicitly aligned to FPS's stated human capital goals. FPS plans to finalize all actions associated with this recommendation by March 2017.
    Recommendation: To help FPS enhance its strategic human capital planning efforts, the Secretary of Homeland Security should direct the Under Secretary of NPPD to work with the Director of FPS to establish a plan and time frames for updating FPS's staffing model regularly and for unexpected changes in operating conditions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS stated that it has conducted a review and gap analysis of its existing staffing model to identify additional features it needs to incorporate into the model. FPS also began to develop a data collection plan that will, among other things, identify data needed and how FPS will validate the data. The results of the gap analysis and data collection plan will be used to establish a plan, with timeframes, for updating the staffing model regularly and when unexpected changes in operating conditions occur. FPS plans to finalize all actions associated with this recommendation by March 2017.
    Recommendation: To help FPS enhance its strategic human capital planning efforts, the Secretary of Homeland Security should direct the Under Secretary of NPPD to work with the Director of FPS to develop and document guidance on the process FPS will use to ensure the quality of its staffing model data, such as guidance on how to collect data, validate assumptions, and perform sensitivity analyses to assess the assumptions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS is in the process of developing documentation that will govern the process it will use to collect data and ensure data quality. FPS plans to finalize all actions associated with this recommendation by March 2017.
    Director: Chris Currie
    Phone: (404) 679-1875

    3 open recommendations
    Recommendation: To enhance accountability for key risk-management activities and facilitate coordination with federal and industry stakeholders regarding electromagnetic risks, the Secretary of Homeland Security should designate roles and responsibilities within the department for addressing electromagnetic risks and communicate these to federal and industry partners.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the Cyber, Infrastructure and Resilience (CIR) Policy Office within the DHS Office of Policy is working with DHS components to identify and articulate the roles of the National Protection and Programs Directorate, Federal Emergency Management Agency, Science and Technology Directorate, and others regarding to address electromagnetic risks. As part of this effort, CIR is to coordinate the development of a joint roles and responsibilities document to be communicated through existing partnership structures with internal and external entities.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the National Protection and Programs Directorate (NPPD) will increase collaborative outreach activities with FERC staff that will include a review of identified critical substations developed by FERC. The intended outcome of this review is to inform DHS activities regarding identification and prioritization of critical infrastructure assets for use during steady state and response activities. NPPD is also to inform FERC of its criticality modeling capabilities through the National Infrastructure Simulation and Analysis Center (NISAC) to enhance engagement with FERC's electric power subject matter expertise and inform future capability developments regarding response to and recovery from events such as electromagnetic pulse.
    Recommendation: To enhance federal efforts to assess electromagnetic risks and help determine protection priorities, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate and the Assistant Secretary for the IP to work with other federal and industry partners to collect and analyze key inputs on threat, vulnerability, and consequence related to electromagnetic risks--potentially to include collecting additional information from DOD sources and leveraging existing assessment programs such as the Infrastructure Survey Tool, Regional Resiliency Assessment Program, and DCIP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update, DHS reported that the department had completed the planned refresh of the Strategic National Risk Assessment, which was intended to incorporate potential impacts to the power system from electromagnetic events. In addition, DHS reported that the Electricity Sub-sector Coordinating Council created an Electromagnetic pulse (EMP) task force, which met in April 2016 and is currently working to develop a joint industry and government approach to address EMP. It was further noted that DHS and DOE initiated a joint study on the effects of EMP on the electric power sector - led by Los Alamos National Laboratory and the National Infrastructure Simulation and Analysis Center (NISAC) - to analyze the hazard environments, impacts, and consequences of EMP and GMD on U.S. electric power infrastructure. In addition, DHS noted their support of a new effort by the Electric Power Research Institute and 39 industry partners to further study EMP vulnerabilities.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that its Office of the Chief Information Officer (OCIO) developed a scorecard to track progress for each of the data center optimization areas. According the department's scorecard, the department reported meeting 3 of 10 optimization targets, but did not meet the remaining 7 targets. DHS's OCIO noted that they would update this scorecard quarterly in alignment with Federal Data Center Consolidation Initiative data collection. DHS's OCIO expected to complete implementation of this recommendation by November 30, 2016. However, as of July 2017, DHS reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: To enhance Department of Homeland Security's (DHS) U.S. Immigration and Customs Enforcement's (ICE) ability to make more effective business decisions across immigration detention facilities with respect to the provision of medical care, the Secretary of Homeland Security should direct ICE to track inspection results and conduct analyses of oversight data over time, by standards, and by facility type.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of May 2017, ICE has not provided a status update regarding the implementation of this recommendation. We will provide updated information after confirming any agency actions.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    11 open recommendations
    Recommendation: To ensure that the HRIT investment receives necessary oversight and attention, the Secretary of Homeland Security should direct the Under Secretary of Management to ensure that the HRIT executive steering committee is consistently involved in overseeing and advising HRIT, including approving key program management documents, such as HRIT's operational plan, schedule, and planned cost estimate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS provided documentation demonstrating that the HRIT executive steering committee is consistently involved in overseeing and advising HRIT in response to our recommendation. DHS also provided documentation demonstrating that the Executive Steering Committee approved HRIT's operational plan for fiscal years 2016-2018. However, DHS still needs to demonstrate that the HRIT ESC has approved the schedule and cost estimate for HRIT.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to update and maintain a schedule estimate for when DHS plans to implement each of the strategic improvement opportunities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to HRIT officials, in response to our recommendation, DHS has developed an implementation plan, including a schedule estimate, for addressing HRIT's strategic improvement opportunities. We will continue to follow-up with them for documentation of this implementation plan.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to develop a complete life-cycle cost estimate for the implementation of HRIT.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS prepared an independent cost estimate for the HRIT investment. When developing this estimate, the cost estimators made many assumptions about HRIT's strategic improvement opportunities that had not yet been defined, such as the scope and the preliminary acquisition strategies for each. We will continue to follow-up with DHS for supporting documentation for this estimate in order to better understand it.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to document and track all costs, including components' costs, associated with HRIT.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with the recommendation and is working to implement it. While DHS provided certain cost tracking information for HRIT, this information was incomplete and did not demonstrate ongoing tracking of all costs. We will continue to follow-up with DHS to obtain additional documentation.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to update and maintain the department's human resources system inventory.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS provided its updated human resources systems inventory that it developed in response to our recommendation. According to officials, the list is reviewed and updated on an annual basis or as-needed when a system is deployed or retired. We will continue to monitor this recommendation to ensure that DHS is maintaining this inventory.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to establish a time frame for deciding whether PALMS will be fully deployed at the Federal Emergency Management Agency (FEMA) and the U.S. Coast Guard (USCG), and determine an alternative approach if the learning and/or performance management capabilities of PALMS are deemed not feasible for the U.S. Immigration and Customs Enforcement, FEMA, the Transportation Security Administration, or USCG.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials stated that PALMS will not be fully deployed at FEMA, USCG, ICE, or TSA. The officials stated that future Human Resources Information Technology (HRIT) programs will include enhancing learning management and performance management capabilities. Officials stated that the details related to these efforts are to be discussed in the HRIT strategic improvement opportunity implementation plan. We will continue to follow-up with DHS for documentation of this plan.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to develop a comprehensive life-cycle cost estimate, including all government and contractor costs, for the PALMS program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials stated that the PALMS program will move into an operations and maintenance phase once the PALMS learning management capabilities are deployed to U.S. Secret Service. As such, DHS does not plan to develop an updated life-cycle cost estimate (LCCE) for PALMS. We will continue to follow-up with DHS for documentation of PALMS's actual costs, including government costs.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to develop and maintain a single comprehensive schedule that includes all government and contractor activities, and includes all planned deployment milestones related to performance management.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, the PALMS program office updated its integrated master schedule. However, this schedule has not been appropriately maintained. We will continue to follow-up with DHS officials on this recommendation.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to track and monitor all costs associated with the PALMS program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with the recommendation and is working to implement it. DHS provided certain cost tracking information for PALMS, but this information did not include government costs or certain past PALMS costs, such as 2017 costs for the Federal Law Enforcement Training Centers' ongoing use of PALMS. We will continue to follow-up with DHS officials on this recommendation.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to document PALMS's progress and milestone reviews, including all issues and corrective actions discussed.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS is documenting certain PALMS progress reviews. We have requested documentation related to U.S. Secret Service's deployment of PALMS, to determine whether the Service conducted and documented a milestone review prior to deploying the system.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to establish a comprehensive risk log that maintains an aggregation of all up-to-date risks (including both government- and vendor-identified)and associated mitigation plans. Additionally, within the comprehensive risk log, the PALMS program office should (1) identify and document planned completion dates for each risk mitigation step (where appropriate), and (2) prioritize the risks by determining each risk's relative priority and overall risk level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS updated its PALMS risk register. However, this register was not comprehensive. We will continue to follow-up with DHS officials on this recommendation.
    Director: Chris Currie
    Phone: (404) 679-1875

    1 open recommendations
    Recommendation: To enable FEMA to and more effectively respond to disasters, the Secretary of Homeland Security should direct the FEMA Administrator to develop a workforce strategy to manage and improve retention that includes a process for systematically gathering attrition data and a plan to retain IMAT Cadre-of On-Call Response Employees.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, FEMA provided an update on the status of actions taken in response to our report. In the update, FEMA officials said they had issued a new FEMA Human Capital Strategic Plan for fiscal years 2016-2020 that includes an objective to build a scalable and skilled workforce with associated measures including a decrease in attrition rate for permanent full time employees, and an increase in disaster workforce through improvements in the recruitment and retention of incident management employees. FEMA also stated that pay issues and work-life balance have been identified as contributing to retention on National Type I and Regional Type II IMATs. FEMA is actively addressing the pay issues. FEMA provided a brief summary of the actions being taken--which includes development of a policy that provides information on establishing base pay under the new pay system, movement within the pay bands, and merit-based increases is in development. Until completion of the action items, this recommendation will remain open. FEMA officials plan to provide a status update in October 2017.
    Director: Chris P. Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To promote more effective grant management coordination, the Secretary of Homeland Security should direct the FEMA Administrator to develop a plan with time frames, goals, metrics and milestones detailing how Grant Programs Directorate intends to resolve longstanding challenges associated with its existing hybrid grants management model, which divides responsibilities between regional and headquarters staff.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of March 2017, FEMA did not believe a plan was warranted to address long-standing coordination issues associated with its existing hybrid grants management model, as recommended in GAO's February 2016 report. According to the Department of Homeland Security, FEMA believes strongly in the importance of close and collaborative relationships between headquarters and regional grants staff. Further, FEMA stated the Grant Programs Directorate at headquarters already has in place numerous steps to ensure coordination and collaboration with regional grants staff. However, these steps by FEMA were already in place when GAO conducted its review in 2015 and early 2016, yet GAO identified continuing challenges related to coordination between headquarters and regions in conducting monitoring visits and providing consistent guidance to state grantees. As a result, GAO continues to believe that without a plan with time frames, goals, metrics, and milestones detailing how officials intend to resolve long-standing challenges associated with FEMA's existing hybrid grants management model, these challenges will continue to hamper the effectiveness of interactions between FEMA and state and local stakeholders in implementing the grant programs.
    Recommendation: To enable more sophisticated and comprehensive awareness of states' NIMS implementation, the Secretary of Homeland Security should direct the FEMA Administrator to develop policies and procedures for regional staff to review after-action reports from preparedness exercises within their region, and headquarters staff to review these evaluations in order to have a better understanding of NIMS implementation.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In March 2017, FEMA officials provided an update on the status of actions taken in response to our report. In the update, FEMA officials said the National Integration Center (NIC) is holding consultative sessions with state and local emergency managers to ensure the revised National Incident Management System (NIMS) doctrine and implementation objectives is operationally sound from the perspective of FEMA's stakeholders. They expect to complete this effort by September 30, 2017. Pending completion of this effort, the recommendation will remain open.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that it is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and Encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 17. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any output/results (findings) from the ongoing studies DHS has related to SCADA and Encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed, refined, and were baselining a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures as an addition to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for update on the status of data correlation, once available. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To better facilitate adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity, the Secretary of Homeland Security should direct officials responsible for the Critical Infrastructure Cyber Community Voluntary Program to develop metrics for measuring the effectiveness of efforts to promote and support the framework.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In December 2016, DHS officials stated that they will continue to work with sector-specific agency partners and NIST to determine how to develop measurement activities and collect information on C3VP outreach and its effectiveness in promoting and supporting the Cybersecurity Framework. We will continue to monitor their efforts and verify whether implementation of metrics has occurred.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    4 open recommendations
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should establish a plan with timeframes for reaching agreement on a joint strategy and finalizing it in order to define and articulate a common understanding of expected outcomes and align the two agencies' activities and core processes to achieve their related missions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it will begin the process for completing a joint strategy for federal security once its memorandum of agreement with the General Services Administration is updated and signed.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should establish a plan with timeframes for reaching agreement on the two agencies' respective roles and responsibilities for federal facility security, and update and finalize the two agencies' MOA accordingly.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it is working internally to prepare the memorandum of agreement for review and signature by the FPS Director, pending no additional changes are required to the document.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should develop a process to ensure that compatible policies and procedures, including those for information sharing, are communicated at the regional level so that regional officials at both agencies have common information on how to operationalize the two agencies' collaborative efforts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it will begin the process for the issuance of a joint field guidance for working with the General Services Administration (GSA) once its memorandum of agreement with GSA is updated and signed.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should develop mechanisms to monitor, evaluate, and report on their collaborative efforts to protect federal facilities in order to identify possible areas for improvement and to reinforce accountability.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it will begin the process for the appointment of an FPS-GSA Liaison once its memorandum of agreement with GSA is updated and signed.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    5 open recommendations
    including 3 priority recommendations
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to conduct regular fraud risk assessments across the affirmative asylum application process.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In October 2016, DHS indicated that USCIS had established a working group and collected fraud trend information from all eight asylum offices that will be used to inform the development of a risk assessment framework. As of January 2017, USCIS reported that the Asylum Division is continuing to develop the risk assessment framework and is working on an initial draft. According to USCIS, the Asylum Division, in cooperation with other relevant internal stakeholders such as USCIS's Fraud Detection and National Security Directorate, plans to develop an assessment tool and implementation plan for completing regular fraud risk assessments of the affirmative asylum process, with the first assessment to be completed no later than the end of fiscal year 2017. Regularly assessing fraud risks across the affirmative asylum process would provide USCIS more complete information on risks that may affect the integrity of the process and therefore help USCIS target its fraud prevention efforts to those areas that are of highest risk.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to develop and implement a mechanism to collect reliable data, such as the number of referrals to FDNS from asylum officers, about FDNS's efforts to combat asylum fraud.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In January 2016, USCIS reported that FDNS is making improvements in its database for maintaining data and information on all FDNS activities, including activities associated with asylum fraud investigations. USCIS reported that FDNS planned to update database system guides and associated training materials, and conduct training for all users by September 2016. As of October 20, 2016, USCIS had not provided GAO with additional updates to the status of this recommendation. Developing and implementing a mechanism to collect reliable data, such as the number of referrals to FDNS from asylum officers, should help FDNS's efforts to combat asylum fraud.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to identify and implement tools that asylum officers and FDNS immigration officers can use to detect potential fraud patterns across affirmative asylum applications.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In February 2016, DHS indicated that USCIS had allotted fiscal year 2016 funds in support of initial acquisition activities for tools to detect potential fraud patterns across affirmative asylum applications. USCIS reported that FDNS and DHS's Homeland Security Advanced Research Projects Agency are conducting an Analysis of Alternatives (AoA) to evaluate and compare operational effectiveness, suitability, costs, and risks associated with alternative solutions. In October 2016, DHS officials indicated that FDNS and DHS's Homeland Security Advanced Research Projects Agency have completed an AoA and presented the results to FDNS leadership. According to USCIS, FDNS identified a hardware solution and began acquisition planning for this hardware in September 2016. As of October 2016, RAIO FDNS is working with USCIS's Office of Information Technology and other DHS components, including the DHS Science and Technology Directorate, to study options. Based upon this additional work, and dependent on securing necessary funding, USCIS reported that it expects to complete the analysis of additional tools by September 30, 2017. Identifying and implementing new tools to detect fraud patterns would help USCIS ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent asylum fraud.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to require FDNS immigration officers to prescreen all asylum applications for indicators of fraud to the extent that it is cost-effective and feasible.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that some asylum offices have strengthened their capability to detect and prevent fraud by using immigration officers from USCIS's Fraud Detection and National Security Directorate (FDNS) to prescreen affirmative asylum applications; however, the use of this practice varied across asylum offices. In October 2016, DHS stated that FDNS had completed an initial review of all locally-developed prescreening policies and was working to analyze them comprehensively. Since completing this analysis, USCIS has been drafting a memorandum and companion guidance to be provided to the asylum offices, which USCIS officials stated will establish the framework for a national prescreening program. As of March 2017, USCIS reported that it expects to complete the guidance by September 30, 2017. Greater use of prescreening could allow FDNS to identify fraud trends and detect patterns that may not be evident in a small sample of asylum applications.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to include a review of potential fraud indicators in future random quality assurance reviews of asylum applications.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In December 2015, GAO reported that U.S. Citizenship and Immigration Services (USCIS) had implemented some quality assurance procedures for asylum decisions that are designed to ensure asylum officers' decisions are legally sufficient. However, GAO found that USCIS's random quality assurance reviews of asylum cases did not include an examination of potential indicators of fraud in the case file. Thus, GAO recommended that USCIS include a review of potential fraud indicators in future random quality assurance reviews of asylum applications. As of January 2016, USCIS's Asylum Division had revised its quality assurance checklist to include a fraud-specific section that will help the reviewers evaluate whether any fraud indicators were properly identified, analyzed, and processed by asylum officers. According to Asylum Division officials, the revised checklist will be used for all general random quality assurance reviews of asylum cases, and officials stated that the next such random review is scheduled for fiscal year 2017. To fully address this recommendation, upon completion of the fiscal year 2017 review, USCIS plans to provide GAO with documentation that the revised checklist was used.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow-up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Director: Timothy M. Persons
    Phone: (202) 512-6412

    2 open recommendations
    Recommendation: To help ensure that biosurveillance-related funding is directed to programs that can demonstrate their intended capabilities, and to help ensure sufficient information is known about the current Gen-2 system to make informed cost-benefit decisions about possible upgrades and enhancements to the system, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs and other relevant officials within the Department to not pursue upgrades or enhancements to the current BioWatch system until the Office of Health Affairs (OHA): (1) establishes technical performance requirements, including limits of detection, necessary for a biodetection system to meet a clearly defined operational objective for the BioWatch program by detecting attacks of defined types and sizes with specified probabilities; (2) assesses the Gen-2 system against these performance requirements to reliably establish its capabilities; and (3) produces a full accounting of statistical and other uncertainties and limitations in what is known about the system's capability to meet its operational objectives.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help reduce the risk of acquiring immature detection technologies, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs, in coordination with the Under Secretary for Science and Technology, to use the best practices outlined in this report to inform test and evaluation actions for any future upgrades or changes to technology for BioWatch.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To address PKEMRA, the Secretary of Homeland Security should take action to address the requirements of Section 692 to implement subcontractor limitations or request that Congress amend the law to delete Section 692.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In 2016, DHS took steps to ask Congress to repeal PKEMRA Section 692, which prohibits the use of subcontracts for more than 65 percent of the cost of cost-reimbursement type contracts that exceed the simplified acquisition threshold. DHS submitted a legislative change proposal to the Office of Management and Budget (OMB), who approves such proposals before they are submitted to Congress. OMB approved the proposed change for PKEMRA Section 692 in April 2016. We will provide additional updates as information becomes available.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Homeland Security should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department did not include reinvestment plans for two cost avoidances strategies related to the Office of Management and Budget's PortfolioStat initiative that have resulted approximately $96 million in cost avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Director: Kimberly Gianopoulos
    Phone: (202)512-8612

    1 open recommendations
    Recommendation: To strengthen agency performance measurement related to deterring child smuggling, the Secretary of Homeland Security should instruct DHS's U.S. Immigration and Customs Enforcement to establish annual performance targets associated with the performance measures it has established for its Transnational Criminal Investigative Units.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on the report in July 2015, the Department of Homeland Security stated that it concurred with this recommendation, and that it would work with host nation partners to establish goals to measure these units' investigative activities and capacity development. In September 2015, DHS noted that it planned to use law enforcement data to measure TCIU success rates and inform efforts going forward. GAO has followed up with DHS--most recently in June 2017--on the status of its efforts to establish performance targets, but has not yet received a response.
    Director: Chris Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To ensure the accuracy of the data submitted by chemical facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD, in the interim, to identify potentially miscategorized facilities with the potential to cause the greatest harm and verify the Distance of Concern these facilities report is accurate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, as of November 2016 ISCD completed its assessment of all Top-Screens which reported threshold quantities of release-toxic chemicals of interest and identified 158 facilities with the potential to cause the greatest harm. ISCD contacted all 158 facilities and received revised Top-Screens from 101, according to ISCD officials. ISCD halted pursuit of revised Top-Screens from the remaining facilities during summer 2016 in anticipation of the pending release of CSAT 2.0, the Top-Screen application, which both eliminates the Distance of Concern question and will result in all remaining facilities being required to submit a new Top-Screen upon the activation of CSAT 2.0. CSAT 2.0 was activated October 1, 2016, and DHS sent a letter to each of the remaining facilities informing them of their obligation to submit a new top-screen, according to ISCD officials. ISCD is continuing to monitor the resolution of the remaining cases and expects to have assessed updated Top-Screens for all of them within the first or second quarter of 2017. We will update the status of this recommendation after additional information is received from DHS.
    Recommendation: In addition, to better manage compliance among high-risk chemical facilities and demonstrate program results, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD to develop documented processes and procedures to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, ISCD is nearing finalization of the updated CFATS Inspection Standard Operating Procedure (SOP) and has made progress on the new CFATS Enforcement SOP. Once completed, expected in mid-2017, these two documents collectively will formally document the processes and procedures currently being used to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans, according to ISCD officials. We will update the status of this recommendation after additional information is received from DHS.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    8 open recommendations
    Recommendation: To better ensure that DHS complies with TVPRA requirements for training, screening, and transferring UAC to HHS, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to develop and implement TVPRA training for OFO officers at airports who have substantive contact with UAC.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Office of Field Operations (OFO) within U.S. Customs and Border Protection (CBP), in collaboration with U.S. Immigration and Customs Enforcement, conducted a "Train-the-Trainer" conference in August 2015 that focused on juvenile and unaccompanied alien children (UAC). The conference, among other things, addressed screening requirements for UAC consistent with Trafficking Victims Protection Reauthorization Act of 2008 (TVPRA). CBP officers who received this additional training were then responsible for training other officers who process UAC at the ports of entry. According to CBP, while the conference was comprehensive, it did not fully encompass CBP's needs. In June 2016, CBP reported that OFO, Office of Chief Counsel, and a headquarters-level working group on UAC issues are finalizing a revised Form CBP-93 and with that are developing a detailed, relevant Train-the-Trainer course for officers responsible for TVPRA at all CBP ports of entry. In December 2016, CBP notified GAO that OFO, in coordination with CBP's Office of Training and Development, was concluding the design and embarking on the development phase of a distance learning course, tentatively entitled "Processing, Holding, and Transfer of Unaccompanied Alien Children by CBP." This course will be an annual requirement for all OFO officers. In April 2017, CBP reported that OFO was no longer pursuing a separate Train-the-Trainer course for CBP officers at air ports of entry. However, CBP continues to develop a new UAC training course. The new course is a collaborative effort between OFO and USBP, in consultation with CBP's Office of Chief Counsel, and in partnership with CBP's Office of Training and Development (OTD) to develop, deconflict, and revise training consistent with requirements under TVPRA, specifically outlining rules to identify and screen UAC, among other things. As of September 2017, CBP estimates that they will finalize the training module by June 2018. To fully address this recommendation, CBP needs to ensure that OFO officers at airports who have substantive contact with UAC complete this training.
    Recommendation: To better ensure that DHS complies with TVPRA requirements for training, screening, and transferring UAC to HHS, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to revise the Form 93 to include indicators or questions that agents and officers should ask UAC to better assess (1) a child's ability to make an independent decision to withdraw his or her application for admission to the United States and (2) credible evidence of the child's risk of being trafficked if returned to his or her country of nationality or last habitual residence.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2015, CBP officials stated that CBP formed a working group in headquarters with representatives from the department's Office of Policy and Office for Civil Rights and Civil Liberties to examine the screening process for UAC. In addition, CBP officials noted that CBP is in the process of convening a similar group in the field. According to CBP officials, the working group meets weekly and is coordinating with nongovernmental organizations and the United Nations High Commissioner for Refugees, among others. As of June 30, 2016, CBP reported that CBP's Office of Field Operations (OFO) and U.S. Border Patrol (BP) have finalized and routed the Form CBP-93 to the OFO Executive Assistant Commissioner and United States Border Patrol Chief for final approval. As of June 2017, the revised CBP Form 93 is still under review and CBP officials estimate that the review process will be completed by December 31, 2017. To fully address this recommendation, CBP should revise the Form 93 to include indicators or questions that CBP officers and Border Patrol agents should ask UAC relative to their ability to make an independent decision and regarding the potential risk of the UAC being trafficked if returned to their country of nationality or last habitual residence.
    Recommendation: To better ensure that DHS complies with TVPRA requirements for training, screening, and transferring UAC to HHS, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to provide guidance to Border Patrol agents and OFO officers that clarifies how they are to implement the TVPRA requirement to transfer to HHS all Mexican UAC who have fear of returning to Mexico owing to a credible fear of persecution.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In commenting on a draft of our report, DHS indicated that CBP's U.S. Border Patrol (USBP) and Office of Field Operations (OFO) would issue further guidance to agents and officers emphasizing TVPRA transfer procedures for UAC who are nationals or habitual residents of Canada or Mexico and who are victims of a severe form of trafficking in persons. In September 2015, CBP reported that USBP and OFO estimated implementing this additional guidance by the end of calendar year 2015. In January 2016, CBP reported to GAO that, since June 2015, a headquarters level working group had been reviewing CBP's screening process for UAC. According to CBP officials, the activities of this working group will influence the guidance that will be deployed to Border Patrol agents and OFO officers and that USBP and OFO will be working together to develop additional guidance to the field by September 2016. In December 2016, CBP notified GAO that Border Patrol and OFO have partnered with CBP's Office of Training and Development, as well as the Office of Chief Counsel, to develop a distance learning course, tentatively entitled "Processing, Holding, and Transfer of Unaccompanied Alien Children by CBP." According to CBP, this course will be an annual requirement for all CBP agents and officers. As of September 2017, CBP estimates that they will finalize the training module by June 2018. To fully address this recommendation, CBP should ensure that this distance learning training module on how to implement the Trafficking Victims Protection Reauthorization Act of 2008 (TVPRA) criteria is developed and implemented, as required by CBP policy, to all Border Patrol agents and OFO officers.
    Recommendation: To better ensure that DHS complies with TVPRA requirements for training, screening, and transferring UAC to HHS, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to develop and implement guidance on how Border Patrol agents and OFO officers are to implement the TVPRA requirement to transfer to HHS all Canadian and Mexican UAC who are victims of a severe form of trafficking in persons.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In commenting on a draft of our report, DHS indicated that CBP's U.S. Border Patrol (USBP) and Office of Field Operations (OFO) would issue further guidance to agents and officers emphasizing TVPRA transfer procedures for UAC who are nationals or habitual residents of Canada or Mexico and who are victims of a severe form of trafficking in persons. In September 2015, CBP reported that USBP and OFO estimated implementing this additional guidance by the end of calendar year 2015. In January 2016, CBP reported to GAO that, since June 2015, a headquarters level working group has been reviewing CBP's screening process for UAC. According to CBP officials, the activities of this working group will influence the guidance that will be deployed to Border Patrol agents and OFO officers and that USBP and OFO will be working together to develop additional guidance to the field by September 2016. In December 2016, CBP notified GAO that Border Patrol and OFO have partnered with CBP's Office of Training and Development as well as the Office of Chief Counsel to develop a distance learning course, tentatively entitled "Processing, Holding, and Transfer of Unaccompanied Alien Children by CBP." According to CBP, this course will be an annual requirement for all CBP agents and officers. As of September 2017, CBP estimates that they will finalize the training module by June 2018. To fully address this recommendation, CBP should ensure that this distance learning training module on how to implement the Trafficking Victims Protection Reauthorization Act of 2008 (TVPRA) criteria is developed and implemented, as required by CBP policy, to all Border Patrol agents and OFO officers.
    Recommendation: To better ensure that DHS complies with TVPRA requirements for training, screening, and transferring UAC to HHS, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to ensure that Border Patrol agents document the basis for their decisions when assessing screening criteria related to (1) an unaccompanied alien child's ability to make an independent decision to withdraw his or her application for admission to the United States, and (2) whether UAC are victims of a severe form of trafficking in persons.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of December 2015, CBP officials reported that an internal working group charged with assessing UAC screening procedures was considering issues related to independent decision-making and appropriate documentation as it develops a revised screening tool. As of June 30, 2016, CBP reported that CBP's Office of Field Operations (OFO) and U.S. Border Patrol (BP) had finalized and routed a revised CBP Form 93 to the OFO Executive Assistant Commissioner and United States Border Patrol Chief for final approval. As of August 31, 2016, the revised CBP Form 93 was still under review and CBP officials estimated that the review process would be completed by December 31, 2016. In January 2017, CBP notified GAO that the expected completion date for the revised form is April 2017, and that direction to Border Patrol agents on the new form would be delivered by June 2017. In June 2017, CBP told GAO that Border Patrol and other CBP partners were continuing to determine which changes are necessary to the CBP Form 93 and estimated that these efforts would not be completed until December 31, 2017. As of September 2017, CBP reported that these efforts would not be completed until June 2018. To fully address this recommendation, CBP should ensure that Border Patrol agents document the basis for their decisions when assessing screening criteria related to (1) an unaccompanied alien child's ability to make an independent decision to withdraw his or her application for admission to the United States, and (2) whether UAC are victims of a severe form of trafficking in persons.
    Recommendation: To better ensure that DHS complies with TVPRA requirements for training, screening, and transferring UAC to HHS, the Secretary of Homeland Security should direct the Commissioner of U.S. Customs and Border Protection to determine which agents and officers who have substantive contact with UAC, complete the annual UAC training, and ensure that they do so, as required.

    Agency: Department of Homeland Security
    Status: Open

    Comments: On July 1, 2015, the Assistant Commissioner for Field Operations (OFO) disseminated a memorandum to all OFO Field Office Directors regarding the mandatory annual UAC training requirement. The Assistant Commissioner directed all Field Offices to ensure that officers completed the required training by December 31, 2015 (the memo also specified which officers are required to complete the training). On July 31, 2015, the Chief of the U.S. Border Patrol disseminated a memorandum to all Chief Patrol Agents and Directorate Chiefs for dissemination to all uniformed personnel, including supervisors, regarding the mandatory annual UAC training requirement. CBP documentation indicates that CBP implemented a new learning management system mandated by DHS on July 13, 2015, through which online training courses are offered to all CBP employees. Further, in 2016 DHS added a feature to this system that provided the capability to produce reports on courses completed by CBP employees. In April 2017, CBP provided 2016 data on the OFO officers and Border Patrol agents that had completed the required UAC training course. According to the data, 23 percent of OFO officers and 7 percent of Border Patrol agents required to complete the training had not done so. CBP officials stated that they plan to take steps to increase the percent of agents and officers who complete the required training in 2017 and will provide new data to GAO in early 2018. To fully address this recommendation, Border Patrol and OFO should ensure that all required personnel have completed the annual training, as required.
    Recommendation: To help ensure that DHS has complete and reliable data needed to ensure compliance with the UAC time-in-custody requirement under TVPRA and for required reports on UAC time in custody under the Flores Agreement, the Secretary of Homeland Security should require ICE officers to record accurate and reliable data in their automated system when UAC leave ICE custody in order to track the length of time UAC are in ICE custody.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a July 23, 2015 memo, ICE's Assistant Director for Custody Management, with concurrence from the Acting Assistant Director for Field Operations, provided instructions to all ICE Field Office Directors, Deputy Field Office Directors, and Field Office Juvenile Coordinators (FOJCs) with instructions for processing juveniles, including unaccompanied alien children (UAC). The memo stated that FOJCs or assigned officers must immediately book UAC into ICE's automated system upon the UAC's transfer into ICE's custody (including ICE transportation contractors). The instructions state that no more than 4 hours may elapse without recording the UAC's time in ICE custody. Further, the instructions stated that when ICE transfers UAC to a new location, that FOJCs, or other assigned officers, must also ensure that ICE's automated system is updated to reflect the exact location of the transfer. According to ICE, these instructions are to be included in a juvenile processing handbook that will provide detailed instructions for officers in processing and managing juvenile cases. ICE expects to complete this handbook by June 30, 2016. As of October 2016, the handbook was still being cleared within ICE. To fully implement our recommendation, ICE should require that officers record accurate and reliable data (date and time) in their automated system when UAC leave ICE custody.
    Recommendation: To increase the efficiency and improve the accuracy of the interagency UAC referral and placement process, the Secretaries of Homeland Security and Health and Human Services should jointly develop and implement a documented interagency process with clearly defined roles and responsibilities, as well as procedures to disseminate placement decisions, for all agencies involved in the referral and placement of UAC in HHS shelters.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2015, DHS stated that the department was collaborating with HHS on finalizing a Memorandum of Agreement (MOA) regarding UAC procedures. According to DHS, the MOA is meant to provide a framework for interagency coordination on the responsibilities of the parties in coordinating and establishing procedures, shared goals, and interagency cooperation with respect to UAC. In February 2016, DHS and HHS finalized the MOA. The MOA states that DHS and HHS agree to establish a Joint Concept of Operations (JCO) that should be completed no later than one year following the signing of the MOA. According to the MOA, the JCO should include, among other things, standard protocols for consistent interagency cooperation on the care, processing, and transport of UAC during both steady state operations, as well as in the event the number of UAC exceeds the standard capabilities of the departments to process, transport, and/or shelter with existing resources. As of February 2017, HHS told GAO that HHS and DHS are still in the process of drafting the JCO. To fully address the recommendation, DHS and HHS will need to ensure that the JCO, once finalized and implemented, includes a documented interagency process with clearly defined roles and responsibilities, as well as procedures to disseminate placement decisions, for all agencies involved in the referral and placement of UAC in HHS shelters.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has taken steps to implement this recommendation. Specifically, it developed inventories for the two components we reviewed. The department also reported that it had identified all components' devices. However, as of August 2017, it had not provided evidence that all the components had an inventory of unique devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has taken steps to implement the recommendation, but more needs to be done. Specifically, in May 2017, the department developed an enterprise-wide inventory of mobile service contracts; however, the department has not demonstrated that it has maintained the inventory quarterly. We will continue to monitor the department's efforts to fully implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has not implemented the recommendation. In August 2017, a Program Management Specialist in the Office of the Chief Information Office described steps the department was taking as it considers a follow-on to its department-wide blanket purchase agreement for wireless expense management services. We will continue to monitor the department's efforts to implement the recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To improve Transformation Program governance, the Secretary of DHS should direct the Under Secretary for Management to ensure that the Acquisition Review Board is effectively monitoring the Transformation Program's performance and progress toward a predefined cost and schedule; ensuring that corrective actions are tracked until the desired outcomes are achieved; and relying on complete and accurate program data to review the performance of the Transformation Program against stated expectations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of August 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. Since we issued this recommendation in May 2015, the Office of Program Accountability and Risk Management (PARM), which serves as the Acquisition Review Board (ARB) executive secretariat and is to oversee DHS's acquisition portfolio, in coordination with the Office of the Chief Information Officer, has actively increased program oversight. For example, beginning in May 2015, the U.S. Citizenship and Immigration Services (USCIS) demonstrated that it submitted data supporting cost, schedule, and technical performance metrics to DHS on a monthly basis. The ARB has also held a number of meetings to discuss the Transformation Program and issued associated Acquisition Decision Memoranda with related action items. In addition, in February 2016, PARM demonstrated that DHS developed a procedure to help ensure acquisition decision memorandum actions, including corrective actions, are tracked until the desired outcomes are achieved. However, as of August 2017, the USCIS Transformation Program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline cost and schedule expectations. During this strategic pause, the program is working to complete various action items assigned by the Acquisition Review Board, including completing an updated Release Roadmap and submitting it to PARM no later than December 29, 2017; updated Lifecycle Cost Estimate and providing it to the Cost Analysis Division no later than December 29, 2017; updated Test and Evaluation Master Plan and submitting it to the Office of Test and Evaluation no later than January 31, 2018; and an updated Acquisition Program Baseline and providing it to PARM no later than December 29, 2017. We will continue to monitor DHS?s efforts to re-baseline the USCIS Transformation Program and the Acquisition Review Board's efforts to monitor the Transformation Program's performance and progress toward a predefined cost and schedule; ensure that corrective actions are tracked until the desired outcomes are achieved; and rely on complete and accurate program data to review the performance of the Transformation Program against stated expectations until and after a new baseline is established.
    Recommendation: To improve Transformation Program governance, the Secretary of DHS should direct the DHS Under Secretary for Management, in coordination with the Director of US Citizenship and Immigration Services, to ensure that the Executive Steering Committee is effectively monitoring the Transformation Program's performance and progress toward a predefined cost and schedule and relying on complete and accurate program data to review the performance of the Transformation Program against stated expectations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of August 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. More specifically, as of July 2016, the U.S. Citizenship and Immigration Services (USCIS) Transformation program office provided evidence that the Executive Steering Committee (ESC) continued to discuss cost, schedule, and operational performance metrics as part of the program's ESC meetings. However, as of August 2017, the USCIS Transformation Program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline its cost and schedule expectations. During this strategic pause, the program is working to complete various action items assigned by the Acquisition Review Board, including completing an updated Release Roadmap and submitting it to the Office of Program Accountability and Risk Management (PARM) no later than December 29, 2017; updated Lifecycle Cost Estimate and providing it to the Cost Analysis Division no later than December 29, 2017; updated Test and Evaluation Master Plan and submitting it to the Office of Test and Evaluation no later than January 31, 2018; and an updated Acquisition Program Baseline and providing it to PARM no later than December 29, 2017. In addition, according to the program?s August 2017 Acquisition Decision Memorandum, the ESC has been transformed into a component-only body with no headquarters involvement, and the program was to establish a Program Management Integrated Product Team, which was to meet bi-weekly beginning in September 2017. We will continue to monitor DHS's efforts to re-baseline the USCIS Transformation Program, the impact of changes to the ESC, and the ESC?s efforts to effectively monitor the Transformation Program's performance and progress toward a predefined cost and schedule and rely on complete and accurate program data to review the performance of the Transformation Program against stated expectations until and after a new program baseline is established.
    Recommendation: To help ensure that assessments prepared by the Office of the Chief Information Officer in support of the department's updates to the federal IT Dashboard more fully reflect the current status of the Transformation Program, the Secretary of DHS should direct the department's Chief Information Officer to use accurate and reliable information, such as operational assessments of the new architecture and cost and schedule parameters approved by the Under Secretary of Management.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. In particular, in February 2016, the DHS Office of the Chief Information Officer (OCIO), in coordination with the Office of Program Accountability and Risk Management (PARM), had consolidated the department's Investment Management System and Next Generation Periodic Reporting System tools into a single enterprise information management and repository system named Investment Evaluation, Submission, and Tracking (INVEST). According to the department, this effort should improve the reliability of the metrics used by OCIO's Enterprise Business Management Office (EBMO), as well as the other line of business and component program offices, and ensure data integrity. The data reported in INVEST include cost, schedule, and operational performance metrics that are to align with the OMB's Information Technology (IT) Dashboard reporting requirements. In addition, as of September 2017, the program was listed as a high-risk program on the federal IT dashboard, in contrast to its April 2015 rating of medium risk. However, as of August 2017, the program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline its cost and schedule expectations. We will continue to monitor DHS?s efforts to re-baseline the USCIS Transformation Program and the Office of the Chief Information Officer's efforts to use accurate and reliable information to update the federal IT dashboard until and after a new program baseline is established.
    Director: Michele Mackin
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To improve DHS's management of major acquisition programs, the Secretary of Homeland Security should ensure future baselines for all of TSA's major acquisition programs capture the overall historical record of change.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the Department of Homeland Security (DHS) concurred with this recommendation, and stated that the Transportation Security Administration (TSA) will begin to incorporate an addendum to future Acquisition Program Baselines (APB) that will provide a single source to show the changes to cost, schedule, and performance metrics, beginning with the initial program baseline and showing traceability of all interim approved versions to the current APB. DHS estimated it would complete this effort April 30, 2016. As of August 2017, DHS leadership had approved updated versions of the two APBs that were the basis for this recommendation. Both included addendums with metrics from prior APBs, but raised questions about traceability to the current cost, schedule, and performance metrics. GAO will assess the updated APBs as a part of its annual review of select DHS major acquisition programs to determine whether the department has addressed the recommendation.
    Recommendation: To more accurately communicate DHS's funding plans for USCG's major acquisition programs, the Secretary of Homeland Security should ensure the funding plans presented to Congress in fiscal year 2015 are comprehensive and clearly account for all operations and maintenance funding DHS plans to allocate to each of the USCG's major acquisition programs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the Department of Homeland Security (DHS) concurred with this recommendation, and stated that the U.S. Coast Guard and the DHS Chief Financial Officer will develop a plan to address this recommendation by September 30, 2015, then work together to fully implement the plan. DHS estimated it would complete this effort March 31, 2016. However, the USCG encountered technical challenges during this process and was unable to implement the plan by that time. The U.S. Coast Guard has revised the estimated completion date, and now anticipates it will be able to address this recommendation in fiscal year 2020.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of the Department of Homeland Security should direct FPS to develop and implement a strategy for using covert-testing data and data on prohibited items to improve FPS's security-screening efforts. The strategy should, at a minimum, aim to ensure that: (1) covert-testing data are used to systematically monitor, review, and improve performance nationwide; (2) covert-testing data are used to determine which testing scenarios will be implemented or reinstated; and (3) data on prohibited items are analyzed to determine the reasons for wide variations in the number of reported prohibited-items detected across buildings and to assist with managing the screening process and informing policy.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, implementation of this recommendation was in process, according to the Federal Protective Service (FPS). FPS provided no additional information, but plans to update GAO in the coming weeks on the status of this and other open recommendations.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: In order to help ensure consistent, effective oversight of DHS's acquisition programs, and to make the CASR more useful, starting with the report reflecting fiscal year 2015 program data, the Secretary of DHS should adjust the CASR to do the following: (1) report an individual rating for each program's cost, schedule, and technical risks; (2) report a best estimate of procurement quantities or indicate why this is not applicable, as appropriate; (3) report all programs' significant changes in acquisition cost, quantity, or schedule from the previous CASR report by determining a means to account for programs that lack acquisition program baselines; (4) report major program events that are included in acquisition program baselines, such as scheduled acquisition decision events; and (5) report the level at which the program's life-cycle cost estimate was approved.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation, and took some actions to address it. The Office of Program Accountability and Risk Management (PARM) updated its template for the Comprehensive Acquisition Status Report (CASR) to reflect the following changes: individual ratings for each program's cost, schedule, and technical risks; significant changes in programs' acquisition cost, quantity, or schedule; and major events included in the acquisition program baselines. In addition, PARM intended to revise the reporting information for the level at which a program's life-cycle cost estimate was approved and its estimate of procurement quantities. However, the 2017 Consolidated Appropriations Act discontinued the requirement to submit the CASR with future budget requests and DHS did not submit one for 2017. Recently introduced legislation would reestablish the CASR requirement and we will revisit this recommendation pending the outcome of that legislation.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the agency concurred with this recommendation. Relevant efforts by DHS to finalize memoranda of understanding with other agencies and by the Export Enforcement Coordination Center to share information and data across the export control enforcement community are ongoing. As of Sept 2017, DHS did not identify relevant actions to coordinate on critical technologies among other agencies.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    1 open recommendations
    Recommendation: To better position DHS to monitor components' progress remediating AUO deficiencies, the Secretary of DHS should develop and execute a department-wide oversight mechanism to ensure components implement AUO appropriately on a sustained basis, and in accordance with law and regulation.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2015, the Department of Homeland Security (DHS) took actions toward addressing our recommendation by developing a department-wide oversight mechanism described in a directive and instruction on administratively uncontrollable overtime (AUO). DHS's AUO directive defines responsibility for Office of the Chief Human Capital Officer (OCHCO) that includes establishing AUO policy and guidance, providing program oversight and evaluating component AUO compliance, and administering an AUO training program, among other things. The directive also requires component heads to develop component-specific AUO policies that must be reviewed by DHS OCHCO for concurrence and also submit to OCHCO the results of an independent, third-party audit of compliance with applicable AUO law and policy no later than 18 months after the date of the directive (i.e., by December 2016) and annually thereafter . In March 2016, Immigration and Customs Enforcement (ICE) completed its annual financial audit, conducted by a separate office within DHS, which now incorporates audit of ICE's use of AUO. As of May 2017, the other DHS components that continue to use AUO--U.S. Secret Service and U.S. Customs and Border Protection--have not yet submitted results of third-party audits of AUO to OCHCO. To ensure that the AUO directive has been fully and appropriately executed across the department, the recommendation will remain open until USSS and CBP have submitted their first independent, third-party audit to OCHCO. At that point we will we review the remaining audits to determine if the recommendation has been addressed, and can therefore be closed.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the Department has taken in response to this recommendation, we will provide updated information.
    Director: Chris P. Currie
    Phone: (404) 679-1875

    1 open recommendations
    Recommendation: To enhance the Secretary of Homeland Security's ability to assess national preparedness and provide management oversight of federal interagency efforts to close previously identified capability gaps, the Secretary of Homeland Security should direct the Administrator of FEMA--in coordination and collaboration with the National Security Council Staff and other federal departments and agencies--to collect information on and regularly report to the Secretary the status of federal interagency implementation of corrective actions identified (1) through prior national-level exercises and (2) following real-world incidents, specifically major disasters.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In November 2016, FEMA officials reported that the agency had developed an approach for collecting and reporting on the status of federal interagency corrective actions from Level I disasters to add to the current practice of reporting on national level exercises. According to officials, the proposed approach was under review and the agency plans to coordinate with the other federal departments and agencies before submitting their proposal to DHS for final approval. In August 2017, FEMA's National Preparedness Directorate reported an expected completion date of December 29, 2017. Pending completion of this effort, this recommendation remains open.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    3 open recommendations
    Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to improve reporting of FOIA costs by including salaries, employee benefits, non-personnel direct costs, indirect costs, and costs for other offices.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In responding to our recommendation, DHS said it has developed a spreadsheet that is to be used by its components to track FOIA costs. However, as of September 2017, DHS has not yet provided information containing such details as when its components will be required to use the spreadsheet and if the spreadsheet is to track all the categories of costs discussed in our report. We plan to update the status of this recommendation when DHS provides documentation that further explains, and confirms the department's use of, the spreadsheet.
    Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to direct USCIS and Coast Guard to fully implement the recommended FOIA processing system capabilities and the section 508 requirement.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS issued a memo to all of the department's FOIA officers in March 2015 which focused on ensuring that each component's FOIA processing systems are 508 compliant. However, as of September 2017, DHS has not yet provided us with evidence that the U.S. Citizenship and Immigration Services and the Coast Guard have implemented system capabilities that are 508 compliant. When DHS provides information concerning its actions taken to make the systems compliant, we will update the status of the recommendation.
    Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to determine the viability of re-establishing the service-level agreement between the U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement to eliminate duplication in the processing of immigration files. If the benefits of doing so would exceed the costs, re-establish the agreement.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has stated that it is taking steps to determine if the U.S. Immigration and Customs Enforcement and the U.S. Citizenship and Immigration Services will re-establish the service-level agreement to process FOIA requests related to immigration files. In addition, the department has stated that duplication no longer exists in the processing of these type of requests. However, DHS has not yet provided evidence, such as a cost-benefit analysis, that could demonstrate the steps it is taking regarding the service-level agreement. Further, GAO has not yet received evidence from the department to support its assertion that duplication no longer exists in the processing of immigration files. We will update the status of this recommendation when DHS provides documentation.
    Director: Gomez, Jose A
    Phone: (202) 512-3841

    1 open recommendations
    Recommendation: To promote forward-looking construction and rebuilding efforts while FEMA phases out most subsidies, the Secretary of the Department of Homeland Security should direct FEMA to consider amending NFIP minimum standards for floodplain management to incorporate, as appropriate, forward-looking standards, similar to the minimum standard adopted by the Hurricane Sandy Rebuilding Task Force.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In March 2017, the Department of Homeland Security reaffirmed that they agreed with the recommendation, and would begin implementing it after implementing the statutory mandates in the Biggert-Waters Flood Insurance Reform Act of 2012. The Department estimated that it would begin implementing our recommendation in 2018 and complete its implementation by 2020.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    3 open recommendations
    including 3 priority recommendations
    Recommendation: The Secretary of Homeland Security should designate the headquarters consolidation program a major acquisition, consistent with DHS acquisition policy, and apply DHS acquisition policy requirements.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In alignment with GAO's recommendation, on September 16, 2014, DHS issued an Acquisition Decision Memorandum designating the DHS-funded portions of the headquarters consolidation program as a Major Acquisition Program to be overseen by the departmental Acquisition Review Board (ARB). DHS made further progress implementing this recommendation by conducting and documenting an ARB of the program on November 15, 2016. The ARB process provided DHS greater oversight of headquarters consolidation, and provided a forum for officials to consider a wide range of issues affecting consolidation efforts, such as funding and project scope. However, DHS and General Services Administration (GSA) were required to revise their cost and schedule estimates subsequent to the ARB's review. In addition, as of March 2017, DHS, in coordination with GSA, had not submitted the report to Congress on DHS Headquarters Consolidation mandated by Pub. L. No. 114-150. GAO will reassess the status of this recommendation after cost and schedule estimates are finalized and DHS and GSA submit the required report to Congress, i.e., when there is more certainty about the future direction of the project overall and DHS's funded portion in particular.
    Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to conduct the following assessments and use the results to inform updated DHS headquarters consolidation plans: (1) a comprehensive needs assessment and gap analysis of current and needed capabilities that take into consideration changing conditions, and (2) an alternatives analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the project and prioritizes options to account for funding instability.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region, and an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project. DHS and GSA have made significant progress in developing a revised plan for headquarters consolidation since 2014, including the completion of a business case analysis to support the new plan. GAO will review the latest information on DHS headquarters consolidation efforts when it is provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading capital planning practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.
    Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, after revising the DHS headquarters consolidation plans, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to develop revised cost and schedule estimates for the remaining portions of the consolidation project that conform to GSA guidance and leading practices for cost and schedule estimation, including an independent evaluation of the estimates.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes updated cost and schedule estimates for the consolidation project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. GSA is leading efforts to revise project cost and schedule estimates, and according to GSA officials, the revised figures will take into account GAO's leading estimation practices. GAO will review the latest DHS headquarters consolidation cost and schedule estimates when they are provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading cost and schedule estimation practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.
    Director: Stephen Caldwell
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has taken action in response to GAO's September 2014 recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments, but has not fully implemented the recommendation. DHS first reported to GAO in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group comprised of a variety of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IPGateway portal--IP's system that houses infrastructure data and identifies facilities that have been assessed by IP. In a July 2016 update, DHS reported that IP had reached agreement with DHS components to expand access to its IP Gateway portal to those partners as a means to share IP's vulnerability assessment information and help coordinate assessment visits and related activities. DHS also noted in its update that IP had begun providing access to IP Gateway to components within DHS but did not provide a date as to when that step would be complete. These are positive steps toward implementing a systematic and integrated approach for facilitating data sharing and coordination of vulnerability assessments throughout the department. However, developing a department-wide process to facilitate data sharing and coordination among the DHS offices and components that conduct or require vulnerability assessments would better enable DHS to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct. Because DHS is still in the process of completing these steps, the recommendation has not yet been fully implemented.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSA) and other federal agencies to determine the areas they capture.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    2 open recommendations
    Recommendation: To ensure effective evaluation of federal training programs and enhance DHS's stewardship of resources for federal training programs, the Secretary of Homeland Security should direct DHS components to ensure that their documented training evaluation processes fully address attributes for effective training evaluation processes as they are drafted, updated, or revised.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2014, we reported on the Department of Homeland Security's (DHS) training efforts, including the extent to which DHS has a documented process to evaluate training and development programs. We found that all five DHS components in GAO's review--U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, the U.S. Coast Guard, the Transportation Security Administration, and the Federal Law Enforcement Training Center--have a documented process to evaluate their training programs. Their documented processes fully included three of six attributes of effective training evaluation processes identifying goals, programs to evaluate, and how results are to be used. However, the documented processes did not consistently include the other three attributes: methodology, timeframes, and roles and responsibilities. We concluded that by updating documentation to address these attributes, DHS components would have more complete information to guide its efforts in conducting effective evaluations. We therefore recommended that DHS direct its components to ensure that their documented training evaluation processes fully address attributes for effective training evaluation processes as they are drafted, updated, or revised. In September 2016, DHS officials reported that a DHS-wide self-audit of training evaluation processes was completed on March 31, 2016 and found that DHS has current documentation addressing effective learning evaluation programs and that there are commonalities in evaluation procedures across the components. As a part of the self-audit, components provided policy and procedures documents related to their training evaluation processes and found that they adhere to sound instructional systems design models. However, the self-audit focused on identifying the specific training evaluation practices for a sample of courses at each component and not whether the component-level guidance included the attributes for effective training evaluation processes we identified in our report. Further, although DHS updated its department-wide guidance on training evaluation in April 2016 to incorporate the attributes for effective training evaluation processes and some components have followed suit, other components have not. For example, we found that some components, such as Customs and Border Protection and the U.S. Coast Guard, had updated their training evaluation guidance to include the attributes we identified in our report. Others, such as U.S. Immigration and Customs Enforcement were in the process of updating their guidance. However, as of April 2017, the guidance from the Transportation Security Administration remained in draft and the guidance from the Federal Law Enforcement Training Center had not been updated since our review. Therefore, this recommendation remains open pending action on the above noted items.
    Recommendation: To ensure effective evaluation of federal training programs and enhance DHS's stewardship of resources for federal training programs, the Secretary of Homeland Security should identify existing challenges that prevent DHS from accurately capturing training costs department-wide and, to the extent that the benefits of addressing those challenges exceed the costs, implement corrective measures to overcome these challenges..

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2014, we reported on the Department of Homeland Security's (DHS) training efforts, including the extent to which DHS has a documented process to reliably capture costs. We found that DHS identified efficiencies and cost savings for delivering a number of training programs. However, different methods are used for capturing training costs across the department, which poses challenges for reliably capturing these costs across DHS. Components capture training costs differently, contributing to inconsistencies in training costs captured across DHS. Variation in methods used to collect data can affect the reliability and quality of DHS-wide training program costs. However, DHS has not identified all challenges that contribute to these inconsistencies. We concluded that DHS could improve its awareness about the costs of training programs DHS-wide and thereby enhance its resource stewardship by identifying existing challenges that prevent DHS from accurately capturing training costs and implementing corrective measures. We therefore recommended that DHS identify existing challenges that prevent DHS from accurately capturing training costs department-wide and, to the extent that the benefits of addressing those challenges exceed the costs, implement corrective measures to overcome these challenges. As of September 2016, DHS reported that its Office of the Chief Human Capital Officer and Office of the Chief Financial Officer worked together to research the issue and determine the best course of action to standardize training cost reporting. However, this did not require a formal root cause analysis. In order to identify a way for the components to capture training costs in a standardized manner, DHS formed a Tiger Team that included officials from each component which identified 12 common functional areas for training to capture training costs. Components were directed to prepare implementation plans outlining how they will begin capturing cost data within the identified functional training areas and, according to DHS, began capturing the data on September 29, 2016. In January 2017, the DHS Chief Financial Officer provided guidance to the components as to how they are to report their training costs to DHS on a quarterly basis. Components provided their first quarterly submission to DHS in January 2017. These steps are in line with the intent of our recommendation. This recommendation will remain open as we monitor its continued implementation over the next two quarters.
    Director: Brenda S. Farrell
    Phone: (202) 512-3604

    2 open recommendations
    Recommendation: To help ensure that all employees are treated fairly and receive the protections established in the executive order, the Secretary of Homeland Security should direct the Commandant, U.S. Coast Guard, to revise the Coast Guard instruction for military personnel to specify that military personnel may be represented by counsel or other representatives at their own expense.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of summer 2016, in response to our recommendation, the Commandant of the Coast Guard issued a policy message stating that individuals may have counsel or other representative present at the service member's own expense. According to a Coast Guard official, this message serves as interim guidance until the personnel security manual can be finalized. This official estimated that the manual will be updated in the latter part of fiscal year 2016. This recommendation will remain open until the Coast Guard finalizes the update to its manual in accordance with our recommendation.
    Recommendation: To facilitate coordination between personnel security and human capital offices regarding how a security clearance revocation should affect an employee's employment status, and to help ensure that individuals are treated in a fair and consistent manner, the Secretary of Homeland Security should direct the Under Secretary for Management to review and revise policy regarding coordination between the personnel security and human capital offices to clarify what information can and should be communicated between human capital and personnel security officials at specified decision points in the revocation process, and when that information should be communicated.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Daniel Garcia-Diaz
    Phone: (202) 512-8678

    1 open recommendations
    Recommendation: As FEMA determines the scope of its efforts to revise its existing guidance, the Secretary of the Department of Homeland Security (DHS) should direct the Administrator of FEMA to update existing guidance to include additional information on and options for mitigating the risk of flood damage to agricultural structures to reflect recent farming developments and structural needs in vast and deep floodplains.

    Agency: Department of Homeland Security
    Status: Open

    Comments: To obtain information for updating existing guidance, FEMA engaged a contractor in April 2016 to conduct Phase 1 of a study evaluating recent farming developments. The June 2016 report from the contractor provided FEMA with information on the types of flood damage agricultural buildings and contents can sustain, required mitigation measures under NFIP, and insurance that is currently available to farmers. Phase 2 of the study is underway. This phase will identify the number and types of agricultural structures and the legislation, regulations, and various agency programs affecting the management of these structures; analyze the feasibility of mitigation options for these structures across different types of floodplains; and explore rating guidelines and potential mitigation techniques that could result in reduced risk or rates for agricultural structures. FEMA expects to receive a draft of the Phase 2 study from the contractor in July 2017. GAO will continue to monitor FEMA's progress.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other securityrelated planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyberrelated threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update status of implementation efforts.
    Director: Eileen Larence
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: To help ensure that I&A maintains critical skills and competencies, when planning for and implementing current and future workforce actions, the Secretary of Homeland Security should establish mechanisms to monitor and evaluate workforce initiatives and use results to determine any needed changes.

    Agency: Department of Homeland Security
    Status: Open

    Comments: GAO will update the status of this recommendation when the Department of Homeland Security provides documentation and other information on actions it has taken to monitor and evaluate workforce initiatives.
    Director: Dave Wise
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of Transportation and the Secretary of Homeland Security should direct the Administrators of FTA and FEMA to establish specific guidelines to monitor, evaluate, and report the results of collaborative efforts--including their communications program and protocol--for Hurricane Sandy as well as future disasters.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FTA and FEMA concurred with the recommendation and reported they took two actions in response. First, FTA and FEMA executed the communications protocol contemplated in the memorandum of agreement governing and collaboration between the two agencies in future disasters. This protocol established a joint tracking system to prevent duplicative assistance and included provisions for coordinating funding and for collaborating where insurance settlements and share grantees are involved. Second, in May 2017, FTA and FEMA published an after action report on coordination between the agencies in response to Hurricane Sandy. This report described the coordination that occurred during the Hurricane Sandy response, and discussed lessons learned to be applied to future events, such as the need for more frequent regularly scheduled meetings. We are evaluating FTA's and FEMA's responses.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    4 open recommendations
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the CDM implementation will facilitate normalization efforts across DHS by defining common software license and maintenance requirements. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the CDM implementation will provide DHS with an automated capability for IT hardware and software asset discovery; IT asset inventory tracking; software inventory normalization; software license optimization; data sharing capabilities, and thus ensure full compliance with the requirement to maintain a continual agency-wide inventory of software licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the tracking of software assets and inventory will be implemented as CDM is rolled out to each DHS Component. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that CDM tracking of software assets and inventory will be implemented as CDM is rolled out to each DHS Component. The CDM tool will provide DHS with an automated capability for IT hardware and software asset discovery; IT asset inventory tracking; software inventory normalization; software license optimization; data sharing capabilities, and thus ensure full compliance with the requirement to maintain a continual agency-wide inventory of software licenses, including all licenses purchased, deployed, and in use, as well as spending on subscription services. As this data is captured the DHS OCIO, OSDO will analyze the software license data to track cost, usage, benefits to establish spending data that allows to the Department to perform trend analysis. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Director: Mackin, Michele
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To better communicate acquisition funding needs to Congress, the Secretary of Homeland Security should enhance the content of future Future Years Homeland Security Program (FYHSP) reports--for fiscal years 2016-20 and beyond--by presenting acquisition programs' annual cost estimates and any anticipated funding gaps.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the Department of Homeland Security (DHS) concurred with this recommendation, and stated that it provides Congress Comprehensive Acquisition Status Reports (CASR) on a quarterly basis that include cost estimates for all major acquisition programs. However, the CASRs do not disaggregate the cost estimates to identify how much the programs are expected to cost each year, and therefore the proposed approach would not allow Congress to identify funding gaps on an annual basis. In April 2016, DHS presented an alternative approach that would incorporate annual funding gaps into future FYHSP reports. DHS stated it plans to initially include these annual funding gaps in the fiscal years 2018-22 FYHSP report, which was expected to be released shortly after the President's fiscal year 2018 budget request in May 2017. However, the transition to a new administration delayed the release of the FYHSP report. Once available, GAO will evaluate the FYHSP report to determine whether DHS has met the intent of this recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202)512-6244

    1 open recommendations
    Recommendation: The Secretary of Homeland Security, in collaboration with emergency service sector stakeholders, should address the cybersecurity implications of implementing Next Generation 911 and the First Responder Network Authority network in the next iteration of sector plans.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In December 2015, DHS released an updated sector-specific plan for the emergency services sector that describes the sector's greater dependence on cyber-based infrastructure as a notable trend and emerging issue among the sector's risks. However, the plan does not incorporate steps to address the cybersecurity risk of implementing Next Generation 911 or risks associated with the First Responder Network, the public safety broadband network, currently in development. An update to the sector-specific plan will likely not occur until 2018. When DHS provides evidence regarding additional risk mitigation steps, we will review the evidence provided to update the status of this recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To help ensure that security-related funding is directed to programs that have demonstrated their effectiveness, the Secretary of Homeland Security should direct the TSA Administrator to limit future funding support for the agency's behavior detection activities until TSA can provide scientifically validated evidence that demonstrates that behavioral indicators can be used to identify passengers who may pose a threat to aviation security.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security (DHS) did not concur with GAO's November 2013 recommendation to the TSA Administrator to limit future funding support for the agency's behavior detection activities until TSA can provide scientifically validated evidence that demonstrates that behavioral indicators can be used to identify passengers who may pose a threat to aviation security. However, as of July 2017, DHS has reduced funding for its behavior detection activities and taken some steps toward identifying additional evidence to support its use of behavioral indicators. TSA officials stated that GAO's recommendation contributed to DHS's decision to reduce the number of behavior detection officers (BDO) from 3,131 full-time equivalents in fiscal year 2013 to 2,393 full-time equivalents employed in fiscal year 2016. Further, in the summer of 2016 and consistent with the Aviation Security Act of 2016, the agency began assigning BDOs to other positions at passenger screening checkpoints where they are able to observe passengers while performing screening duties. According to TSA officials, all BDOs have now been converted into transportation security officers with behavior detection capabilities, which is expected to reduce the cost of the agency's behavior detection activities. As of August 2017, TSA does not yet have an estimate of any associated cost reductions. Since GAO's 2013 report, TSA has revised its list of behavioral indicators and taken some steps to identify evidence that these indicators can be used to identify passengers who may pose a threat to aviation security. Specifically, TSA hired a contractor to search available literature for sources supporting its revised list of 36 behavioral indicators. However, in 2017, GAO reviewed all 178 sources TSA identified and found that 98 percent (175 of 178) did not provide valid evidence for specific behavioral indicators in its revised list and that the remaining 3 sources could be used as valid evidence to support 8 of the 36 indicators. GAO reported that TSA should continue to limit funding for the agency's behavior detection activities until TSA can provide valid evidence demonstrating that behavioral indicators can be used to identify passengers who may pose a threat to aviation security, consistent with the recommendation in its November 2013 report.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment, noting that such an update may be included in fiscal year 2017 planning documents. However, as of February 2017, no documentation had been provided that demonstrates such plans. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should, as part of current critical infrastructure protection planning with Sector-Specific Agencys (SSAs) and sector partners, develop and issue a plan and metrics to measure the effectiveness of GPS risk mitigation efforts on critical infrastructure resiliency.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of February 2017, DHS documentation shows that DHS has worked with Sector Specific Agencies (SSAs) and other interagency partners to help manage GPS risks and continues to communicate information on risks to critical infrastructure partners. For example, according to DHS officials, this included briefing field staff and developing questions for infrastructure surveys to gather information on GPS resilience at the facility level. According to DHS officials, at the national level DHS included GPS in discussions with SSAs on topics they could include in their Sector-Specific Plans (each SSA develops a Sector-Specific Plan to detail risk management in its critical infrastructure sector), but DHS has also indicated that sector-oriented metrics are not a viable means of assessing risk management actions. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of February 2017, the National Executive Committee for Space-Based Positioning, Navigation, and Timing (PNT) Executive Steering group had established an interagency team called the "Complementary PNT Tiger Team" co-chaired by DHS, DOT, and DOD. This team was formed to manage the federal government's efforts to establish a national backup system to GPS. According to DHS officials, this organizational structure obviates the need for a formal, written agreement between DOT and DHS specific to GPS backup responsibilities. They also stated that, in a separate but related effort, DHS, DOT, and DOD are discussing a tri-lateral agreement that covers a broad spectrum of PNT-related responsibilities and activities. We will update the status of this recommendation after we receive additional information from DHS.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To improve the management and oversight of FPS's contract guard program, the Secretary of Homeland Security should direct the Under Secretary of National Protection and Programs Directorate (NPPD) and the Director of FPS to take immediate steps to determine which guards have not had screener or active-shooter scenario training and provide it to them and, as part of developing a national lesson plan, decide how and how often these trainings will be provided in the future.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS has indicated that they plan to implement this recommendation through its implementation of a training management system. FPS anticipates beginning implementation of this system in early 2018 and completing implementation by August 2018. GAO will continue to work with FPS to determine whether this recommendation has been implemented.
    Recommendation: To improve the management and oversight of FPS's contract guard program, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to require that contract guard companies' instructors be certified to teach basic and refresher training courses to guards and evaluate whether a standardized instructor certification process should be implemented.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS has indicated that they are currently assessing options for implementing a national lesson plan for guard training that addresses this recommendation. GAO will continue to work with FPS to determine whether this recommendation has been implemented.
    Director: Cackley, Alicia P
    Phone: (202) 512-8678

    1 open recommendations
    Recommendation: To establish full-risk rates for properties with previously subsidized rates that reflect their risk for flooding, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to develop and implement a plan, including a timeline, to obtain needed elevation information as soon as practicable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As we reported in February 2016 in GAO-16-190, FEMA has taken limited action to implement this recommendation. For example, FEMA noted that the agency would evaluate the appropriate approach for obtaining or requiring the submittal of information needed to determine full-risk rates for subsidized properties. FEMA also said it would explore technological advancements and engage with industry to determine the availability of technology, building information data, readily available elevation data, and current flood hazard data that could be used to implement the recommendation. However, FEMA officials also said that the agency faced a cost challenge with respect to elevation certificates and that obtaining these certificates could take considerable time and cost. They noted that requiring policyholders to incur the cost of obtaining elevation certificates would not be consistent with NFIP's policy objective to promote affordability. The officials added that the agency encourages subsidized policyholders who seek to ensure the appropriateness of their NFIP rates to voluntarily submit elevation documentation.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    2 open recommendations
    Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate (NPPD), the Assistant Secretary for NIPP's Office of Infrastructure Protection (IP), and Director of ISCD to develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD's risk assessment approach consistent with the NIPP and the CFATS rule.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, they completed development of an updated tiering methodology, which incorporates improvements based on recommendations from both the external peer review of the tiering methodology and a Sandia National Laboratory (Sandia) report on economic consequences, which was submitted to the Department in the first quarter of fiscal year (FY) 2015. Additionally, according to the officials, DHS continued hosting meetings of an external experts panel consisting of representatives from other Federal agencies and the chemical and oil and natural gas industries, who have met repeatedly to review and provide input on the proposed improvements to the Chemical Facility Anti-Terrorism Standards (CFATS) tiering methodology. As noted in the tiering methodology improvement plan previously provided by the Department to GAO, the ISCD is having external entities validate and verify the updated methodology before deployment. To that end, the Homeland Security Studies and Analysis Institute (HSSAI) has reviewed and provided findings and recommendations on all parts of the updated tiering engine. Additionally, Sandia has been conducting component testing of the tiering engine as it is being updated and, beginning in January 2016, Sandia will conduct end-to-end testing of the engine. Concurrent with these efforts, ISCD has been updating the Chemical Security Assessment Tool (CSAT) applications which currently support the collection of the data used by the CFATS tiering methodology (i.e., Top-Screen, Security Vulnerability Assessment). According to the officials, deployment of these new applications cannot occur until the DHS's Information Collection Request (ICR) is approved by the White House's Office of Management and Budget (OMB), which the Department anticipates submitting to OMB in the third quarter of fiscal year 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
    Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and Director of ISCD to conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach, that fully validates and verifies ISCD's risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, the updated CFATS risk-based tiering methodology has been developed and portions of it are undergoing independent review from both HSSAI and Sandia. An independent verification and validation of the updated tiering methodology is scheduled to be conducted by Sandia beginning in January 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
    Director: Larence, Eileen
    Phone: (202)512-6510

    1 open recommendations
    Recommendation: To ensure that USNCB and ICE are providing more comprehensive information to their respective foreign counterparts regarding registered sex offenders traveling internationally, the Attorney General and the Secretary of Homeland Security should take steps to help ensure that USNCB and ICE have information on the same number of registered sex offenders as well as the same level of detail on registered sex offenders traveling internationally. Such steps could include USNCB and ICE copying each other on their notifications to their foreign counterparts or USNCB receiving information directly from the CBP National Targeting Center (NTC).

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that U.S. National Central Bureau (USNCB) and U.S. Immigration and Customs Enforcement (ICE) did not have information on the same registered sex offenders or the same level of detail on registered sex offenders traveling internationally, which affected their ability to notify their respective foreign counterparts. In part, this is because the two agencies rely on different information sources and do not share information with one another. We recommended that DOJ and DHS develop mechanisms that would enable these two agencies to have access to the same information on traveling sex offenders. In August 2013, ICE provided documentation showing that it copied several U.S. Marshals Service (USMS) officials on notifications that ICE sent to other countries regarding registered sex offenders traveling internationally. However, ICE did not copy USNCB on these notifications. ICE explained that it thought sharing information on traveling sex offenders with USMS and relying on USMS to pass that information along to USNCB was the most efficient way to share information with USNCB. However, we analyzed notifications from ICE, USNCB, and USMS regarding sex offenders who initiated international travel in February 2014 and found that USMS only passed along about 30 percent of the notifications it received from ICE to USNCB. We provided the results of this analysis to all three agencies in July 2014. We met with relevant U.S. Customs and Border Protection (CBP), ICE, USMS, and USNCB officials in September 2014 to discuss options for ensuring that USNCB receives more comprehensive information regarding traveling sex offenders. ICE officials stated that since CBP is the source of the information ICE receives on traveling sex offenders, as well as one of the information sources for USMS, that it may be best for CBP to provide information directly to USNCB. USNCB officials also stated that their preference was to receive information directly from CBP, and it was their understanding that CBP and USNCB were in the process of developing an MOU that would allow for this. In October 2015, CBP confirmed that the MOU would enable CBP to share information with USNCB regarding traveling sex offenders. CBP also stated that the MOU had been approved by CBP and sent to USNCB for review. In an April 2016 update, CBP reported that the MOU had been tentatively approved by USNCB and is expected to be finalized and signed in July 2016. In August 2016, CBP stated that the completion date for the MOU was pushed back to September 30, 2016, to allow time for CBP and USNCB to negotiate additional edits. We followed up with CBP about the status of the MOU in February 2017. We are awaiting a response.
    Director: Caldwell, Stephen L
    Phone: (202)512-9610

    1 open recommendations
    Recommendation: To better ensure consistent implementation of and accountability for DHS's resilience policy, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to develop an implementation strategy for this new policy that identifies the following characteristics and others that may be deemed appropriate: (1) steps needed to achieve results, by developing priorities, milestones, and performance measures; (2) responsible entities, their roles compared with those of others, and mechanisms needed for successful coordination; and (3) sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In the 60-day letter provided in January 2013, DHS indicated that the Resilience Integration Team (RIT) was developing a draft implementation plan to be circulated among relevant stakeholders for review. On 10/30/13, we notified DHS that we would like to see a copy of the resilience policy implementation plan (if developed), or any other related documentation if the plan is still in development. We were informed later that day that a draft plan had been developed, and DHS needed to confirm its status. In May of 2015, we were told again that a draft plan had been developed but never finalized. As of August 2015, DHS's Policy Office is looking into the status of plan development. We await their response. DHS response still pending as of 10/4/16.
    Director: Powner, David A
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: The Secretaries of Homeland Security and Health and Human Services should direct their Chief Information Officers to ensure OAs are performed annually on all major steady state investments and the assessments include all key factors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has updated their OA policy and is currently performing OAs on investments. We received fiscal year 2016 OAs for CBP but are waiting for the rest of the departments OAs for FY2016.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    2 open recommendations
    Recommendation: To strengthen DHS's evaluation and planning process for addressing employee morale, the Secretary of Homeland Security should direct the Office of the Chief Human Capital Officer (OCHCO) and component human capital officials to examine their root cause analysis efforts and, where absent, add the following: comparisons of demographic groups, benchmarking against similar organizations, and linkage of root cause findings to action plans.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In fiscal year 2012, we reviewed and reported on actions DHS took to address the morale of its employees. We reported, among other things, that DHS's Office of the Chief Human Capital Officer and DHS components had not consistently used three survey analysis techniques when analyzing employee survey results--comparisons of demographic groups, benchmarking against similar organizations, and linking root cause findings to action plans. DHS OCHCO officials, and supporting documentation, indicate some actions taken to incorporate these techniques. Specifically, as of June 2017, officials provided copies of the DHS FY 2017 Component Employee Engagement Action Plans. We reviewed the action plans and spoke with DHS OCHCO officials to determine the extent to which DHS's action plans addressed our recommendation. Several action plans we reviewed included evidence of utilizing the three survey analysis techniques we recommended, while other action plans lack some or all of the techniques. For example, components whose action plans fully address the recommendation includes: Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Immigration and Customs Enforcement (ICE), and the Transportation Security Administration (TSA). Components whose action plans partially address the recommendation are: U.S. Citizenship and Immigration Services (USCIS), U.S. Coast Guard (USCG), and U.S. Secret Service (USSS). National Protection and Programs Directorate's (NPPD) action plan did not address any of the three survey analysis techniques. According to DHS OCHCO officials, while OCHCO developed a checklist to consult when creating action plans to address employee survey results, senior management decided not to require that components use the checklist in developing their action plans as it may limit their freedom to develop their goals and planning. To fully address this recommendation, DHS OCHCO officials need to continue to provide documentary evidence of demographic analysis, benchmarking, and root cause linkage efforts completed for components that have not fully addressed the recommendation in their action plans. DHS OCHCO officials agreed with our analysis and reiterated their intent to fully implement this recommendation. We will update the status of this recommendation after additional information is received from DHS. Status as of June 2017.
    Recommendation: To strengthen DHS's evaluation and planning process for addressing employee morale, the Secretary of Homeland Security should direct the OCHCO and component human capital officials to establish metrics of success within the action plans that are clear and measurable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In fiscal year 2012, we reviewed and reported on actions DHS took to address the morale of its employees. We reported, among other things, that DHS's Office of the Chief Human Capital Officer and DHS components measures of action plan success related to employee morale could have improved clarity and incorporate measurable targets. DHS officials regularly provided us with copies of annual component employee engagement action plans, most recently as of June 2017. We reviewed the action plans and spoke with DHS OCHCO officials to determine the extent to which DHS's action plans addressed our recommendation. Our review in June 2017 indicated that most components' action plans included clear and measureable targets. For example, components whose action plans fully address the recommendation include CBP, Coast Guard, FEMA, ICE, NPPD, USCIS, and USSS. TSA's action plans partially addressed the recommendation and the component is taking steps to improve its measures. To fully address this recommendation, DHS OCHCO officials need to continue to provide documentary evidence of improved measure clarity and incorporate measurable targets in components' action planning efforts. DHS OCHCO officials agreed with our assessment and told us that they continue to provide feedback to component officials to address action planning improvement. These officials reiterated their efforts to fully implement this recommendation and we will update the status of this recommendation after additional information is received from DHS.
    Director: Mackin, Michele
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To help mitigate the risk of poor acquisition outcomes and strengthen the department's investment management activities, the Secretary of Homeland Security should direct the Under Secretary for Management to, once the department's acquisition programs comply with DHS acquisition policy, prioritize major acquisition programs departmentwide and ensure that the department's acquisition portfolio is consistent with DHS's anticipated resource constraints.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, DHS concurred with this recommendation, and stated that its effort to more fully reflect portfolio management practices in its acquisition policy will help DHS prioritize its major acquisition programs departmentwide. DHS also stated that the revised portfolio management approach will help ensure that the department's acquisition portfolio is consistent with anticipated resource constraints. However, it has taken years for some of the department's major acquisition programs to comply with DHS's acquisition policy, which requires getting approval for key acquisition documentation that contains the critical knowledge needed for DHS to make effective portfolio management decisions. In February 2017, we found that DHS had approved the required acquisition documentation for all of its major acquisition programs and planned to continue to ensure that all major acquisition programs have approved documents, such as acquisition program baselines. Now that major acquisition programs are in compliance with DHS's acquisition policy, GAO will evaluate the department's implementation of its revised portfolio management approach to determine whether DHS has met the intent of this recommendation by ensuring that the department's acquisition portfolio is consistent with DHS's anticipated resource constraints.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should develop and implement a new comprehensive and reliable system for contract guard oversight.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FPS officials, as of September 2017, FPS is currently reviewing proposals and preparing to make a decision for the final contract award for a Post Tracking System (PTS). According to FPS, this PTS will allow FPS to comprehensively and reliability mange its contract guards. Once the contract is awarded in late 2017 FPS will begin to implement the PTS system. GAO is keeping this recommendation open pending successful implementation of this system.
    Recommendation: Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should verify independently that FPS's contract guards are current on all training and certification requirements.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FPS officials, as of September 2017, FPS plans to address this recommendation through the implementation of FPS?s Training Academy and Management System (TAMS). FPS reported that this system should allow it to verify independently that FPS's contract guards are current on all training and certification requirements. FPS is currently taking various steps to finalize the system and anticipates full implementation of TAMS by August 2018. GAO is leaving this recommendation open pending successful implementation of TAMS.
    Director: Martin, Belva M
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To better inform management and resource allocation decisions, effectively manage limited export control enforcement resources, and improve the license determination process, the Secretary of Homeland Security, in consultation with the departmental representatives of the Export Enforcement Coordination Center, including Commerce, Justice, State, and the Treasury should (1) leverage export control enforcement resources across agencies by building on existing agency efforts to track resources expended, as well as existing agency coordination at the local level; (2) establish procedures to facilitate data sharing between the enforcement agencies and intelligence community to measure illicit transshipment activity; and (3) develop qualitative and quantitative measures of effectiveness for the entire enforcement community to baseline and trend this data.

    Agency: Department of Homeland Security
    Status: Open

    Comments: To help track resources expended and coordination of enforcement resources, the E2C2 has ratified and implemented the investigative deconfliction protocol. The Export Enforcement Coordination Center (E2C2) has also ratified and implemented the dispute resolution protocol and it is being used by all E2C2 partners. These are two of seven standard operating procedures planned to be in use by the E2C2. The Intelligence Community engagement/information protocols are being addressed through the E2C2 Export Enforcement Intelligence Working Group to help facilitate data sharing, and ICE, through the E2C2, is still in the process of establishing interagency agreement on procedures to facilitate data sharing between the enforcement agencies and intelligence community to assist in measuring illicit transshipment activity. The E2C2 Intel Cell White Paper is complete, but the Cell is not staffed or operational. This Cell is to serve as the primary interagency conduit for defining, establishing, and implementing protocols and facilitating information sharing between the IC and export enforcement community. The white paper outlines the E2C2 Intel Cell's mission, general roles and functions, recommended tasks and structure to facilitate enhanced coordination and intelligence sharing. When established, the Cell will develop standard operating procedures but this has not yet occurred. In late August 2016, the Department of Commerce assigned a new Assistant Director and one analyst to the E2C2. Efforts to formalize an intelligence analytical unit and draft a corresponding SOP are ongoing as of the summer of 2017.
    Director: Goldstein, Mark L
    Phone: (202)512-6670

    1 open recommendations
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of April 2017, The Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Director: Brown, Orice Williams
    Phone: (202)512-5837

    3 open recommendations
    Recommendation: To improve strategic planning, performance management, and program oversight within and related to NFIP, the Secretary of DHS should direct the FEMA Administrator to develop a comprehensive workforce plan according to PKEMRA that identifies agency staffing and skills requirements, addresses turnover and staff vacancies, and analyzes FEMA's use of contractors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FEMA officials, as of July 2016, FEMA is in the process of developing a Workforce Strategic Plan they say will contribute to organizational performance and mission by enabling FEMA to align the overall workforce with strategic priorities. FEMA expected to complete the plan by the first quarter of FY2017. As of December 2016, FEMA officials said they were still working to implement this recommendation and agreed to provide us with an update of their progress.
    Recommendation: To improve FEMA's policies, procedures, and systems for achieving NFIP's program goals, the Secretary of DHS should direct the FEMA Administrator to consider the costs and benefits of implementing an interim system for FEMA and updating its document management policies and procedures while waiting for DHS to implement an agencywide electronic document management system.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA officials stated that, as of July 2016, FEMA is working to pilot an Electronic Records Management System (ERMS). They said that they expected to have all email records in an electronic state by December 31, 2016, and all records in an electronic state by December 31, 2019. They said that they expect the end state in 2019 to meet the Presidential Directive and NARA guidelines. As of December 2016, FEMA officials said they were still working to implement this recommendation and agreed to provide us with an update of their progress.
    Recommendation: To improve FEMA's policies, procedures, and systems for achieving NFIP's program goals, the Secretary of DHS should direct the FEMA Administrator to establish timelines for and complete the development and implementation of FEMA's revised acquisition process, in line with the DHS Acquisition Directive 102-01, including a rollout process with staff training and a mechanism to better ensure that all acquisitions undergo the necessary reviews.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA officials stated that, as of July 2016, a Disaster Acquisitions Response Team (DART) was in place along with metrics in place to monitor the team's success. They said they had also awarded a contract to serve as a contract file repository and that previously scanned contract files would be uploaded by December 31, 2016. As of December 2016, FEMA officials said they were still working to implement this recommendation and agreed to provide us with an update of their progress.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In April 2013, DHS reported that it had taken a number of steps to address our recommendations. For example, it had refreshed and reissued fraudulent document detection training to enrollment personnel; created a mechanism for enrollment personnel to send detailed information of suspected fraud to adjudication personnel; benchmarked TWIC enrollment processes with passport enrollment processes; and defined guidance for adjudicators on the application of discretionary authority. As we reported in May 2013, to determine if the internal control weaknesses identified in our May 2011 report still exist, we conducted limited covert testing in late 2012. Our investigators again acquired an authentic TWIC through fraudulent means and were able to use this card and counterfeit TWIC cards to access areas of ports or port facilities requiring a TWIC for entry at four ports. In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. In January 2017 TSA awarded a contract for an internal control assessment of the TWIC program, including the TWIC program?s internal controls of the enrollment, background checking, and credential issuance processes. The assessment, however, is to exclude an assessment of Coast Guard?s role in TWIC enforcement. The project held a kickoff meeting in March of 2017 and is expected to produce final recommendations by August 2017. We believe that this is a positive step towards addressing our recommendation. However, the assessment does not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. We continue to believe that the internal control assessment inclusive of TWIC use and the interrelationship between acquiring a TWIC and using it in the maritime environment is needed. For the reasons noted above, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. In March 2012, DHS reported that it agreed that the results and progress of the internal control actions should be used to further evaluate the effectiveness of the TWIC program. They further noted that as the different long term actions progress, DHS will develop specific plans to address this action. In May 2013 (see GAO-13-198), we reported that DHS had not addressed this recommendation. On January 17, 2014, the explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the assessment that we recommended within 90 days after enactment (April 17, 2014). In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. As of March 2017, the internal control assessment we recommended as the basis for initiating the effectiveness assessment had not been completed. However, on January 15, 2016, Coast Guard reported that it had completed its effectiveness assessment. Specifically, DHS completed an effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers." However, the effectiveness assessment did not substantively address the risk concerns identified in our report. For example, the effectiveness assessment lacked the internal control assessment we deem to be the critical first step for fully understanding the TWIC program's controls, costs, and risks. Further, while the effectiveness assessment presented a comparison of alternative credentialing approaches, the assessment did not fully consider, as discussed in our 2011 and 2013 reports, an approach wherein federal security threat assessments could be leveraged in concert with site-specific credentials. The analysis did consider the benefits of updating the TWIC credential to new federal credentialing standards. However, absent from the analysis is a risk-informed basis for disallowing site-specific credentials. While TWIC credentials are developed based on standards aligned with those used by federal entities, each federal entity continues to use site-specific credentials that have varying appearances, rather than a single credential for granting access to all federal entities. This is important, especially because Coast Guard's risk assessment does not include an evaluation of the security benefits and shortfalls that a single credential used nation-wide provide. Absent effectiveness assessment that meets the intent of our recommendation, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and needed corrective actions could better inform and enhance the reliability of the new regulatory analysis. Moreover, these actions could help DHS identify and assess the full costs and benefits of implementing the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks, and help ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. We therefore recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In March 2012, DHS reported that upon completion of the internal control and effectiveness assessments, DHS will evaluate the results to determine any subsequent actions, and that any applicable data or risks will be communicated to the Coast Guard for consideration during their regulatory analysis. However, DHS has not implemented the internal control assessment we recommended, which is to be the basis for the effectiveness assessment and addressing this recommendation. Further, the January 15, 2016 effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers" did not substantively address the risk concerns identified in our report. Given shortfalls that remain in addressing our internal control assessment and effectiveness assessment recommendations, this recommendation remains open pending DHS taking corrective actions. As of March 2017, no further action has been taken.
    Director: Sherrill, Andrew
    Phone: (202)512-7252

    1 open recommendations
    Recommendation: To help ensure that the number of new H-1B workers who are subject to the cap--both entering the United States and changing to H-1B status within the United States--does not exceed the cap each year, U.S. Citizenship and Immigration Services should take steps to improve its tracking of the number of approved H-1B applications and the number of issued visas under the cap by fully leveraging the transformation effort currently under way, which involves the adoption of an electronic petition processing system that will be linked to the Department of State's tracking system. Such steps should ensure that linkages to the Department of State's tracking system will provide Homeland Security with timely access to data on visa issuances, and that mechanisms for tracking petitions and visas against the cap are incorporated into U.S. Citizenship and Immigration Services' business rules to be developed for the new electronic petition system.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In 2016, USCIS officials reported that, according to their current timeframes, the business rules associated with the nonimmigrant visa petition process (including Form I-129) in the USCIS Electronic Immigration System (ELIS) were slated to be developed in late 2017, with implementation projected for the beginning of 2018. They stated that during the requirements-gathering phase, the Service Center Operations officials and the Office of Transformation Program officials planned to discuss potential options for improving the tracking of the number of approved H-1B applications and the number of issued visas under the cap, including assessing the feasibility of linking DHS and State Department data. GAO will follow-up with USCIS on the status of this recommendation when business rules for the nonimmigrant line of the ELIS are developed and released.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    1 open recommendations
    Recommendation: To facilitate better agency understanding of the potential need and feasibility of expanding electronic verification of seafarers, to improve data collection and sharing, and to comply with the Inflation Adjustment Act, the Secretary of Homeland Security should direct the Commandant of the Coast Guard and Commissioner of CBP to jointly establish an interagency process for sharing and reconciling records of absconder and deserter incidents occurring at U.S. seaports.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred and stated that U.S. Customs and Border Protection (CBP) and the Coast Guard would begin to assess the appropriate offices within each component involved in the review and to establish a working group to evaluate the current reporting process within each component, and between CBP and Coast Guard. Further, DHS noted that it was working to co-locate the Coast Guard's ICC Coastwatch and CBP's National Targeting Center-Passenger and that this would help to eliminate many of the absconder-and deserter- reporting inconsistencies GAO identified between Coast Guard and CBP. In January 2013, CBP and Coast Guard officials reported that they had studied the CBP and Coast Guard data and found that multiple factors had likely contributed to the data variances, including differences in definitions for absconders/deserters among CBP and Coast Guard field units, and the method in which field units had recorded and reported absconder and deserter incidents. Officials reported that the two agencies were planning to develop an interagency memorandum of agreement (MOA) with field guidance for reporting absconder and deserter incidents. Officials reported that they expected to finalize and implement the MOA and field guidance by November 30, 2013. In July 2014, CBP described a new process in place for interagency data reconciliation, reporting that this action was taken in lieu of previously discussed plans to develop an interagency MOU. In December 2015, CBP reported that it expected to complete the effort by March 2016. In March 2016, CBP report that it expected to complete the effort by September 2016. CBP officials reported that the Coast Guard and CBP determined that the absconder data variances were caused by the agencies using different reporting criteria. Officials reported that the two agencies were preparing a memo and guidance to issue to field units by August 31, 2016. Officials reported that the recommendation would be fully implemented by September 30, 2016. In September 2016, CBP reported that it expected to implement the effort by December 31, 2016. In December 2016, CBP reported that the agency had drafted a memo to coincide with new Coast Guard procedure for conducting asymmetric migration vetting and deconfliction. CBP was also working to require all ports of entry to report all maritime asymmetric migration events directly to Coastwatch or a Targeting Framework event. However, on October 18, 2016, the DHS Deputy Secretary issued Department Policy Regarding Investigative Data and Event Deconfliction Policy Directive 045-04 that sets forth DHS policy for investigative data and event deconfliction and the use of related deconfliction systems in the course of certain law enforcement activity. As a result of the newly published Directive, DHS requires that CBP develop and implement related policy, by January 17, 2017. The policy directive requires DHS components to develop a policy applicable to components having equities in Investigative Data and Event Deconfliction. The policy will focus on more effective coordination of investigative activity to ensure officer safety by identifying links between ongoing criminal investigations. The Policy also requires that CBP components, at a minimum, conduct deconfliction thru the Deconfliction and Information Coordination Endeavor, Regional Information Sharing Systems Officer Safety Event Deconfliction System, Secure Automated Fast Event Tracking Network or Case Explorer systems. CBP and Coast Guard are now looking at a directive which makes it a port responsibility to deconflict case related information. The timeline for drafting and finalizing that directive is January 2017. Because of this change in direction, CBP and Coast Guard are requesting an extension to March 31, 2017 to finalize and disseminate the new policy.
    Director: Gambler, Rebecca
    Phone: (202) 512-6912

    2 open recommendations
    Recommendation: To help ensure DHS is maximizing the benefits of its coordination efforts with northern border partners through interagency forums, documented agreements, and its resource planning process, the Secretary of Homeland Security should provide DHS-level guidance and oversight for interagency forums established or sponsored by its components to ensure that the missions and locations are not duplicative and to consider the downstream burden on northern border partners.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In fiscal year 2011, we reviewed and reported the extent to which the Department of Homeland Security (DHS) had improved federal coordination of border security intelligence and enforcement operations with state, local, and Canadian law enforcement partners. We found, among other things, that DHS improved northern border security coordination through interagency forums and joint operations; however, partners raised concerns about the resources needed for the increasing number of interagency forums and that some efforts may be overlapping. In May 2011 and June 2012, DHS reported that it took action to coordinate law enforcement initiatives and advance communications interoperability and information sharing, while reducing duplicative activities. DHS also reported that the DHS Northern Border Strategy, released in June 2012, is intended to align internal DHS operations and provide a unified direction that will also help the department reduce duplicative activities. However, DHS's efforts to coordinate law enforcement initiatives and its Northern Border Strategy do not specifically address possible duplication of efforts and resource constraints that may be imposed by interagency forums. Further, DHS leadership has not yet determined how the strategy will be implemented. In October 2015, DHS officials stated that a statement of cooperation for a Cross-Border Law Enforcement Advisory Committee was signed by all five core members. The intent of the committee is to provide executive-level strategic guidance to cross-border law enforcement initiatives involving partnerships between U.S. and Canadian law enforcement agencies on the northern border. However, DHS officials stated that it will take at least a year to show how this committee will increase coordination and prevent duplication among interagency forums, including the IBET and BEST. Development of this committee is a positive step; however, it is too soon to assess the extent to which this committee helps prevent duplication of effort and strengthen coordination efforts along the northern border. As of August 31, 2017, DHS had not provided updated information to show how the committee increased coordination and prevented duplication among interagency forums. To fully address this recommendation, DHS needs to provide guidance specific to interagency forums established or sponsored by its components and conduct DHS-level oversight for those forums to ensure they are not duplicative and do not burden northern border partners.
    Recommendation: To help ensure DHS is maximizing the benefits of its coordination efforts with northern border partners through interagency forums, documented agreements, and its resource planning process, the Secretary of Homeland Security should provide regular DHS-level oversight of Border Patrol and ICE compliance with the provisions of the interagency memorandum of understanding (MOU), including evaluation of outstanding challenges and planned corrective actions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In fiscal year 2011, we reviewed and reported on the extent to which the Department of Homeland Security (DHS) had made progress in addressing past coordination challenges between U.S. Border Patrol, an office within U.S. Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE), and across the Drug Enforcement Administration and Forest Service, according to northern border security partners. We found, among other things, that federal agency coordination to secure the northern border was improved, but partners cited ongoing challenges sharing information and resources for daily border security related to operations and investigations despite the efforts made to establish and update interagency agreements. In June 2012, DHS reported that the DHS Northern Border Strategy emphasizes the importance of partnerships and coordination and discusses the benefits that can be garnered through collaboration and information sharing. DHS also reported that a National Special Agent in Charge/Chief Patrol Agent Advisory Council was established to enhance collaboration between Border Patrol and ICE, which includes addressing historical points of contention between the two components. While the strategy emphasizes and encourages coordination between Border Patrol and ICE, it does not specifically address compliance with the interagency memoranda of agreement, evaluation of longstanding challenges, or any planned corrective actions. In addition, the advisory council established does not provide DHS-level oversight as it is composed of ICE and Border Patrol officials. In October 2015, DHS officials stated that the Cross-Border Law Enforcement Advisory Committee may provide DHS-level oversight because both CBP and ICE officials are members of the committee. However, as of August 31, 2017, DHS has not yet indicated how the committee may provide guidance and oversight to ensure Border Patrol and ICE compliance with the provisions of the interagency memorandum of understanding, and DHS could not provide timeframes for addressing this recommendation. To fully address this recommendation, DHS needs to take action to specifically address long-standing coordination challenges and enforce DHS-level oversight of Border Patrol and ICE compliance with the interagency memoranda of agreement.
    Director: Brown, Orice Williams
    Phone: (202) 512-3000

    5 open recommendations
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to determine in advance the amounts built into the payment rates for estimated expenses and profit.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA is continuing (as of 08/29/2014) to analyze Write-Your-Own (WYO) payments and related flood expenses for selected companies and is evaluating the reliability (accuracy, consistency, etc.) of the National Association of Insurance Commissioners (NAIC) data for purposes of performing the analysis we had recommended.
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to annually analyze the amounts of actual expenses and profit in relation to the estimated amounts used in setting payment rates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its initial response to this report, FEMA did not concur with this recommendation. In November 2016, FEMA restated its position and concurs with this recommendation, and is in the process of implementing it.
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to consider the results of the analysis of payments, actual expenses, and profit in evaluating the methods for paying WYOs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA is continuing (as of 08/29/2014) to analyze WYO payments and related flood expenses for selected companies and is evaluating the reliability (accuracy, consistency, etc.) of the National Association of Insurance Commissioners (NAIC) data for purposes of performing the analysis we had recommended.
    Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to take actions to obtain reasonable assurance that NAIC flood insurance expense data can be considered in setting payment rates that are appropriate, including identifying affiliated company profits in reported flood insurance expenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA continues (as of 08/29/2014) to work with the National Association of Insurance Commissioners (NAIC) to improve the consistency with which commission, operating, and loss adjustment expenses are reported by insurance companies that participate in the National Flood Insurance Program.
    Recommendation: To increase the usefulness of the data reported by WYOs to the National Association NAIC and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to develop comprehensive data analysis strategies to annually test the quality of flood insurance data that WYOs report to NAIC.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA continues (as of 08/29/2014) to work with the National Association of Insurance Commissioners (NAIC) to improve the consistency with which commission, operating, and loss adjustment expenses are reported by insurance companies that participate in the National Flood Insurance Program.
    Director: Williams, Orice M
    Phone: (202)512-5837

    2 open recommendations
    Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to take steps to ensure that its rate-setting methods and the data it uses to set rates result in full-risk premiums rates that accurately reflect the risk of losses from flooding. These steps should include, for example, verifying the accuracy of flood probabilities, damage estimates, and flood maps; ensuring that the effects of long-term planned and ongoing development, as well as climate change, are reflected in the flood probabilities used; and reevaluating the practice of aggregating risks across zones.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of January 2017, FEMA is taking steps to verify the accuracy of flood probabilities by collecting and analyzing data from flood insurance studies. FEMA is also continuing to monitor the completion of these studies to determine when a statistically valid amount of data is available so that it can better assess flood risk. To verify the accuracy of damage estimates, FEMA is collecting data required to revise its estimates of flood damage and is undertaking studies to determine factors beyond flood water depth that contribute to flood damage. FEMA will incorporate that information into its rate-setting methodology as the necessary data becomes available. To verify the accuracy of flood maps, FEMA continues to reassess flood risk, evaluate coastal flood maps, and update its overall map inventory. To ensure that flood probabilities reflect long-term and ongoing planned development and climate change, FEMA is working with the Technical Mapping Advisory Committee to ensure the best available information on flood probabilities is used for rate-setting. In addition, as FEMA collects information on flood probabilities, it will conduct analyses to evaluate the practice of classifying risk across zones.
    Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to ensure that information is collected on the location, number, and losses associated with existing and newly created grandfathered properties in NFIP and to analyze the financial impact of these properties on the flood insurance program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: To assess the impact of grandfathered properties on the NFIP, as of January 2017, FEMA has begun to develop a process to obtain current zone designations for all existing policyholders. In addition, FEMA is requiring zone determination data to be updated as flood maps change. According to FEMA, this will allow officials to determine which policyholders are grandfathered but will not allow the determination of a property-specific rate in all circumstances.
    Director: Shear, William B
    Phone: (202)512-4325

    1 open recommendations
    Recommendation: To ensure compliance with federal contracting regulations and to more transparently disclose the extent to which subcontracting opportunities are available to small businesses, the Secretaries of Homeland Security and Defense and the Administrator of General Services should consider asking their respective Inspectors General to conduct a review at an appropriate future date to ensure that this guidance and related requirements are being followed.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS issued a chapter on its small business subcontracting program in its DHS Acquisition Manual in October 2009 and developed a subcontracting plan checklist that officials are to use when awarding a contract. In May 2010 DHS officials claimed that these documents are examples of progress they have made to address the recommendation on ensuring compliance with federal contracting regulations and other related requirements. After reviewing these documents we disagreed with the agency and do not believe that these documents constitute agency guidance on the contract administration duties to monitor contractor compliance with subcontracting plan reporting requirements.