Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Facility security"

    25 publications with a total of 77 open recommendations including 13 priority recommendations
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jessica Farb
    Phone: (202) 512-6991

    2 open recommendations
    Recommendation: The Assistant Secretary of State for Diplomatic Security should take steps to ensure the implementation of revised standard operating procedures for collecting electronic ATA course and participant data. (Recommendation 1)

    Agency: Department of State
    Status: Open

    Comments: On August 28, 2017, having reviewed a draft version of GAO-17-704, State concurred with this recommendation and noted that ATA had revised its standard operating procedures for collecting data and shared the document with us. We will follow-up with ATA regarding steps taken to ensure the implementation of those procedures.
    Recommendation: The Assistant Secretary of State for Diplomatic Security should develop and implement a process to confirm and document whether future ATA participants return to their home countries following the completion of ATA training and, for any participants trained in the United States who do not, share relevant information with the Department of Homeland Security. (Recommendation 2)

    Agency: Department of State
    Status: Open

    Comments: On August 28, 2017, having reviewed a draft version of GAO-17-704, State concurred with this recommendation and stated that, by the end of the year, it will implement a process to ensure that participants sent to ATA training in the United States return to their home countries. We will follow-up with ATA regarding the implementation of such a process for participants sent to ATA training in the United States or other locations outside of their home countries.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    7 open recommendations
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to ensure that performance measures linked to program goals are included as part of its updated strategic plan and direct it to develop a timeline for completion of this plan.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security program.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to develop program goals and ensure that performance measures linked to those goals are included as part of the strategic plan for security and develop a timeline for completion of this plan.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to develop a process for documenting risk management decisions.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    4 open recommendations
    Recommendation: The Attorney General should instruct the Director of the Marshals Service to ensure that the improvements being made to the Marshals Service's information on the security concerns of individual buildings allow the Marshals Service to understand the concerns across the portfolio.

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the Marshalls Service has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of GSA and the Director of the AOUSC, on behalf of the Judicial Conference of the United States, in conjunction with the Marshals Service and FPS, should improve CSP documentation in order to improve transparency and collaboration in the CSP program.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions GSA has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of GSA and the Director of the AOUSC, on behalf of the Judicial Conference of the United States, in conjunction with the Marshals Service and FPS, should improve CSP documentation in order to improve transparency and collaboration in the CSP program.

    Agency: Administrative Office of the United States Courts
    Status: Open

    Comments: When we confirm what actions AOUSC has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of GSA--in conjunction with AOUSC, the Marshals Service, and FPS--should establish a national-level working group or similar forum, consisting of leadership designees with decision-making authority, to meet regularly to address courthouse security issues.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions GSA has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: To ensure that C-TPAT program managers are provided consistent data from the C-TPAT field offices on security validations, the Commissioner of U.S. Customs and Border Protection should develop standardized guidance for the C-TPAT field offices to use in tracking and reporting information on the number of required and completed security validations.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: On April 28, 2017, CBP officials provided documentation--a common worksheet, instructions, and related standard operating procedures for C-TPAT field offices to use in tracking and reporting information to headquarters staff on security validations required and completed. We reviewed the information and interviewed C-TPAT officials in two field offices and C-TPAT's Plans and Operations Branch, which is responsible for overseeing these efforts, about the new procedures. In early August 2017, we asked for additional evidence that C-TPAT is ensuring one standard approach across its field offices for capturing and reporting security validations required and completed. The BBP liaison informed us that C-TPAT officials are to provide the additional evidence by the end of September 2017.
    Recommendation: To ensure the availability of complete and accurate data for managing the C-TPAT program and establishing and maintaining reliable indicators on the extent to which C-TPAT members receive benefits, the Commissioner of U.S. Customs and Border Protection should determine the specific problems that have led to questionable data contained in the Dashboard and develop an action plan, with milestones and completion dates, for correcting the data so that the C-TPAT program can produce accurate and reliable data for measuring C-TPAT member benefits.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: On July 28, 2017, CBP provided us with documentation, to include: a schedule of completed and planned activities related to refining data reporting system requirements, testing of preliminary results from new data runs, developing a reporting system for tracking security examination rates, and a copy of the results of a preliminary data run identifying shipment examination rates by mode of transportation and C-TPAT member Tier level. CBP staff informed us that the steps being taken to address this recommendation are to continue through the end of the 2017. In the interim, we are reviewing the documents CBP provided to determine what, if any, additional information we may need to assess progress in addressing this recommendation.
    Director: Chris P. Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that SCO uses its time and resources to pursue the most efficient and effective screening and credentialing harmonization goals on behalf of the department, the Secretary of Homeland Security should direct the Deputy Assistant Secretary for Screening Coordination, Office of Policy, to establish goals and objectives to support its broader strategic framework for harmonization.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David Wise
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Administrator of the General Services Administration should determine whether the beneficial owner of high-security space that GSA leases is a foreign entity and, if so, share that information with the tenant agencies so they can adequately assess and mitigate any security risks.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michael J. Courts
    Phone: (202) 512-8980

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct the Bureau of Diplomatic Security (DS) to create consolidated guidance for RSOs that specifies required elements to include in post travel notification and transportation security policies. For example, as part of its current effort to develop standard templates for certain security directives, DS could develop templates for transportation security and travel notification policies that specify the elements required in all security directives as recommended by the February 2005 Iraq ARB as well as the standard transportation-related elements that DS requires in such policies.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify whether or not the FAH's armored vehicle policy for overseas posts is that every post must have sufficient armored vehicles, and if DS determines that the policy does not apply to all posts, articulate the conditions under which it does not apply.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to develop monitoring procedures to ensure that all posts comply with the FAH's armored vehicle policy for overseas posts once the policy is clarified.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify existing guidance on refresher training, such as by delineating how often refresher training should be provided at posts facing different types and levels of threats, which personnel should receive refresher training, and how the completion of refresher training should be documented.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: As of April 2017, State concurred with this recommendation and plans to clarify its guidance on refresher training. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to improve guidance for RSOs, in coordination with other relevant State offices and non-State agencies as appropriate, on how to promote timely communication of threat information to post personnel and timely receipt of such information by post personnel.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Director: Brian Lepore
    Phone: (202) 512-4523

    4 open recommendations
    including 1 priority recommendation
    Recommendation: To improve DOD's ability to oversee its inventory of leased real property, aimed at improving the accuracy and completeness of data in RPAD, the Secretary of Defense should direct the Secretary of the Army to enforce DOD's Real Property Inventory (RPI) Reporting Guidance, which states that for multiple assets associated with a single lease, the military departments and WHS must provide a breakout of the annual rent plus other costs for each asset on the same lease, to avoid overstating costs associated with such leases.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with our recommendation that Secretary of the Army enforce DOD's Real Property Inventory (RPI) Reporting Guidance to break out the annual rent plus other costs for each asset on the same lease to avoid overstating the costs associated with such leases. As of October 2016, DOD has not completed any actions to implement this recommendation.
    Recommendation: To help reduce facility costs and reliance on leased space, the Secretary of Defense should direct the Secretaries of the military departments to require that their departments look for opportunities to relocate DOD organizations in leased space to installations that may have underutilized space due to force structure reductions or other indicators of potentially available space, where such relocation is cost-effective and does not interfere with the installation's ongoing military mission.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD did not concur with our recommendation that the military departments look for opportunities to relocate DOD organizations in leased space onto installations that may have underutilized space. As of October 2016, DOD has not completed any actions to implement this recommendation.
    Recommendation: To improve DOD's ability to ensure that its leased facilities are secure, the Secretary of Defense should direct the Under Secretary of Defense (Intelligence) to request reports from the Federal Protective Service for all leased facilities on a periodic basis as determined necessary for oversight. At a minimum, the Under Secretary should request (1) the results of the assessments, (2) the date on which the last assessment was completed for each facility and the date for which the next scheduled assessment is planned, and (3) information on whether these dates meet the time frames established by Interagency Security Committee standards.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with our recommendation that DOD improve its ability to ensure that its leased facilities are secure and stated that it would collaborate with the Federal Protective Service to obtain the listing of the leased facilities the agency supports, monitor and provide oversight of the scheduling of the assessments, and review the results of the assessments. As of October 2016, DOD has not completed any actions to implement this recommendation.
    Recommendation: To improve DOD's ability to oversee its inventory of leased real property, aimed at improving the accuracy and completeness of data in RPAD, the Secretary of Defense should direct the Assistant Secretary of Defense (Energy, Installations and Environment) to modify the office's Real Property Information Model to include a data element to capture the square footage for each lease of space in a single building and also make a corresponding change to its Real Property Inventory (RPI) Reporting Guidance to require that the square footage for each individual lease be reported when multiple leases exist for a single building, to avoid overstating the total square footage assigned to each lease in RPAD.

    Agency: Department of Defense
    Status: Open

    Comments: DOD did not concur with our recommendation that the Assistant Secretary of Defense (Energy, Installations and Environment) modify the office's Real Property Information Model to include a new data element to capture the total square footage assigned to each individual lease when multiple leases exist for a single building and make a corresponding change to its guidance to avoid overstating the total square footage assigned to each lease in RPAD. As of October 2016, DOD has not completed any actions to implement this recommendation.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    8 open recommendations
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should establish a plan with timeframes for reaching agreement on a joint strategy and finalizing it in order to define and articulate a common understanding of expected outcomes and align the two agencies' activities and core processes to achieve their related missions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it will begin the process for completing a joint strategy for federal security once its memorandum of agreement with the General Services Administration is updated and signed.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should establish a plan with timeframes for reaching agreement on a joint strategy and finalizing it in order to define and articulate a common understanding of expected outcomes and align the two agencies' activities and core processes to achieve their related missions.

    Agency: General Services Administration
    Status: Open

    Comments: As of September 2017, GSA reported that until FPS works with GSA specifically on the joint strategy, no final document will be released.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should establish a plan with timeframes for reaching agreement on the two agencies' respective roles and responsibilities for federal facility security, and update and finalize the two agencies' MOA accordingly.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it is working internally to prepare the memorandum of agreement for review and signature by the FPS Director, pending no additional changes are required to the document.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should establish a plan with timeframes for reaching agreement on the two agencies' respective roles and responsibilities for federal facility security, and update and finalize the two agencies' MOA accordingly.

    Agency: General Services Administration
    Status: Open

    Comments: As of September 2017, GSA reported sending a final MOA draft to FPS in December 2015 and stated that it hopes to have a signed MOA by both agencies when leadership is in place.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should develop a process to ensure that compatible policies and procedures, including those for information sharing, are communicated at the regional level so that regional officials at both agencies have common information on how to operationalize the two agencies' collaborative efforts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it will begin the process for the issuance of a joint field guidance for working with the General Services Administration (GSA) once its memorandum of agreement with GSA is updated and signed.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should develop a process to ensure that compatible policies and procedures, including those for information sharing, are communicated at the regional level so that regional officials at both agencies have common information on how to operationalize the two agencies' collaborative efforts.

    Agency: General Services Administration
    Status: Open

    Comments: As of September 2017, GSA reported developing and releasing "GSA Order 1000.1 Document Security for Handling Facility Security Assessments" to ensure that when GSA receives a Facility Security Assessment from FPS, it will be handled in a consistent, appropriate manner.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should develop mechanisms to monitor, evaluate, and report on their collaborative efforts to protect federal facilities in order to identify possible areas for improvement and to reinforce accountability.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, FPS reported that it will begin the process for the appointment of an FPS-GSA Liaison once its memorandum of agreement with GSA is updated and signed.
    Recommendation: Given the collaboration challenges that FPS and GSA face in protecting federal facilities, GAO is making four recommendations to the Secretary of Homeland Security and the Administrator of the General Services Administration. FPS and GSA headquarters officials should develop mechanisms to monitor, evaluate, and report on their collaborative efforts to protect federal facilities in order to identify possible areas for improvement and to reinforce accountability.

    Agency: General Services Administration
    Status: Open

    Comments: As of September 2017, GSA reported that the updated MOA will cover this recommendation once signed.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: To assist U.S. installations in protecting against insider threats, the Secretary of Defense should direct the military services to share information about actions U.S. installations have taken to address insider threats by consistently using existing mechanisms--such as working groups, lessons-learned information systems, and antiterrorism web portals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To assist DOD leadership in their oversight and decision-making process, the Secretary of Defense should direct the DOD leaders on the Mission Assurance Coordination Boards and the military services to take steps to improve the consistency of reporting and monitoring of the implementation of recommendations from the independent review of the 2009 Fort Hood shooting. Such steps could include DOD and the military services developing criteria for consistent reporting on the progress of recommendations and the military services providing periodic reports to the Mission Assurance Coordination Boards on the status of Fort Hood recommendations at the service level and installation level.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of the Department of Homeland Security should direct FPS to develop and implement a strategy for using covert-testing data and data on prohibited items to improve FPS's security-screening efforts. The strategy should, at a minimum, aim to ensure that: (1) covert-testing data are used to systematically monitor, review, and improve performance nationwide; (2) covert-testing data are used to determine which testing scenarios will be implemented or reinstated; and (3) data on prohibited items are analyzed to determine the reasons for wide variations in the number of reported prohibited-items detected across buildings and to assist with managing the screening process and informing policy.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, implementation of this recommendation was in process, according to the Federal Protective Service (FPS). FPS provided no additional information, but plans to update GAO in the coming weeks on the status of this and other open recommendations.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the Department has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the General Services Administration should assess the building and access control systems that it owns in FPS-protected facilities in a manner that is fully consistent with FISMA and its implementation guidelines.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: As of October 2016, GSA recently provided documentation about its assessments of the control systems that the agency owns in FPS-protected facilities. We are reviewing this information to determine whether GSA has implemented the recommendation.
    Director: Stephen Caldwell
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has taken action in response to GAO's September 2014 recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments, but has not fully implemented the recommendation. DHS first reported to GAO in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group comprised of a variety of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IPGateway portal--IP's system that houses infrastructure data and identifies facilities that have been assessed by IP. In a July 2016 update, DHS reported that IP had reached agreement with DHS components to expand access to its IP Gateway portal to those partners as a means to share IP's vulnerability assessment information and help coordinate assessment visits and related activities. DHS also noted in its update that IP had begun providing access to IP Gateway to components within DHS but did not provide a date as to when that step would be complete. These are positive steps toward implementing a systematic and integrated approach for facilitating data sharing and coordination of vulnerability assessments throughout the department. However, developing a department-wide process to facilitate data sharing and coordination among the DHS offices and components that conduct or require vulnerability assessments would better enable DHS to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct. Because DHS is still in the process of completing these steps, the recommendation has not yet been fully implemented.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSA) and other federal agencies to determine the areas they capture.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Director: Courts, Michael J
    Phone: (202) 512-8980

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct the Under Secretary for Management to identify and eliminate inconsistencies between and within the Foreign Affairs Manual, Foreign Affairs Handbook (FAH), and other guidance concerning physical security.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State has taken steps to revise sections of the Foreign Affairs Manual and Foreign Affairs Handbook related to physical security through the Security Standards Committee. The committee, which is made up of DS and OBO officials, meet weekly to create and revise physical security standards, as needed. In addition, DS officials review all relevant sections of the FAM and FAH each year. However, as of March 2017, State has not provided evidence that it has conducted a comprehensive review of all physical security guidance to identify inconsistencies.
    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to clarify existing flexibilities in the FAH to ensure that security and life-safety updates to the OSPB standards and Physical Security Handbook are updated through an expedited review process.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State is in the process of revising the OSPB Working Group Guidelines in the FAH to clarify existing flexibilities for and to formalize an expedited process for making security and life-safety updates to the OSPB standards and Physical Security Handbook. As of April 2017 this action had not been completed, and State now expects to complete this action by the end of calendar year 2017.
    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: Although State has not developed a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks, officials agree with the intent of the recommendation and are taking actions to address it. For example, State?s Security Standards Committee, which is made up of DS and OBO officials, meet weekly to create and revise physical security standards, as needed. In addition, DS officials conduct an annual review of all the relevant sections of the FAM and FAH, which includes the OSPB standards and the Physical Security Handbook. However, as of March 2017, State had not provided evidence proving that it specifically considers evolving threats and risks when reviewing OSPB standards and the Physical Security Handbook.
    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State is taking a number of actions to regularly reassess the risk that various posts and facilities face. For example, Regional Security Officers are required to conduct a physical security review for every work facility at least once a year at high-threat, high-risk posts, and every three years at all other posts. State also now conducts an annual process, the Vital Presence Validation Process, to reassess the risk taken to operate at each of the high-threat, high-risk posts. However, as of March 2017, it is unclear whether temporary and interim facilities are being reviewed and reassessed during these or other processes.
    Recommendation: To strengthen the effectiveness of the Department of State's risk management policies, the Secretary of State should develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State has created a working group to draft a revision to the risk management policy. As of April 2017, State anticipates that the update will be published in 2018.
    Director: David C. Trimble
    Phone: (202) 512-3841

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the security of radiological sources at industrial facilities is reasonably assured, the Chairman of the Nuclear Regulatory Commission should conduct an assessment of the T&R process--by which licensees approve employees for unescorted access--to determine if it provides reasonable assurance against insider threats, including (1) determining why criminal history information concerning convictions for terroristic threats was not provided to a licensee during the T&R process to establish if this represents an isolated case or a systemic weakness in the T&R process; and (2) revising, to the extent permitted by law, the T&R process to provide specific guidance to licensees on how to review a employee's background. NRC should also consider whether certain criminal convictions or other indicators should disqualify an employee from T&R or trigger a greater role for NRC.

    Agency: Nuclear Regulatory Commission
    Status: Open
    Priority recommendation

    Comments: On December 14, 2016, the NRC provided Congress with a report detailing its review of the effectiveness of the requirements in 10 CFR Part 37 to determine whether any additional security measures, guidance updates, rulemaking changes, or licensee outreach efforts are appropriate. The completion of the 10 CFR Part 37 program review included insights into the effectiveness of the T&R process. Specifically, the review generated recommendations for enhancements in the area of T&R, including, among other things, increased controls for protection of information related to individuals having access to Category 1 and 2 quantities of radioactive materials; improved guidance related to information individuals must disclose when applying for unescorted access; development of sample forms or templates for use in T&R evaluations; and improved coordination efforts with the FBI to share potential terrorist threat information involving individuals seeking approval for new or continued unescorted access to Category 1 and 2 quantities of radioactive materials. However, certain aspects of the NRC staff's assessment of the T&R process remain ongoing. Specifically, on November 25, 2016, the staff closed Temporary Instruction (TI) 2800/042, "Evaluation of Trustworthiness and Reliability Determinations," and is using the information gained from the TI to consider additional enhancements to the T&R process. As part of this continuing effort, the NRC will evaluate the potential use of disqualifying criteria in making T&R determinations and the incorporation of additional insider mitigation program features, such as requiring the self-reporting of legal actions, into the T&R process to which the individual has been subject. The NRC expects this evaluation to be completed in December 2017.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other securityrelated planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyberrelated threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update status of implementation efforts.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To improve the management and oversight of FPS's contract guard program, the Secretary of Homeland Security should direct the Under Secretary of National Protection and Programs Directorate (NPPD) and the Director of FPS to take immediate steps to determine which guards have not had screener or active-shooter scenario training and provide it to them and, as part of developing a national lesson plan, decide how and how often these trainings will be provided in the future.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS has indicated that they plan to implement this recommendation through its implementation of a training management system. FPS anticipates beginning implementation of this system in early 2018 and completing implementation by August 2018. GAO will continue to work with FPS to determine whether this recommendation has been implemented.
    Recommendation: To improve the management and oversight of FPS's contract guard program, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to require that contract guard companies' instructors be certified to teach basic and refresher training courses to guards and evaluate whether a standardized instructor certification process should be implemented.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FPS has indicated that they are currently assessing options for implementing a national lesson plan for guard training that addresses this recommendation. GAO will continue to work with FPS to determine whether this recommendation has been implemented.
    Director: Gambler, Rebecca S
    Phone: (202) 512-8777

    3 open recommendations
    Recommendation: To improve the usefulness of southwest border crossing wait time data for informing public and management decisions, the Commissioner of CBP should identify and carry out steps that can be taken to help CBP port officials overcome challenges to consistent implementation of existing wait time estimation methodologies. Steps for ensuring consistent implementation of these methodologies could include, for example, implementing the fiscal year 2008 Western Hemisphere Travel Initiative report recommendations to use closed-circuit television cameras to measure wait time in real time and provide a standardized measurement and validation tool.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: As of May 2017, CBP officials report that in order to avoid further investment in a manual wait time methodology, the agency plans to focus resources on developing an enterprise-wide solution for automating the measurement of border delays. CBP estimates that this recommendation will be completed in October 2017.
    Recommendation: To improve the usefulness of southwest border crossing wait time data for informing public and management decisions, the Commissioner of CBP should, in consultation with Federal Highway Administration and state DOTs, assess the feasibility of replacing current methods of manually calculating wait times with automated methods, which could include assessing all of the associated costs and benefits, options for how the agency will use and publicly report the results of automated data collection, the potential trade-offs associated with moving to this new system, and other factors such as those influencing the possible expansion of existing automation efforts to the 34 other locations that currently report wait times but have no automation projects under way.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: As of May 2017, CBP's Office of Field Operations (OFO) reports working to identify a feasible and cost effective wait time solution to measure commercial vehicle delays along the southern border. Specifically, CBP officials report that they have been partnering with the Federal Highway Administration and the Texas A&M's Transportation Institute on the deployment of an automated radio-frequency identification measurement solution to measure commercial delays at eight crossings. To verify the accuracy of the automated wait time data, CBP officials report that in June 2016 they conducted a ground-truth analysis with mixed results. CBP officials report DHS Science and Technology directorate delivered their final report in February 2017 and by the end of September 2017, pending review and acceptance of the report's findings, CBP will coordinate efforts to develop the required communication protocols and data schematics for near real-time commercial vehicle wait time updates to the CBP Border Wait Time website and Border Wait Time app. CBP estimates that this recommendation will be completed in October 2017.
    Recommendation: To better ensure that CBP's Office of Field Operations' (OFO) staffing processes are transparent and to help ensure CBP can demonstrate that these resource decisions have effectively addressed CBP's mission needs, the Commissioner of CBP should document the methodology and process OFO uses to allocate staff to land ports of entry on the southwest border, including the rationales and factors considered in making these decisions.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: As of May 2017, CBP's Office of Field Operations (OFO) reports that they have adopted a workload staffing model to identify CBP staffing requirements at land ports of entry. CBP officials report that the workload staffing model provides senior leadership with a decision-support tool to identify the number of required resources for each location and accounts for distinct operating environments, unique variables, and major functions and activities. CBP officials report that they use the workload staffing model results in its budget requests and when allocating staff to the ports of entry. However, CBP has not provided GAO with documentation showing how staff are allocated among land ports of entry including how workload staffing model results are used in this process. CBP officials report that in May 2017 OFO began working with contracted experts to synthesize the quantitative and qualitative data available and develop a comprehensive CBP position allocation methodology. CBP estimates that this recommendation will be completed in March 2018.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    2 open recommendations
    Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate (NPPD), the Assistant Secretary for NIPP's Office of Infrastructure Protection (IP), and Director of ISCD to develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD's risk assessment approach consistent with the NIPP and the CFATS rule.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, they completed development of an updated tiering methodology, which incorporates improvements based on recommendations from both the external peer review of the tiering methodology and a Sandia National Laboratory (Sandia) report on economic consequences, which was submitted to the Department in the first quarter of fiscal year (FY) 2015. Additionally, according to the officials, DHS continued hosting meetings of an external experts panel consisting of representatives from other Federal agencies and the chemical and oil and natural gas industries, who have met repeatedly to review and provide input on the proposed improvements to the Chemical Facility Anti-Terrorism Standards (CFATS) tiering methodology. As noted in the tiering methodology improvement plan previously provided by the Department to GAO, the ISCD is having external entities validate and verify the updated methodology before deployment. To that end, the Homeland Security Studies and Analysis Institute (HSSAI) has reviewed and provided findings and recommendations on all parts of the updated tiering engine. Additionally, Sandia has been conducting component testing of the tiering engine as it is being updated and, beginning in January 2016, Sandia will conduct end-to-end testing of the engine. Concurrent with these efforts, ISCD has been updating the Chemical Security Assessment Tool (CSAT) applications which currently support the collection of the data used by the CFATS tiering methodology (i.e., Top-Screen, Security Vulnerability Assessment). According to the officials, deployment of these new applications cannot occur until the DHS's Information Collection Request (ICR) is approved by the White House's Office of Management and Budget (OMB), which the Department anticipates submitting to OMB in the third quarter of fiscal year 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
    Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and Director of ISCD to conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach, that fully validates and verifies ISCD's risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, the updated CFATS risk-based tiering methodology has been developed and portions of it are undergoing independent review from both HSSAI and Sandia. An independent verification and validation of the updated tiering methodology is scheduled to be conducted by Sandia beginning in January 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
    Director: Caldwell, Stephen L
    Phone: (202)512-9610

    1 open recommendations
    Recommendation: To better ensure consistent implementation of and accountability for DHS's resilience policy, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to develop an implementation strategy for this new policy that identifies the following characteristics and others that may be deemed appropriate: (1) steps needed to achieve results, by developing priorities, milestones, and performance measures; (2) responsible entities, their roles compared with those of others, and mechanisms needed for successful coordination; and (3) sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In the 60-day letter provided in January 2013, DHS indicated that the Resilience Integration Team (RIT) was developing a draft implementation plan to be circulated among relevant stakeholders for review. On 10/30/13, we notified DHS that we would like to see a copy of the resilience policy implementation plan (if developed), or any other related documentation if the plan is still in development. We were informed later that day that a draft plan had been developed, and DHS needed to confirm its status. In May of 2015, we were told again that a draft plan had been developed but never finalized. As of August 2015, DHS's Policy Office is looking into the status of plan development. We await their response. DHS response still pending as of 10/4/16.
    Director: Caldwell, Stephen L
    Phone: (202)512-3000

    1 open recommendations
    Recommendation: To strengthen the Coast Guard's efforts to ensure the security of OCS facilities and deepwater ports, the Commandant of the Coast Guard should make improvements to the Marine Information for Safety and Law Enforcement (MISLE) database or MISLE guidance to better ensure that all OCS facilities, both fixed and floating, are accurately and consistently identified and that the results of security inspections are consistently recorded to allow for better data analyses and management of the security inspections process.

    Agency: Department of Homeland Security: United States Coast Guard
    Status: Open

    Comments: In June 2015, the Coast Guard updated its Marine Information for Safety and Law Enforcement (MISLE) Facilities User Guide to reflect an added feature to MISLE that allows users to identify if a vessel or facility is an OCS facility regulated under the Maritime Transportation Security Act (MTSA), 33 CFR 106. To ensure that this added feature is used in a consistent manner to accurately classify facilities that are regulated under 33 CFR 106, the Coast Guard is in the process of updating Navigation and Vessel Inspection Circular 05-03. In mid-November 2016, the Coast Guard liaison noted that the Coast Guard expects to issue the updated circular and complete related activities by the end of October 2017. On March 24, 2017, the Coast Guard liaison sent an email to notify GAO that the Coast Guard is still awaiting final decision on deployment of Homeport 2.0, prior to finalizing NVIC 5-03 and that the MISLE User Guide remains under development, with the estimated completion date (ECD) remaining as 10/31/17.
    Director: Goldstein, Mark L
    Phone: (202)512-6670

    2 open recommendations
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of April 2017, The Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Justice
    Status: Open

    Comments: As of April 2017, The Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Director: Wilshusen, Gregory C
    Phone: (202)512-3000

    4 open recommendations
    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency: Department of Commerce
    Status: Open

    Comments: As of June 2017, Commerce had not submitted information or plans regarding revoking PIV cards in a timely fashion.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency: Department of the Interior
    Status: Open

    Comments: As of June 2017, Interior had not yet provided specific implementation plans for enabling PIV access to the department's major facilities.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency: Department of Labor
    Status: Open

    Comments: As of June 2017, Labor had not provided any information about whether the department's plans for PIV-enabled physical access at major facilities were being implemented in a timely manner.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: As of March 2017, NASA reported that it had begun implementing procedures for PIV-based logical access for the Apple Mac computers and mobile devices in its computing environment. NASA procured software to begin the transition of the Apple computers, but due to configuration issues the transition was not scheduled to be completed until December 2017. Further, NASA had begun the transition for mobile devices, which was scheduled to be completed by September 2017.
    Director: Clark, Cheryl E
    Phone: (202)512-9521

    3 open recommendations
    Recommendation: Based on a review of all existing contracts under $100,000 without an appointed COTR that should require contract employees to obtain favorable background investigation results, the Commissioner of the IRS should direct the appropriate IRS officials to amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it has completed its contract review and made appropriate modifications as of July 2016. However, the modifications to the contracts were not made available for our review during the fiscal year 2016 audit. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, several internal organizations will partner to identify the remaining actions needed to address this recommendation. According to IRS, these actions include developing policies and procedures to reasonably assure that (1) oversight between IRS's key offices is conducted to determine whether potential service awards IRS enters into involve routine, unescorted, unsupervised physical access to taxpayer information by contractors, thus requiring background investigations, and (2) the resulting processes make clear who is responsible for completing the various steps, as well as who must maintain documentation of the approved access determination prior to the contractor being allowed to provide the services. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, it would update campus post orders to help ensure timely reporting, monitoring and repair of exterior lighting outages. In addition, AWSS engaged in discussions with personnel from FPS and GSA to coordinate responsibilities and suggested changes for post orders when security services are contracted by those entities. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.