Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Information technology"

    138 publications with a total of 893 open recommendations including 63 priority recommendations
    Director: Carol C. Harris
    Phone: (202) 512-4456

    25 open recommendations
    Recommendation: The Administrator of General Services should disseminate the 16 agency-focused lessons learned that have not been fully incorporated in GSA guidance to the agencies involved in the current transition. (Recommendation 1)

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer verifies the completeness of its inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory. (Recommendation 2)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer completes efforts to identify future telecommunications needs and areas for optimization, identifies the costs and benefits of new technology, and aligns USDA's approach with its long-term plans. (Recommendation 3)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer identifies transition-related roles and responsibilities related to the management of assets, human capital, and information security, and legal expertise; develops a transition communications plan; and uses configuration and change-management processes in USDA's transition. (Recommendation 4)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer documents the costs and benefits of transition investments, identifies staff resources needed for the remainder of the transition, and analyzes training needs for staff assisting with the transition. (Recommendation 5)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer demonstrates that the Department's transition goals and measures align with its mission, identifies transition risks related to critical systems and continuity of operations, and identifies mission-critical priorities in USDA's transition timeline. (Recommendation 6)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer verifies the completeness of DOL's inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory. (Recommendation 7)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies the agency's future telecommunications needs, completes a strategic analysis of the agency's telecommunications requirements, and incorporates the requirements into transition planning. (Recommendation 8)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies transition-related roles and responsibilities related to the management of assets, human capital, and information security, and legal expertise; develops a transition communications plan; and uses project, configuration, and change-management processes in DOL's transition (Recommendation 9)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies the resources needed for the full transition, develops justifications for the costs of changes to hardware and software, identifies staff resources needed for the remainder of the transition, and analyzes training needs for staff assisting with the transition. (Recommendation 10)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies transition risks related to information security, critical systems, and continuity of operations, and identifies mission-critical priorities in DOL's transition timeline. (Recommendation 11)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer identifies the agency's future telecommunications needs, areas for optimization, and the costs and benefits of new technology; completes a strategic analysis of the commission's telecommunications requirements; and incorporates the identified requirements into transition planning. (Recommendation 12)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer identifies roles and responsibilities related to the management of assets and human capital and legal expertise for the transition; includes key local and regional officials in SEC's transition communications plan; and completes efforts to use configuration and change management processes in the transition. (Recommendation 13)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer identifies the resources needed for the full transition, justifies requests for transition resources, identifies staff resources needed for the full transition, and completes efforts to analyze training needs for staff assisting with the transition. (Recommendation 14)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer completes efforts to demonstrate that the commission's transition goals and measures align with its mission, identifies transition risks related to critical systems and continuity of operations, and identifies mission-critical priorities in SEC's transition timeline. (Recommendation 15)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer verifies the completeness of SSA's inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory regarding services other than local and long-distance telecommunications. (Recommendation 16)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer completes identification of the agency's future telecommunications needs and aligns its approach with the agency's enterprise architecture. (Recommendation 17)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer uses configuration and change-management processes in its transition. (Recommendation 18)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer identifies the resources needed for the full transition, documents the costs and benefits of transition investments, identifies staff resources needed for the remainder of the transition, and analyzes training needs for all staff working on the transition. (Recommendation 19)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer completes efforts to identify measures of success for the transition, identifies transition risks related to critical systems and continuity of operations, and identifies mission-critical priorities in SSA's transition timeline. (Recommendation 20)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer verifies the completeness of DOT's inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory. (Recommendation 21)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer identifies the agency's future telecommunications needs, areas for optimization, and costs and benefits of new technology; and completes efforts to align DOT's approach with its long-term plans and enterprise architecture. (Recommendation 22)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer identifies roles and responsibilities related to the management of assets and human capital and legal expertise for the transition; develops a transition communications plan; and fully uses configuration and change-management processes in DOT's transition. (Recommendation 23)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer fully identifies the resources needed for the full transition, justifies requests for transition resources, identifies staff resources needed for the full transition, and fully analyzes training needs for staff assisting with the transition. (Recommendation 24)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer fully demonstrates that DOT's transition goals and measures align with its mission; completely identifies transition risks related to information security, critical systems, and continuity of operations; and fully identifies mission-critical priorities in the transition timeline. (Recommendation 25)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    3 open recommendations
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task an integrated project team, made up of an IT project manager and business owner, with including specific actions in the Public Health and Medical Situational Awareness Strategy Implementation Plan for conducting all activities required to establish and operate the network.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task the integrated project team with developing a project management plan that includes measurable steps--including a timeline of tasks, resource requirements, estimates of costs, and performance metrics--that can be used to guide and monitor HHS's actions to establish the network defined in the plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance, under the leadership of the HHS CIO.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to take steps needed to ensure that system requirements are defined to align with the business needs of CNCS's future risk-based grants monitoring process (Recommendation 1).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that the system development project schedule identifies in the baseline both planned and actual dates for completing all project-level activities, and can be used to monitor and measure progress of the grant monitoring system project (Recommendation 2).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that test plans are defined and implemented to include the second version of the grant monitoring system in all stages of testing during development, and results of initial stages are approved before conducting subsequent test stages (Recommendation 3).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    6 open recommendations
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that state-based marketplace annual sustainability plans, to the extent possible, have complete 5-year budget forecasts. (Recommendation 1)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that all state-based marketplaces provide required annual financial audit reports which are in accordance with generally accepted government auditing standards. (Recommendation 2)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that marketplace IT self-sustainability risk assessments are based on fully defined measurable terms, a clear categorization process, and a defined response to high risks. (Recommendation 3)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that states develop, update, and follow performance measurement plans that allow the states to continuously identify and assess the most important IT metrics for their state marketplaces. (Recommendation 4)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to conduct operational analysis reviews and systematically monitor the performance of states' marketplace IT systems using key performance indicators. (Recommendation 5)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that metrics collected from states to monitor marketplaces' operational performance link to performance goals and include baselines and targets to monitor progress. (Recommendation 6)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    20 open recommendations
    Recommendation: As most agencies lack plans to meet OMB's data center optimization targets by the end of fiscal year 2018, it is increasingly likely that these agencies will require additional time to achieve the data center consolidation and optimization goals required by FITARA and OMB guidance. In order to provide agencies with additional time to meet OMB's data center optimization targets and achieve the related cost savings, Congress should consider extending the time frame for the data center consolidation and optimization provisions of FITARA beyond their current expiration date of October 1, 2018.

    Agency: Congress
    Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.
    Recommendation: To better ensure that agencies complete important DCOI planning documentation and that the initiative improves governmental efficiency and achieves intended cost savings, the Director of OMB should direct the Federal chief information officer to formally document a requirement for agencies to include plans, as part of existing OMB reporting mechanisms, to implement automated monitoring tools at their agency-owned data centers.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Commerce
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of the Interior
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of State
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency plans to update the plans of action and milestones with the current status, including expected completion dates.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM partially concurred with the recommendation. The agency is working on making improvements to its automated system to further support its remedial action management processes, including timely closure.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of updating security policies.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of defining role-based training requirements for its continuous monitoring program.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: To ensure that DOD implements the tasks and objectives of key cybersecurity guidance to strengthen its cybersecurity posture, the Secretary of Defense should direct the Principal Cyber Advisor to modify the criteria for closing tasks from The DOD Cyber Strategy to reflect whether tasks have been implemented, and to re-evaluate tasks that have been previously determined to be completed to ensure that they meet the modified criteria.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure that DOD implements the tasks and objectives of key cybersecurity guidance to strengthen its cybersecurity posture, the Secretary of Defense should direct the Commander of CYBERCOM, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics and DOD Chief Information Officer, to establish a timeframe and monitor implementation of the DOD Cybersecurity Campaign objective to develop cybersecurity readiness assessments to help ensure accountability.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: John H. Pendleton
    Phone: (202) 512-3489

    1 open recommendations
    Recommendation: As the department seeks to report on and achieve required cost savings, the Secretary of Defense should direct the Deputy Chief Management Officer to develop reliable cost savings estimates that include detailed information and documentation to allow for clear tracking of cost savings by DOD and Congress.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's IT strategic plan to include well-defined goals, strategies, measures, and timelines for modernizing its systems.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that the IT investment process guidance lays out the roles and responsibilities of all working groups and individuals involved in the agency's governance process.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to finalize the restructure of the Office of Information Technology, including fully defining the roles and responsibilities of the CIO.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that appropriate governance bodies review all IT investments and track corrective actions to closure.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that required operational analyses are performed for Aspen, Motor Carrier Management Information System, Sentri 2.0, and Unified Registration System on an annual basis.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify performance metrics and associated targets for the goals and objectives in the department's IT strategic plans, including the Information Resources Management strategic plan and the Health Information Strategic Plan, as they relate to the delivery of health IT and the VHA mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and described planned coordination with the Office of Information and Technology and the Veterans Health Administration to develop or revise and maintain performance metrics that support the strategic and health information technology goals and objectives. The department plans to revise performance metrics to align to new goals and objectives by June 2018.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that the department-level investment review structure is implemented as planned and that guidance on the IT governance process is documented and identifies criteria for selecting new investments, and reselecting investments currently operational at VHA.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and a document describing the proposed alignment and interdependencies between the 11 governance boards. We will continue to monitor the implementation of the proposed relationships and review any additional guidance issued that further describes the process used by the governance boards for selecting and reselecting information technology investments.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify additional performance metrics to align with VHA's core business functions, and then use these metrics to determine the extent to which the department's IT systems support performance of VHA's mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation. These steps include developing a set of core metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that information technology investments are aligned to business needs and that expected outcomes are defined prior to making the investments. The department plans to complete this work by September 2018. We will continue to monitor VA's progress on these efforts.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that unmet IT needs identified by key program areas--pharmacy benefits management, scheduling, and community care--are addressed appropriately and that related business functions are supported by IT systems to the extent required.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. The department has described its intention to ensure that unmet information technology needs for the pharmacy benefits management, scheduling, and community care program areas are addressed appropriately during fiscal year 2018 budget formulation. We will follow-up with VA to ascertain what needs have been addressed, closed, or reprioritized for each program office during fiscal year 2018.
    Director: Dicken, John E
    Phone: (202)512-7114

    1 open recommendations
    Recommendation: To ensure efficient use of generic drug user fees, facilitate oversight and transparency, and plan for risks, the Commissioner of FDA should develop a plan for administering user fee carryover that includes analyses of program costs and risks and reflects actual operational needs and contingencies.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    29 open recommendations
    Recommendation: To better ensure that federal data center optimization efforts improve governmental efficiency and achieve cost savings, the Director of OMB should direct the Federal CIO to provide the necessary oversight to ensure that each agency completes their DCOI strategic plan in accordance with OMB's guidance implementing Federal Information Technology Acquisition Reform provisions (FITARA).

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center optimization efforts improve governmental efficiency and achieve cost savings, the Director of OMB should direct the Federal CIO to provide the necessary oversight to ensure that agency reporting of achieved data center consolidation and optimization cost savings and avoidances is consistent across all reporting mechanisms, including quarterly data submissions and agency DCOI strategic plans.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and described planned actions to address it. Specifically, the department stated that it will continue to aggregate its data center inventory and update its DCOI strategic plan by OMB's April 17, 2017, submission deadline. We reviewed the updated DCOI strategic plan and found that the department included planned savings figures for fiscal years 2016 through 2018 and achieved figures for 2016. However, Commerce did not include $517 million in historical savings that the department previously reported to the Office of Management and Budget, as was required to be included in the plan. Additionally, the department's chief information officer statement, regarding compliance with Federal Information Technology Acquisition Reform Act reporting requirements, is not yet publicly available, as is required. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration agreed with our recommendation and described planned actions to address it. Specifically, the agency noted that it will continue to economize and evolve its data center optimization management and will continue to encourage open dialog and information exchange between agencies to achieve efficiencies and enhanced data center operations government-wide. We will continue to monitor the agency's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of Treasury has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation and described planned actions to address it. Specifically, the department described plans to acquire, subject to funding availability, automated monitoring tools for its enterprise data centers. It also described plans to engage OMB to rebaseline the closure target for its non-tiered data centers located outside the United States, based on the department's mission needs. In addition, the department noted that it is in the process of identifying the number of server rooms in the United States that meet the DCOI definition of a data center. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency described planned actions to address our recommendation. Specifically, the agency stated that it will update its data center optimization initiative strategic plan to include elements not reflected in the 2016 submission and will complete the plan to the extent feasible. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration agreed with our recommendation and described planned actions to address it. Specifically, the agency stated that it would provide OMB with an update to the agency's DCOI strategic plan that would address missing elements and any identified challenges. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission disagreed with our recommendation. We will continue to monitor the agency's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development described planned actions to address our recommendation. Specifically, the agency stated it would take action to complete the missing elements in its DCOI strategic plan, including addressing any identified challenges, and submit the completed strategic plan to OMB. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and described planned actions to address it. Specifically, the department stated that it will, through the integrated data collection process, continue to collect and report all initiatives resulting in cost savings and avoidances to ensure IT savings are being captured and realized. We will monitor the department's efforts to address this recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of Treasury has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation and described planned actions to address it. Specifically, the department described plans to acquire, subject to funding availability, automated monitoring tools for its enterprise data centers. It also described plans to engage OMB to rebaseline the closure target for its non-tiered data centers located outside the United States, based on the department's mission needs. In addition, the department noted that it is in the process of identifying the number of server rooms in the United States that meet the DCOI definition of a data center. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency described planned actions to address our recommendation. Specifically, the agency stated that it is working toward consistent reporting on cost savings and avoidances in future reporting submissions and is finalizing a cost analysis methodology to be applied to its data center optimization initiative strategy. The agency further stated that it would ensure consistent use of the process for all reporting queries. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development described planned actions to address our recommendation. Specifically, the agency stated it would, in accordance with OMB, take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans. We will continue to monitor the agency's progress in taking these actions.
    Director: Daniel Bertoni
    Phone: (202) 512-7215

    5 open recommendations
    including 1 priority recommendation
    Recommendation: To further align efforts to address appeals workload and improve timeliness of decisions, and reduce the risk that efforts will not go as planned, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits; the Chairman, Board of Veterans' Appeals; and the Chief Information Officer, as appropriate, to ensure development of a timely, detailed workforce plan for recruiting, hiring and training new hires. In particular, this plan should: (1) include detailed steps and timetables for updating training curriculum (such as preparing decisions in a virtual environment) and ensuring office space (such as telework guidance); and (2) incorporate risk mitigation strategies that consider how the timing of recruitment and training dovetails with uncertain time frames for implementing a new appeals process.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA took additional steps to recruit, hire, manage space and train additional FTEs to address appeals workloads. However, detailed workforce plans would help ensure timely hiring and proper supports and training. We will close this recommendation when VA provides documentation of its actions and related guidance in several areas: agency telework plan; case adjudication in an virtual environment; status of hiring for FY17; hiring goals for FY18; space management plan indicating how FY17 and FY18 hiring will be accommodated; and plans for ongoing training for remote teleworkers.
    Recommendation: To further align efforts to address appeals workload and improve timeliness of decisions, and reduce the risk that efforts will not go as planned, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits; the Chairman, Board of Veterans' Appeals; and the Chief Information Officer, as appropriate, to develop a schedule for IT updates that explicitly addresses when and how any process reform will be integrated into new systems and when Caseflow will be ready to support a potential streamlined appeals process at its onset.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred in principle with this recommendation. In July 2017, VA reported its latest actions to address this recommendation, including documentation of the 6-month road map. However, we continue to believe that while the agile process can help mitigate risks and avoid cost overruns and delays, VA should define schedules beyond 6 months. Such planning allows VA to take additional steps to consider the scope of potential changes required by a new appeals process and have a broad plan in place to ensure that all aspects of the new process are adequately supported by Caseflow.
    Recommendation: To further align efforts to address appeals workload and improve timeliness of decisions, and reduce the risk that efforts will not go as planned, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits; the Chairman, Board of Veterans' Appeals; and the Chief Information Officer, as appropriate, to conduct additional sensitivity analyses based on the assumptions used in projection models to more accurately estimate future appeals inventories and timeliness. In doing so, consider running additional analyses on how these factors, in conjunction with one another, may affect the timeliness and cost of deciding pending appeals.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred in principle with this recommendation, noting that it plans to refine the model on a regular basis. However, we continue to believe that additional analyses of potential hiring options and of the compounded effect of assumptions that VA identified is consistent with sound practices and will help the agency anticipate and plan for different contingencies. In addition, as VA goes forward with appeals process reform and begins to collect real-time data, these data could improve modeling accuracy and serve as a valuable management tool. VA also noted plans to analyze, update and refine the model. We will consider closing this recommendation when VA completes these efforts and provides documentation of plans for modeling inventories and resource needs.
    Recommendation: To further align efforts to address appeals workload and improve timeliness of decisions, and reduce the risk that efforts will not go as planned, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits; the Chairman, Board of Veterans' Appeals; and the Chief Information Officer, as appropriate, to develop a more robust plan for closely monitoring implementation of process reform that includes metrics and interim goals to help track progress, evaluate efficiency and effectiveness, and identify trouble spots.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: VA agreed in principle with this recommendation. However, to fully implement it, VA needs to develop a monitoring plan with metrics and interim goals for implementing appeal process reform. Although VA agreed that developing such a plan is valuable for monitoring the implementation of process reform, VA also stated that it considered this recommendation complete and noted that preparing such a detailed plan depends on appeals reform legislation being enacted. While we recognize that VA cannot assume to know the exact provisions that may be included in future enacted legislation, we consider having a more robust monitoring plan - for example, that includes metrics and interim goals to help track implementation progress, evaluate efficiency and effectiveness of the reformed process, and identify trouble spots - to be essential to the successful implementation of a new appeals process.
    Recommendation: To better understand whether appeals process reform, in conjunction with other efforts, has improved timeliness, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits; the Chairman, Board of Veterans' Appeals; and the Chief Information Officer, as appropriate to develop a strategy for assessing process reform--relative to the current process--that ensures transparency in reporting to Congress and the public on the extent to which VA is improving veterans' experiences with its disability appeals process.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred in principle with this recommendation and reported on its plans to measure veteran wait times as well as use customer satisfaction surveys to measure the success of the new appeals process. However, while we agree that metrics based on the different options could be valuable for VA, the Congress, and the public, we disagree that VA's focus on measuring timeliness by option is in the best interest of the veteran. Because veterans may pursue more than one option under VBA, the Board or both, we believe that VA's approach does not take into account the veteran's perspective of how long it took for them to receive a final appeal decision. Metrics from the veterans' overall perspective would complement, not replace, metrics for VBA, the Board, and each option. The absence of such metrics raises questions as to how the agency will ensure appropriate resources are devoted to managing appeals under the new versus old process, or intended results are achieved as the new process is implemented. Further, while the legislation requires VA to report a number of metrics, the agency still needs to implement the legislation. We will consider closing this recommendation when VA develops a plan for collecting metrics consistent with this recommendation.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    1 open recommendations
    Recommendation: To increase the likelihood that its IT investments develop reliable cost estimates, the Secretary of HUD should finalize, and ensure the implementation of, guidance that incorporates the best practices called for in the GAO Cost Estimating and Assessment Guide.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intends to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. HUD anticipates completing the OCIO IT Management Framework guidance that is intended to incorporate cost estimating principles for IT projects by September 1, 2017.
    Director: Powner, David A
    Phone: (202) 512-9286

    5 open recommendations
    including 2 priority recommendations
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Commerce should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing IT competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The department has not yet provided its written response to this recommendation. We will continue to monitor the department's progress in implementing the recommendation.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Defense should require the Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) develop competencies for all staff; (2) assess competency needs regularly for all positions; (3) assess gaps in competencies for all components of the workforce; (4) develop strategies and plans to address gaps in competencies; (5) implement activities that address gaps, including developing a program management career path, if justified and cost-effective; (6) monitor the department's progress in addressing competency gaps identified for IT staff; and (7) report to department leadership on progress in addressing competency gaps.

    Agency: Department of Defense
    Status: Open

    Comments: The department has provided a written response to this recommendation and we are currently evaluating it.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Health and Human Services should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process inclusive of all staff; (2) develop staffing requirements for all positions; (3) assess staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The department has provided a written response to this recommendation and we are currently evaluating it.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Transportation should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish a time frame for when the department is to finalize its draft workforce planning process and maintain that process; (2) develop staffing requirements for all positions; (3) assess competency and staffing needs regularly for all positions; (4) assess gaps in staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and use of special hiring authorities, if justified and cost-effective;e (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: The department agreed with the recommendation and stated that it plans to fully implement the recommendation by December 2019. To fully implement this recommendation, DOT should prioritize the completion of its IT workforce planning process and then begin implementing the process in phases based on the availability of resources.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of the Treasury should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements for all positions; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing for all components of the workforce; (6) implement activities that address gaps, including a career path for program managers and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps for all components of the workforce.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department has not yet provided its written response to this recommendation. We will continue to monitor the department's progress in implementing the recommendation.
    Director: Timothy J. DiNapoli
    Phone: (202) 512-4841

    5 open recommendations
    including 4 priority recommendations
    Recommendation: To better promote federal agency accountability for implementing the FSSI and category management initiatives, the Administrator of Federal Procurement Policy should ensure that transition plans are submitted and monitored as required by FSSI guidance and guidance governing specific category management initiatives.

    Agency: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy
    Status: Open
    Priority recommendation

    Comments: In October 2016, Office of Management and Budget (OMB) staff agreed that agency transitions plans should be submitted and monitored in accordance with guidance, as GAO recommended in October 2016. OMB staff indicated that all FSSIs are now being evaluated against best in class criteria as part of the migration to a category management approach to federal procurement. Further, OMB staff stated that OMB will issue additional policy or guidance as necessary. GAO believes these actions, if implemented, would meet the intent of the recommendation. As of August 1, 2017, OMB staff indicated they are continuing efforts to implement this recommendation. Given that transition plans were also required under FSSI guidance but were not submitted or monitored, it will be important for OMB to ensure that agencies follow through on submitting required plans going forward.
    Recommendation: To better promote federal agency accountability for implementing the FSSI and category management initiatives, the Administrator of Federal Procurement Policy should update the Leadership Council charter to establish an expectation that Leadership Council agencies develop agency-specific targets for use of the solutions approved.

    Agency: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy
    Status: Open
    Priority recommendation

    Comments: In October 2016, OMB staff agreed with the need for agency-specific targets for use of FSSI and category management initiatives as GAO recommended. OMB staff recommended, however, that this be accomplished through the Category Management governance and reporting procedures and processes that will be instituted in upcoming guidance, rather than an update to the Leadership Council charter. In October 2016, OMB issued a draft circular on category management establishing that spend under management will be the principal measure OMB will use to assess agency adoption of category management. OMB staff indicated that they plan to evaluate at least annually agencies' spend under management results, which includes agency adoption of best in class solutions, and then review with agency leaders progress toward meeting goals. As of August 1, 2017, OMB staff indicated they are continuing efforts to implement this recommendation. Given the low agency usage of the FSSIs, without such actions, and ensuring these targets and measures are set, OMB, and specifically the Office of Federal Procurement Policy, will lack the means to monitor progress and hold large procurement agencies accountable for using existing FSSIs or best in class solutions identified under subsequent category management efforts.
    Recommendation: To better promote federal agency accountability for implementing the FSSI and category management initiatives, the Administrator of Federal Procurement Policy should revise the 2015 category management guidance to establish a process for setting targets and performance measures for each Leadership Council agency's adoption of proposed FSSIs and category management solutions and ensure agency specific targets and measures are set.

    Agency: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy
    Status: Open
    Priority recommendation

    Comments: In October 2016, Office of Management and Budget (OMB) staff agreed that Leadership Council agency progress towards implementing category management should be tracked and measured as we recommended. OMB staff reported that guidance is in draft form in which agency progress will be measured using the Spend Under Management (SUM) model which provides an assessment of category management maturity for each of the ten government-wide categories as evaluated against five attributes: leadership, strategy, data, tools, and metrics. OMB will assess agency progress no less than annually and will engage agency leaders in regularly reviewing progress toward their goals. In addition, OMB will track agency spend through best in class contracts and these data will likely be used as an internal category metric and shared with the agencies. Taken together, these actions are responsive to GAO?s recommendations. As of August 1, 2017, OMB staff indicated they are continuing efforts to implement this recommendation. Given the low use of the FSSIs, OMB should continue to carefully monitor category management implementations as it moves forward and ensure that OFPP uses the planned targets and measures to hold agencies accountable for individual results. In short, greater accountability can lead to increased savings.
    Recommendation: To better promote federal agency accountability for implementing the FSSI and category management initiatives, the Administrator of Federal Procurement Policy should report on agency specific targets and metrics as part of the category management Cross-Agency Priority goal.

    Agency: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy
    Status: Open
    Priority recommendation

    Comments: In October 2016, Office of Management and Budget (OMB) staff agreed that agency specific targets and metrics should be reported as GAO recommended in October 2016. OMB staff indicated that results achieved relative to the Category Management Cross Agency Priority (CAP) goal targets will continue to be reported on a quarterly basis on Peformance.gov but that they will likely not include agency specific targets and metrics. Rather, OMB staff indicated that agency spending through best in class solutions will be tracked and used as an internal category metric and that OMB will engage agency leaders in regularly reviewing progress toward their goals and assess agencies no less than annually. GAO believes these actions, if implemented, would meet the intent of the recommendation. As of August 1, 2017, OMB staff indicated they are continuing efforts to implement this recommendation. Given the low agency usage of the FSSIs, OMB needs to monitor progress and hold large procurement agencies accountable for using existing FSSIs or best in class solutions identified under subsequent category management efforts.
    Recommendation: To improve the management of current FSSIs, the GSA FSSI program management office should provide oversight and support to the Information Retrieval FSSI to better align their practices with current strategic sourcing guidance related to collecting and using transactional data to calculate savings.

    Agency: General Services Administration
    Status: Open

    Comments: In response to our recommendation, GSA conducted a gap analysis of the Information Retrieval FSSI and its compliance with FSSI standards and provided the Library of Congress with FSSI best practice tools and resources related to collecting transactional data and calculating savings. According to GSA, the Library of Congress intends to address gaps to support the goal of implementation in the next Information Retrieval award in 2018. GSA will monitor progress, and provide feedback and assistance.
    Director: Brian J. Lepore
    Phone: (202) 512-4523

    1 open recommendations
    Recommendation: To aid DOD in conducting future AOA processes that fully follow best practices, the Secretary of Defense should direct the Assistant Secretary of Defense for Energy, Installations, and the Environment to develop guidance requiring the use of AOA best practices, including those practices we have identified, and in this guidance, the Assistant Secretary should define the types of military construction decisions for which these AOA best practices should be required.

    Agency: Department of Defense
    Status: Open

    Comments: In its written comments, DOD did not concur with our recommendation. Specifically, DOD disputes that our 22 best practices for a reliable Analysis of Alternatives (AOA) process apply to basing or military construction decision-making processes and therefore does not believe that the department should incorporate these best practices into its military construction decision-making process. We continue to believe that our AOA best practices can be applied to a wide range of activities in which an alternative must be selected from a set of possible options, as well as to a broad range of capability areas, projects, and programs including DOD's military construction decision-making processes. As of June 22, 2017, DOD had not taken any action to implement this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    25 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: United States Agency for International Development
    Status: Open

    Comments: We plan to follow up on the agency's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Education
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Commerce
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Energy
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Social Security Administration
    Status: Open

    Comments: In its comments on a draft of our report, SSA agreed with our recommendation. Subsequent to SSA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Transportation
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department said it had no comments on our draft report and recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of State
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its comments on a draft of our report, EPA generally agreed with our recommendation. Subsequent to EPA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In its comments on a draft of our report, NASA concurred with our recommendation. Subsequent to NASA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Small Business Administration
    Status: Open

    Comments: In comments on a draft of our report, SBA said the report captures its current posture. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In comments on a draft of our report, NRC stated that it generally agreed with the report. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In its comments on a draft of our report, OPM concurred with our recommendation. Subsequent to OPM informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

    Agency: Department of Defense
    Status: Open

    Comments: In comments on a draft of our report, the department disagreed with our recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of the Interior should direct the department's CIO to document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Director of the National Science Foundation should direct the CIO to consistently document evaluations for all applications and report cost information for them in the roadmap or other documentation.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Director: J. Christopher Mihm
    Phone: (202) 512-6806

    3 open recommendations
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Performance Improvement Council and General Services Administration, should ensure the information presented on Performance.gov consistently complies with GPRAMA public reporting requirements for the website's content.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2017, OMB staff stated that they will be partnering with a vendor to redesign Performance.gov, and plan to launch the new site in February 2018 with the fiscal year 2019 budget. Staff confirmed they will ensure that the redesigned Performance.gov site will include content that meets public reporting requirements. They stated they anticipate releasing updated agency reporting guidance in the fall of 2017 to help ensure agencies are prepared to report required data.
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Performance Improvement Council and General Services Administration, should analyze and, where appropriate, implement usability test results to improve Performance.gov.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2017, OMB staff stated that they will be partnering with a vendor to redesign Performance.gov, and plan to launch the new site in February 2018 with the fiscal year 2019 budget. Staff confirmed they will ensure that the redesigned Performance.gov site will include content that meets public reporting requirements. They stated they anticipate releasing updated agency reporting guidance in the fall of 2017 to help ensure agencies are prepared to report required data. In addition, OMB and PIC staff noted that the new vendor for Performance.gov (who had not been selected at that time) will help develop a strategic plan for the site that incorporates results from usability studies, and a stakeholder outreach plan that encompasses diverse groups including Congress, federal agency managers and staff, and other interested groups.
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Performance Improvement Council and General Services Administration, should develop a strategic plan for the future of Performance.gov. Among other things, this plan should include: (A) the goals, objectives, and resources needed to consistently meet Digitalgov.gov and GPRAMA requirements; (B) a customer outreach plan that considers how (1) OMB informs users of changes in Performance.gov, (2) OMB uses social media as a method of communication, and (3) users access Performance.gov so that OMB could, as appropriate, deploy mobile applications to communicate effectively; and (C) a strategy to manage and archive the content and data on Performance.gov in accordance with National Archives and Records Administration guidance.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2017, OMB staff stated that they will be partnering with a vendor to redesign Performance.gov, and plan to launch the new site in February 2018 with the fiscal year 2019 budget. Staff confirmed they will ensure that the redesigned Performance.gov site will include content that meets public reporting requirements. They stated they anticipate releasing updated agency reporting guidance in the fall of 2017 to help ensure agencies are prepared to report required data. In addition, OMB and PIC staff noted that the new vendor for Performance.gov (who had not been selected at that time) will help develop a strategic plan for the site that incorporates results from usability studies, and a stakeholder outreach plan that encompasses diverse groups including Congress, federal agency managers and staff, and other interested groups.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    7 open recommendations
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to prepare a level I quantitative drilldown in accordance with the FIAR Guidance.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to prepare a quantitative drilldown. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to prioritize audit readiness efforts for the key FBWT systems, prepare an audit strategy that identifies for each system (1) the Navy's plan for assessing the system to gain assurance that the system can be relied on; (2) the assessment types, including prioritizing the assessments based on qualitative and quantitative factors for each system; and (3) planned start and completion dates of these assessments for each system.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to prioritize audit readiness efforts for key FBWT systems. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to prepare, in accordance with FIAR Guidance, the documentation of control activities and information technology general computer controls for significant systems; system certifications or accreditations; system, end user, and systems documentation locations; and hardware, software, and interfaces.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to document control activities, information technology general computer controls for significant systems, systems documentation locations, and hardware, software, and interfaces. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to prepare an internal control assessment document for each assessable unit, summarizing control activities that are appropriately designed and in place.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to prepare an internal control assessment document. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to perform sufficient testing for supporting documentation to reasonably determine whether such documentation, including that for key reconciliations, is available in a sustainable manner for future audit efforts.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to test the effectiveness of Fund Balance with Treasury controls, which includes assessing the availability of supporting documentation. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to, for each fiscal year expected to be under audit, identify and address unusual and invalid transactions, abnormal balances, and missing data fields in the universe of collection and disbursement transactions.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to obtain monthly data from Defense Finance and Accounting Service on invalid Fund Balance with Treasury transactions. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Recommendation: To improve the Navy's implementation of the FIAR Guidance for its General Fund FBWT FIP and facilitate efforts to achieve SBR auditability, the Secretary of the Navy should direct the Assistant Secretary of the Navy, Financial Management and Comptroller, to update FBWT data flowcharts and narratives to fully describe the flow of data from the Navy's receipt of collection and disbursement transaction information through the financial statement line items, including the reversal of general ledger trial balance data generated by the automated system and other entries made within Defense Departmental Reporting System - Budgetary.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendations and stated that it has actions planned, taken, or under way to develop procedures and documentation that describe the processes associated with the flow of data. In August 2017 we contacted the Navy POC and requested an update on the status of this recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    8 open recommendations
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to track and review OI&T historical workforce data and projections related to leadership retirements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T's Human Capital Management Office (HCM) had completed a succession planning project that encompassed all senior leadership and included data review and risk assessment for each position. VA also stated that OI&T tracks the gains and losses associated with its leadership positions and provided this information for fiscal year 2016. However, the department has not provided documentation that supports the assertion that historical and projected OI&T leadership retirement data was presented and discussed as part of the succession planning project and did not provide data on projected retirements for OI&T's leadership positions. Additionally, the department stated that OI&T HCM has the ability to project retirement eligibility but has not provided documentation to support this assertion. It is important that VA tracks and reviews its OI&T historical workforce data and forecasts its leadership retirements to avoid being unprepared to effectively respond to vacancies in key leadership positions.
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to identify IT skills needed beyond the current fiscal year to assist in identifying future skills gaps.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that Information Technology Workforce Development (ITWD) will produce reports that identify skill gaps and will contain long-term recommendations that show the types of IT skills each organization needs to increase and which proficiency level targets need the most emphasis. As of July 2017, VA stated that ITWD reviewed, and updated where needed, the fiscal year 2017 competencies within each OI&T competency model role in order to align the models to the OI&T Transformation initiative. According to the department, the resulting updates support learning solutions that sustain and accelerate OI&T's transformation. Additionally, VA stated that 85 percent of OI&T staff completed a validated competency self-assessment and provided the OI&T fiscal year 2017 Training Gap Analysis Report which shows the strengths and gaps of OI&T by organization, trends between fiscal years 2016 and 2017, findings, next steps, and recommended actions for the next fiscal year. The department also stated that ITWD held meetings to review skill gap and learning solution reports. VA provided these reports and they present the top gaps and strengths, key findings, and next steps to address the skill gaps. While the department has taken these actions, its OI&T Training Gap Analysis Report does not identify IT skills needed beyond fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project planning, to include (1) estimating the level of effort that will need to be expended for work products and tasks, and (2) making adjustments to the project plan to reconcile differences between estimated and available resources.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and stated that OI&T is documenting changes to processes related to project planning as it transitions from PMAS to the Veteran-Focused Integration Process (VIP). According to VA, the VIP processes will lead to better requirements elaboration and prioritization, increasing significantly the accuracy of estimates related to level of effort. Additionally, the department stated that by using short Agile sprints, the project team will be able adjust the project plan frequently to reconcile differences between estimated and available resources. As of July 2017, VA stated that all projects have transitioned to the VIP, which ensures they are incorporating the Agile methodology into the project lifecycle. According to the department, the latest version of its VIP Guide incorporates the use of daily scrum and weekly scrum of scrum meetings that can be used to frequently adjust the project plan to reconcile differences between estimated and available resources. VA stated that the project planning processes will continue to evolve beyond July and expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to requirements management, to include identifying changes to be made to plans and work products as a result of requirements baseline changes.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T is revising its documentation related to requirements management as part of the transition to the Veteran-Focused Integration Process (VIP). According to VA, requirements will be tracked using the IBM Rational Tools Suite, which will be able to provide a snapshot of the original baseline and all captured changes in the form of an audit trail that captures the history of requirement changes. As of July 2017, the department stated that all projects have transitioned to the VIP and requirements baselines and subsequent changes are tracked in the Rational Tools Suite. VA also reported that efforts in fiscal year 2017 to consolidate all mandatory architectural, design, and process methodologies into a single library of requirements were successful, which resulted in combining the full body of requirements. Additionally according to the department, versioning of the requirements will allow the office to trace specific versions of individual requirements and their evolution by time period and project inheritance. VA stated that it expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to risk management, to include (1) determining costs and benefits of implementing the risk mitigation plan for each risk and (2) collecting performance measures on risk handling activities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the IBM Rational Tools Suite will be used to manage risks and issues. According to VA, the tools suite will allow requirements to be linked to risks, which will provide traceability; teams will be able to track and report steps taken to mitigate risks; and an audit trail will show the history of changes made to each risk. The department also reported that the Office of Privacy and Risk will establish risk mitigation strategies for OI&T. As of July 2017, VA stated that risks data capture has been developed as a standardized process and that data on project and program risks in the Rational Tools Suite is aggregated and prepared for use to verify aggressive management, and will be included in enterprise reporting. The department stated that work is underway with the Performance Management Office and that OI&T expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project monitoring and control, to include the 10 best practices that were missing from the guidance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that implementation of the Veteran-Focused Integration Process (VIP) and Agile processes within OI&T will address eight of the ten best practices related to project monitoring and control that were missing from its guidance. In regard to monitoring the knowledge and skills of project staff, OI&T's IT Workforce Development (ITWD) group collects and analyzes competency assessment data, which is used in requirements gathering meetings with OI&T leaders. According to VA, during these meetings organizational needs and next steps are discussed in detail. Additionally, the department's latest version of its VIP Guide states that the product team should be cross-functional and include all skills needed to deliver a product. Further, the department reported that data management activities, issues, and impacts will be managed using VIP, Agile, and IBM Rational Tools Suite. According to its VIP Guide, OI&T expects that all products follow the Agile product management process and use the Rational Tools Suite to manage scheduled product sprints and backlog, product requirements, risks and issues, and product planning and engineering documentation, among others. Also, VA stated that Agile methodologies will require stakeholders to be involved in the daily scrum meetings, user acceptance testing, and acceptance of deliverables, which will address stakeholders being involved regularly and documenting the results of stakeholder involvement status reviews. According to the VIP Guide, the Agile development methodologies require development teams to meet often with stakeholders to ensure transparency and foster a collaborative work environment. Additionally, the department stated that critical decision events are using Rational based data assessments to report on level of satisfaction of project controls and process compliance requirements. Further, according to the VIP Guide, the Product Owner will have a key role in the decision-making process during the development of the product and will be able to regularly express concerns and/or approvals to best meet user satisfaction. The department stated that critical decision events are being held at the portfolio level, and action items from these events are being tracked. VA provided meeting minutes from critical decision events that were held in October and December 2016. The December 2016 meeting minutes identified action items and the status of those items. Although VA has taken actions to address the majority of best practices related to project monitoring and control, the department's new VIP process does not include two practices that call for (1) tracking expended effort and (2) monitoring the utilization of staff and resources. Until OI&T's documented processes for project monitoring and control fully reflect best practices, the office is at risk that its projects will not achieve expected results.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to process and product quality assurance, to include (1) documenting a description of the quality assurance reporting chain and defining how objectivity will be ensured, and (2) periodically reviewing open noncompliance issues and trends with management that is designated to receive and act on them.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of the Veteran-Focused Integration Process (VIP), Agile processes, and the Rational Toolset within OI&T will address process and product quality assurance. According to VA, as a part of VIP, the Product Owner is engaged from intake through project completion, which will ensure that the quality of the product is maintained throughout the life cycle. Additionally the department reported that the process of periodically reviewing open non-compliance issues and trends with management that is designated to receive and act on them will be accomplished through CIOStat meetings held with OI&T senior leadership. VA also reported that the Rational Quality Manager tool is used to automate routine testing activities to identify non-compliance issues and trends. As of July 2017, the department stated that the Product Owner is beginning to have a stronger role on the project team, which enables them to assist in all types of issues, including quality assurance. VA also stated that Release Agents develop and distribute Release Readiness Reports, which provide a status of all release requirements and of traceability among requirements, deliverables, and test results. VA expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project scheduling, to include the 9 best practices that were missing from the guidance and revise the documented processes where the guidance was contrary to best practices.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of VIP and Agile processes within OI&T will address five of the nine best practices related to project scheduling that are missing from its guidance. According to VA, business and compliance requirements will be captured during the planning phase and maintained in the IBM Rational Tools Suite to manage scheduled project/product builds and backlog which will allow the project to more accurately maintain the schedule baseline, capture all schedule changes, and provides an audit trail of all the changes. Additionally, the department reported that the IBM Rational Tools Suite connects requirements, change orders, test cases, and test results in order to have full traceability in a closed loop system. VA also noted that the use of short development builds within Agile increases the probability of successful adherence to the schedule; and Agile provides the flexibility to make schedule changes using the backlog to prioritize requirements. As of July 2017, VA stated that Project Build Planning sessions capture and prioritize all backlog items with high level activities captured in the VIP Dashboard; and that each project task receives an estimated duration. The department also stated that the project team commits to a high level scope for each build and then the scope is solidified and committed to in detail at each Sprint Plan. According to VA, at the end of each sprint the Product Owner accepts or rejects the product of what was committed to at Sprint Planning. The department also stated that there is a high-level commitment at the Critical Decision 1 meeting; that each build gets committed to at a more granular level; and that sprint planning includes establishing a firm commitment for exactly what will be completed during the sprint. The department further stated that part of the Agile process being used by OI&T removes rigid, mandatory constraints as long as project teams follow compliance epics. Additionally, the department reported that because of the use of Agile methodology, if a task is critical today, the project team can reprioritize and address the needs of the project immediately. According to VA, Agile supports both sustainment and development projects, by allowing changes to the project backlog to address high priority functionality. VA also stated that Agile allows flexibility to shift from one build to another based on priorities and to shift backlog items based on VIP Triad priorities. Additionally, according to the department, risks are managed in the Rational Tools Suite and impediments are raised and escalated during daily scrums and scrum of scrum calls. The VIP Guide indicates that product teams are required to make timely updates to the VIP Dashboard regarding schedule and that the Rational Tools Suite will be used to manage and administer source control and baselines; manage risks and issues; and manage scheduled product sprints and backlogs. However, the VIP Guide does not include practices to (1) document that each project task should receive a duration estimate; (2)require that the project schedule be traceable horizontally and vertically; (3) sequence all activities; and (4) confirm that the critical path is valid. Until OI&T's documented processes for developing schedules fully reflect best practices, the office is at risk that schedules created for its projects will not be reliable.
    Director: David A. Powner
    Phone: (202) 512-9286

    12 open recommendations
    Recommendation: In order to improve the accuracy of IT Dashboard incremental development data, the Director of OMB should direct the Federal Chief Information Officer (CIO) to clarify existing guidance regarding what IT investments are and are not subject to requirements on the use of incremental development and how CIOs should report the status of projects that are not subject to these requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has taken initial steps to implement our recommendation. Specifically, OMB's June 2016 annual capital planning guidance for fiscal year 2018 included instructions on what types of investments were required to adhere to incremental development requirements related to the delivery of usable functionality. The guidance stated that all software development projects are required to produce usable functionality at intervals of no more than six months. Further, all major development projects within investments are required to use modular/agile principles. However, OMB's guidance still lacks direction on how CIOs are to report the status of nonsoftware projects, as we recommended. In the absence of our recommended guidance clarification, OMB is at risk of agencies continuing to be unclear about how nonsoftware development investment data are to be reported on the Dashboard, increasing the risk that data on the IT Dashboard will not always be accurate. We will continue to evaluate OMB's progress in clarifying its guidance and considering a change to provide more detailed guidance related to the reporting of nonsoftware development investment data.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the Enterprise Business Management Office within the Office of the Chief Information Officer will validate each investment reported on the Dashboard and work with program officials to ensure they appropriately update the data for the IT Dashboard. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation and stated that the department will ensure that the data is kept current using their IT portfolio management process. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that these changes would be incorporated into the department?s Dashboard reporting. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) partially concurred with our recommendation and stated that the department is taking action to update the Dashboard data as appropriate. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) concurred with our recommendation and stated the department was committed to ensuring the information on the IT Dashboard reflects up to date information. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation to establish a departmentwide certification policy. Education officials reported in March 2017 that the department will complete changes to its guidance by November 2017. However, until this guidance is finalized, Education will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate Education's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) did not concur with our recommendation, stating that its existing guidance was adequate in this area. However, in August 2016, Defense issued its fiscal year 2018 budget submission guidance which required each component CIO to certify that IT investments were adequately implementing incremental development. The component CIOs were to document the certification in a statement of compliance memorandum, using their agency's letterhead, and submit the memorandum to the Defense CIO. Defense officials report that this same guidance will be added to the Financial Management Regulations during summer 2017. Until this annual guidance has been updated and incorporated into the department's standing policies, Defense is at risk of overlooking this requirement in subsequent years. We will continue to evaluate Defense's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation to establish a departmentwide certification policy. However, HHS officials reported in April 2017 that they did not have a timeframe for when the department's new certification guidance would be completed. Until this guidance is finalized, HHS will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate HHS's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendations. Further, Treasury officials reported in March 2017 that it had no plans to revise its policies, as we recommended. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to ensure that goals and associated performance measures are outcome-oriented and that performance measures have targets, including (1) performance measures and targets tied to fully recovering program costs; and (2) goals, performance measures, and targets for how the program will achieve its mission after September 2016.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures and targets. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to reflect additional 18F goals and performance measures, including measures tied to fully recovering program costs. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to assess actual results for each performance measure.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures with targets. Additionally, GSA has assessed actual results of the performance measures for the first two quarters of fiscal year 2017. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to include additional 18F goals and performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to ensure that all goals and associated performance measures are outcome-oriented and that performance measures have targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common, platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to assess actual results for each performance measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common, platforms, services, and tools. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update USDS policy to clearly define the responsibilities and authorities governing the relationships between CIOs and the digital service teams and require existing agency digital service teams to address this policy. In doing so, the Federal Chief Information Officer should ensure that this policy is aligned with relevant federal law and OMB guidance on CIO responsibilities and authorities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: Neumann, John
    Phone: (202) 512-3841

    1 open recommendations
    Recommendation: To ensure that DOE's control activities continue to be relevant and effective for managing supply chain risk, the Secretary should direct the Under Secretary for Nuclear Security, as the Administrator of the NNSA, to work with the Office of Intelligence and Counterintelligence and other DOE organizations, as appropriate, to assess the circumstances that might warrant using the enhanced procurement authority, and (1) if this assessment identifies circumstances that might warrant using the authority, the Secretary should direct the Under Secretary for Nuclear Security to work with other DOE organizations, as appropriate, to establish processes for using it and examine whether adequate resources are in place to support those processes, and (2) communicate the results of this assessment to the relevant congressional committees for their use in determining whether to extend the authority past its current termination date.

    Agency: Department of Energy
    Status: Open

    Comments: In an October 7, 2016, letter the Under Secretary for Nuclear Security and Administrator of the National Nuclear Security Administration (NNSA) said he agreed with GAO's recommendation to assess situations that might warrant the use of the enhanced procurement authority and, should specific circumstances be identified for use of the authority, NNSA would develop a process for its use. The assessment would include an examination of resources to support use of the authority. NNSA would work with other Department of Energy organizations as appropriate in conducting the assessment. The results would be shared with relevant congressional committees, as GAO recommended. NNSA had anticipated completion of the assessment by March 2017, but on June 1, 2017, NNSA officials told us they anticipated the completion date would be September 30, 2017.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    7 open recommendations
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to update the CEDCAP program office cost estimate to reflect the current status of the program as soon as appropriate information becomes available.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In May 2017, the Census Bureau provided summary documentation that included the fiscal year 2015 through 2021 estimated lifecycle costs for the Census Enterprise Data Collection and Processing (CEDCAP) program; however, this information lacked the level of detail needed to determine whether the cost estimate reflects the current status of the program. In addition, in June 2017, the Bureau developed a draft version of the CEDCAP Cost Analysis Requirements Description (CARD), which included descriptions of technical and programmatic features of the program and is intended to serve as the basis for preparing the Program Office Estimate and the Independent Cost Estimate. However, as of August 2017, the CARD had not yet been finalized. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to ensure that updates to the status of risks are consistently documented for CEDCAP's Internet and Mobile Data Collection and Survey (and Listing) Interview Operational Control projects.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In August 2017, the Census Bureau provided risk management documentation, including a risk management plan and risk review board meeting minutes. However, this information did not include updated risk registers that documented risk status for the Census Enterprise Data Collection and Processing (CEDCAP) Internet and Mobile Data Collection and Survey (and Listing) Interview Operational Control projects. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: TTo ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to ensure that CEDCAP's Internet and Mobile Data Collection, Survey (and Listing) Interview Operational Control, and Centralized Operational Analysis and Control projects establish detailed risk mitigation plans on a consistent basis and that the Internet and Mobile Data Collection and Centralized Operational Analysis and Control projects establish trigger events for all relevant risks.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In August 2017, the Census Bureau provided risk management documentation, including a risk management plan and risk review board meeting minutes. However, this documentation did not include detailed risk mitigation plans for risks related to the Census Enterprise Data Collection and Processing (CEDCAP) Internet and Mobile Data Collection, Survey (and Listing) Interview Operational Control, and Centralized Operational Analysis and Control projects. The Bureau's risk management documentation also did not include trigger events for all relevant risks for the Internet and Mobile Data Collection and Centralized Operational Analysis and Control projects. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to define, document, and implement a repeatable process to establish complete alignment between CEDCAP and 2020 Census programs by, for example, maintaining a single dependency schedule.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of a single dependency schedule, including the need to manually identify activities, the inability to be dynamically responsive to change, and a limited ability to ensure that both the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census program are planning and measuring their activities according to the same agreed upon timeframe. However, as of August 2017, the Bureau had not yet established a single dependency schedule to ensure complete alignment between the CEDCAP and 2020 Census programs. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to establish a comprehensive and integrated list of all interdependent risks facing the CEDCAP and 2020 Census programs, and clearly identify roles and responsibilities for managing this list.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of an integrated risk register, including inconsistencies in tracking and managing interdependent risks, redundant efforts to manage risks, and potentially conflicting risk mitigation efforts. As of August 2017, the Census Bureau had not yet developed an integrated risk register for the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census programs or documented the roles for managing it. Instead, Bureau officials stated that they flag risks in the risk register that affect both programs. However, as of August 2017, the Bureau had not provided evidence that relevant risks for both programs are flagged in the risk registers. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to identify when the 74 requirements related to redistricting data program and data products and dissemination will be tested.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In June 2017, Census Bureau officials stated that, as part of the 2018 End-to-End Census Test, program-level integration testing of the requirements related to the redistricting program and the data products and dissemination are planned to occur from April 3, 2018, to August 1, 2018. However, as of August 2017, the Bureau had not provided supporting documentation for its plans for program-level integration testing of the requirements related to the redistricting program and data products and dissemination. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to make developing a better understanding of and identifying requirements related to non-ID response validation a high and immediate priority, or consider alternatives to avoid late definition of such requirements.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In April 2017, the Census Bureau documented high-level milestones related to implementing a fraud detection process in an initial effort to better understand non-ID response validation. However, as of August 2017, the Bureau had not finalized the fraud detection process or documented milestones for implementing the non-ID response validation process. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    2 open recommendations
    Recommendation: To enhance the budget process and to improve transparency, the Commissioner of Internal Revenue, to the extent feasible, should ensure that the CJ includes data by appropriation account on the amount of funding requested to maintain current services for each future state theme.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: As Treasury works with IRS to improve the quality and accuracy of budget data, the Secretary of the Treasury should ensure sufficient controls are in place to make certain that the information technology investment reports generated from the SharePoint Investment Knowledge Exchange are accurate. This includes, for example, taking steps to reduce the need for manual corrections to the data.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD Chief Information Officer (CIO), and other entities, as appropriate, to develop a detailed JIE scope statement that is verified by stakeholders and approved by the Executive Committee.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had made progress in implementing the recommendation. Specifically, the department developed a draft Joint Information Environment (JIE) scope statement that can provide the context and framework for reporting, tracking, and controlling JIE activities. According to written comments on the status of the recommendation provided by the department in July 2017, this scope statement will be presented to the JIE Executive Committee in August 2017 for approval. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to establish a plan for managing, documenting, and communicating scope.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had made progress in implementing the recommendation. Specifically, the department developed a draft JIE scope statement, which documents the scope of JIE and describes how updates to its scope will be periodically reviewed and approved. According to written comments on the status of the recommendation provided by the department in July 2017, the draft will be presented to the JIE Executive Committee in August 2017 for approval. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented the recommendation. According to written comments on the status of the recommendation provided by the department, it developed cost baselines for two components of JIE. However, it did not develop cost estimates for the other JIE components. Specifically, the JIE Executive Committee approved the cost estimate for the Joint Regional Security Stacks in April 2017. In addition, the department's comments stated that the cost baseline for the Mission Partner Environment-Information System (MPE-IS) was included in the MPE-IS Business Case Analysis and presented to the department's Office of Cost Assessment and Program Evaluation in July 2016. We are in the process of reviewing the cost estimates for these components. The department further stated that as solutions for other JIE efforts are established, their cost baselines will be added as appropriate.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the department had not implemented the recommendation. We will continue to monitor the department's efforts to address this recommendation by periodically requesting and evaluating updated information.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not fully implemented this recommendation. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS. In addition, the Executive Committee memo approving this schedule baseline indicated that the Executive Committee planned to review and approve a schedule baseline for the Secure Internet Protocol Router network component of JRSS by the end of fiscal year 2017. However, the department has not demonstrated that it has a schedule management plan or that its schedule was developed consistent with the practices described in our report.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented the recommendation. In its June 2016 written comments on a draft of our report, the department stated that the National Institute of Standards and Technology and the Office of Personnel Management were to publish a coding structure in response to the Federal Cybersecurity Workforce Assessment Act of 2015. DOD stated that this structure would inform steps DOD planned to take to identify the type of personnel and specific skills required to support enterprise operations and services and the government capabilities needed to effectively achieve JIE. However, as of July 2017, the department had not demonstrated that it has taken action to implement our recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department had not implemented the recommendation. We will continue to monitor the department's efforts to address this recommendation by periodically requesting and evaluating updated information.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy and schedule to transition JRSS to the Risk Management Framework, and develop the security plan required by the new framework.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented this recommendation. In January 2017, the Joint Regional Security Stacks (JRSS) program received a six-month provisional Risk Management Framework Authority to Operate. According to a July 2017 update from the department on the status of this recommendation, the JRSS program management office was in the process of requesting another six-month provisional authority to operate. However, the department has not developed a strategy and schedule to complete transition of JRSS to the Risk Management Framework or developed the security plan required by the framework.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense had taken steps to address the recommendation and we are in the process of reviewing documentation the department provided in July 2017 to determine if it sufficiently addresses the recommendation. Specifically, in April 2017, the JRSS program office documented the methodology, ground rules, and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. We are in the process of reviewing the cost estimate documentation and will update this status after completing the review.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of the Department of Homeland Security (DHS) should direct the Director of USCIS to direct the USCIS Chief Information Officer (CIO), in coordination with the DHS CIO and the Chief of the Office of Transformation Coordination (OTC), to review and update, as needed, existing policies and guidance and consider additional controls to complete planning for software releases prior to initiating development and ensure software meets business expectations prior to deployment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, the U.S. Citizenship and Immigration Services (USCIS) within the Department of Homeland Security (DHS) had taken steps to address this recommendation. In particular, in June 2017, USCIS provided an updated policy, dated April 2017, governing planning and deploying software releases. USCIS also demonstrated partial compliance with that policy. For example, it provided some release planning review documentation for recent releases that are required by the updated policy, including readiness review memos for releases 7.2 and 8.1. However, USCIS did not demonstrate that the program responsible for developing the USCIS Electronic Immigration System (USCIS ELIS) was consistently following its updated policy. For example, USCIS did not demonstrate that the program was completing all planning activities prior to initiating development, as called for in its updated policy. Moreover, the agency did not demonstrate compliance with its previous policy for all software releases planned and deployed since our July 2016 report. We will continue to work with USCIS to monitor actions the agency is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to consistently implement the principles of the framework adopted for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases, dated April 2017, along with release planning artifacts specific to USCIS ELIS. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. However, USCIS had not clearly indicated if USCIS ELIS was to implement the practices described in the policy. For example, the updated policy did not require program compliance with the generally accepted agency practices. Moreover, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology or set of development practices. For example, the team process agreements, which describe how members of individual teams will work with each other, did not indicate if developers were to adhere to the practices described in updated USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to define and consistently execute appropriate roles and responsibilities for individuals responsible for development activities consistent with its selected development framework.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in June 2017, USCIS provided updated policy, dated April 2017, governing the development of software releases and release planning artifacts. The updated policy and release documentation defined some roles and responsibilities that were previously only described by USCIS in its informal November 2014 management model, such as the authority and responsibility of a product owner. However, program documentation and policy did not define all of the roles and responsibilities. For example, program documentation and policy did not define the roles and responsibilities of a facilitator, or Scrum Master, which is a position identified in leading practices for software development using Scrum, the development methodology previously identified by the program. In addition, USCIS did not demonstrate that it had defined and committed to an updated development methodology for software releases. Such a defined methodology will impact expectations for the roles and responsibilities in software development. Without such a defined methodology or approach to Agile software development, it is not clear if roles and responsibilities defined by previously documented approach to Agile software development are still applicable for the current development approach. Moreover, documentation associated with program releases and updated policy did not define all of the roles and responsibilities for positions described by USCIS in its May 2017 written response to GAO. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to identify all system users and involve them in release planning activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that the department has addressed this recommendation. In October 2016, DHS provided a written response stating that the USCIS Office of Information Technology and Office of Transformation Coordination were working closely with the various USCIS directorates to obtain and integrate feedback through regular review sessions with the end users and through additional end user testing. However, as of July 2017, DHS and USCIS have not provided new information about the status of this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to write user stories that identify user roles, include estimates of complexity, take no longer than one sprint to complete, and describe business value.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had provided GAO with documentation intended to demonstrate that the agency had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases along with release planning artifacts specific to USCIS ELIS and an Independent Verification and Validation assessment. The agency also provided a series of backlogs that captured user stories for some software releases. In addition, the Independent Verification and Validation assessment indicated that the program was tracking user story quality as part of assessing whether value was continuously discovered and aligned to the mission. However, the assessment report provided to GAO indicated a negative trend for this outcome. Moreover, USCIS policy no longer set expectations regarding user story development. In addition, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology, which is turn impacts the expectations for writing user stories. Finally, backlogs provided by USCIS did not cover all releases in development since our July 2016 report and did not include enough detail to assess all aspects of the user story process (e.g., story size and user involvement). We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to establish outcomes for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in April 2017, USCIS issued updated policy governing software development at the agency. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. This appendix also included a set of ten outcomes associated with using Agile practices at USCIS. For example, outcomes included that value is continuously discovered and aligned to the mission. However, the updated policy did not require program compliance with the practices and principles described in the appendix. Moreover, the agency did not demonstrate that USCIS ELIS had committed to achieving a specific set of outcomes for Agile software development, such as the outcomes described in the USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to monitor program performance and report to appropriate entities through the collection of reliable metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software that called for teams to prepare an Operations Monitoring Plan or dashboard showing the practices, tools, and measures that will monitor applications in production. The agency also provided a series of documents from internal systems and processes intended to monitor performance, such as a product dashboard for analyzing code quality (i.e., SonarQube) and a report from its Independent Verification and Validation team. However, the program was undergoing a re-baseline and had yet to document updated cost, schedule, and performance expectations against which to monitor. Moreover, the agency did not demonstrate that other metrics, such as customer satisfaction and team velocity, were being reliably collected. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to conduct unit and integration, and functional acceptance tests, and code inspection consistent with stated program goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided artifacts from internal systems in place to monitor software development performance. These metrics monitored aspects of testing, such as code quality and code coverage. However, the program did not provide an updated Test and Evaluation Master Plan, which is a document it will produce as part of its ongoing effort to re-baseline. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. Moreover, the agency did not demonstrate that functional acceptance tests were being conducted in accordance with stated program goals. For example, the agency did not provide acceptance criteria or the associated tests demonstrating that user stories passed the defined acceptance criteria. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to develop complete test plans and cases for interoperability and end user testing, as defined in the USCIS Transformation Program Test and Evaluation Master Plan, and document the results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that they had addressed this recommendation. In October 2016, DHS provided a written response indicating that an internal process for revisiting the USCIS ELIS Test and Evaluation Master Plan had been initiated, with participation from all relevant stakeholder groups. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. The letter also stated that USCIS had begun to work on a policy for new interoperability test procedures. Moreover, the letter added that end user testing is a continuing activity, including providing feedback of observed issues into the development queue, with the slow launch of the naturalization capabilities in USCIS ELIS being a model. However, as of July 2017, DHS and USCIS had not provided new information about the status of this recommendation. We will continue to work with DHS and USCIS to obtain additional documentation about actions they are taking to address this recommendation.
    Director: John Neumann
    Phone: (202) 512-3841

    7 open recommendations
    Recommendation: To ensure that USPTO's collaborative efforts on classification help examiners find relevant prior art, USPTO should work with the European Patent Office (EPO) to identify a target level of consistency of Cooperative Patent Classification decisions between USPTO and EPO and develop a plan to monitor consistency to achieve the target.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO has begun ongoing meetings with EPO on quality assurance. USPTO aims to agree to a target level, develop and deploy any needed IT, and begin monitoring and implementing corrective actions by first quarter of 2019.
    Recommendation: To ensure that USPTO is able to take full advantage of its investment in new information technology tools and capabilities, USPTO should develop and periodically update a documented strategy to identify key sources of nonpatent literature for individual technology centers and to assess the optimal means of providing access to these sources, such as including them in USPTO's search system.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO will begin assessing nonpatent literature usage and develop a strategy for optimizing its usage by November 2017.
    Recommendation: To improve its monitoring of prior art searches and provide USPTO the ability to examine and address trends in prior art search quality at the technology center level, USPTO should develop written guidance on what constitutes a thorough prior art search within each technology field (i.e., mechanical, chemical, electrical), technology center, art area, or art unit, as appropriate, and establish goals and indicators for improving prior art searches.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO will establish goals and indicators for prior art searches by December 2017.
    Recommendation: To improve its monitoring of prior art searches and provide USPTO the ability to examine and address trends in prior art search quality at the technology center level, USPTO should ensure that sufficient information is collected in reviews of prior art searches to assess the quality of searches at the technology center level, including how often examiners search for U.S. patents, foreign patents, and nonpatent literature.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO will complete an evaluation of the master review form used to collect information on prior art search by April 2017 and will have performed a sufficient number of reviews by September 2017 to assess search quality at the technology center level.
    Recommendation: To improve its monitoring of prior art searches and provide USPTO the ability to examine and address trends in prior art search quality at the technology center level, USPTO should use the audits and supervisory reviews to monitor the thoroughness of examiners' prior art searches and improvements over time.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO will develop metrics for prior art search quality and processes to incorporate information learned from these metrics by June 2017.
    Recommendation: To ensure that examiners have sufficient time to conduct a thorough prior art search, USPTO should, in conjunction with implementing the recommendation from our patent quality report to analyze the time examiners need to perform a thorough examination, specifically assess the time examiners need to conduct a thorough prior art search for different technologies.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO will complete analyses of examiner's required duties and current time expectancies and determine what, if any, additional time should be given by September 2017.
    Recommendation: To ensure that examiners have the technical competence needed to complete thorough prior art searches, USPTO should assess whether the technical competencies of examiners in each technology center match those necessary; develop strategies to address any gaps identified, such as a technical training strategy; and establish measures to monitor progress toward closing any gaps.

    Agency: Department of Commerce: Patent and Trademark Office
    Status: Open

    Comments: According to the agency's action plan, USPTO will develop assessment tools and plans to address any gaps identified, as well as measure progress towards closing any gaps by December 2017.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to document IRS's process for selecting and prioritizing operations support activities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In its August 2016 statement of actions to address our recommendations, IRS reported that it was documenting the process for selecting and prioritizing all non-Business Systems Modernization activities, and noted that it expects to have draft documentation by September 2016, and finalized documentation no later than April 2017. We will be following-up with the agency to obtain documentation of actions taken to address this recommendation, and will update this status accordingly.
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to establish, document, and implement policies and procedures for selecting new and reselecting ongoing business systems modernization activities, consistent with IRS's process for prioritizing operations support priorities, which addresses (1) prioritization and comparison of IT assets against each other, (2) criteria for making selection and prioritization decisions, and (3) ensuring IRS executives' final funding decisions on IT proposals are based on IRS's prioritization process.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In its August 2016 statement of actions to address our recommendations, IRS highlighted process improvements, which it noted would influence its efforts to address this recommendation. IRS committed to documenting the prioritization policies and procedures for its Business Systems Modernization activities as these new process improvements stabilize. We will be following-up with IRS to obtain documentation of actions taken to address this recommendation, and will update this status accordingly.
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to modify existing processes for Foreign Account Tax Compliance Act (FATCA) and Return Review Program (RRP) for measuring work performed by IRS staff to incorporate best practices, including accounting for actual work performed and using the level of effort measure sparingly.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In its August 2016 statement of actions to address our recommendations, IRS stated it would evaluate the use of a more quantitative measure for work performed and thereby use the level of effort measure sparingly. IRS stated that it would meet with GAO to discuss the results of this evaluation by the end of January 2017. We plan to meet with IRS in the near future to discuss this recommendation, and will update this status accordingly.
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to report on actual costs and scope delivery at least quarterly for the Customer Account Data Engine 2 and the Affordable Care Act Administration. For these investments, IRS should develop metrics similar to FATCA and RRP.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In its August 2016 statement of actions to address our recommendations, IRS stated that the Customer Account Data Engine 2 program management office is currently standing up processes to report on planned versus actual costs and scope delivery on a monthly basis. Additionally, IRS stated that it would consider the approach currently being used by the Foreign Account Tax Compliance Act and Return Review Program investments. The agency stated that development work for the Affordable Care Act Administration investment was minimal, and as a result, application of this recommendation would not be beneficial. We will be following-up with IRS to obtain documentation of actions taken to address this recommendation, and will update this status accordingly.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To improve access to and awareness and applicability of ITS resources for ITS deployment, the Secretary of Transportation should direct the ITS Joint Program Office (JPO), in coordination with the Federal Transit Administration (FTA), to develop a strategy to raise awareness of JPO's training, technical assistance, and knowledge resources for transit ITS deployment in the transit community.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with GAO's recommendation and stated that its Professional Capacity Building Program has two initiatives under development that will raise awareness of existing Intelligent Transportation System knowledge resources. First, the department will develop an overall course catalog that will describe all existing resources offerings. Second, the department will develop a new strategic plan that will utilize information from the updated course catalog as well as internal analyses to determine which new knowledge resources need to be developed to meet the needs of the transit community. As of June 2017, GAO is awaiting the Department's response regarding the status of its efforts to implement this recommendation.
    Recommendation: To improve access to and awareness and applicability of ITS resources for ITS deployment, the Secretary of Transportation should direct the ITS JPO, in coordination with FTA, to include ITS adoption by small urban and rural transit providers in ITS monitoring efforts.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with GAO's recommendation and stated that the Federal Transit Administration is considering the development of a small urban and rural Intelligent Transportation System survey component as part of its 2019 Intelligent Transportation System Deployment Survey. As of June 2017, GAO is awaiting the Department's response regarding the status of its efforts to implement this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    22 open recommendations
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update the CIO's OMB IT Dashboard Standard Operating Procedure to include the evaluation and assessment of active risks. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department agreed with this recommendation and, in a written response, stated that it plans to address this recommendation with the following actions: (1) developing a method to review and assign ratings for active risks that will be incorporated into CIO ratings and (2) integrating the risk rating methodology into a new process for all major investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it is amending its current monthly review process to ensure that risks are factored into its IT Dashboard CIO ratings. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Defense, Education, and Homeland Security; and the Commissioner of the Social Security Administration should direct their CIOs to update their CIO ratings at least as frequently as required in OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) disagreed with this recommendation. In its written response, the Department noted that its semi-annual reporting is consistent with FITARA requirements and is documented in its OMB-approved FITARA Implementation Plan. After the publication of our report in June 2016, OMB issued its "Fiscal Year 2018 IT Budget-Capital Planning Guidance." This guidance removes the mandatory reporting frequency, but states that OMB expects that the CIOs would evaluate and rate their investments at specific times, including when the investment business cases are submitted to OMB in the agency budget request and when the business cases are prepared for the President's Budget release. In light of this new guidance, we analyzed the Department's update frequency for its 34 major investments (as listed on the IT Dashboard in June 2017). From June 2016 through May 2017, we found that 26 of the investments' ratings were updated once: in May 2017. The other 8 investments were not updated during this timeframe. Prior to this, the last DOD rating updates were made in March 2016, over a year beforehand. This analysis shows that DOD is not adhering to either its own semi-annual reporting requirements or to OMB's expectations. As such, we are not closing the recommendation at this time. We will continue to monitor the IT Dashboard for changes to DOD's update frequency. We maintain that frequent rating updates help ensure that the information on the Dashboard is timely and accurately reflects recent changes. Without such updates, the CIO ratings on the IT Dashboard may not reflect the current level of investment risk.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO Enterprise Business Management Office is updating its program assessment guideline. The updated guideline will include risk-based scores as the basis for its investment ratings. The Department expects to release this new guideline by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department agreed with our recommendation and, in a written response, stated that the CIO has revised the IT Dashboard assessment criteria to directly incorporate the degree of risk represented in the investments' Business Case documents. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update its IT Dashboard Standard Operating Procedure to include an active risk sub-criteria comprised of probability and impact scores. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency partially agreed with our recommendation and, in a written response, stated that its CIO rating criteria includes a review of the level of risk facing an investment relative to that investment's ability to accomplish its goals. The written statement also notes that the CIO receives regular updates from key stakeholders on investment risks and mitigation plans. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it plans to require investment managers to assess operational risks detailing the probability and impact of pending threats to success. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The agency disagreed with the recommendation and has not provided an update on its actions to address the recommendation. We will continue to monitor the implementation of this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    16 open recommendations
    including 4 priority recommendations
    Recommendation: The Director of OMB should identify and publish a specific goal associated with its non-provisioned O&M spending measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The agency agreed with the recommendation. In April 2017, OMB indicated that it has been working with agencies on their Strategic Plans and associated performance goals and measures, but that it would be premature to say whether there would be a specific goal on its non-provisioned O&M spending measure. We will continue to monitor the implementation of this recommendation.
    Recommendation: The Director of OMB should commit to a firm date by which its draft guidance on legacy systems will be issued, and subsequently direct agencies to identify legacy systems and/or investments needing to be modernized or replaced.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The agency agreed with the recommendation. In April 2017, OMB stated that it was updating the draft guidance on legacy systems and were unable to provide a date when they would be issuing it. We will continue to monitor the implementation of this recommendation.
    Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

    Agency: Department of Commerce
    Status: Open

    Comments: The agency agreed with the recommendation. In a May 2017 written update, the agency stated that it had updated its Capital Planning and Investment Control handbook with instructions on conducting operational analyses. However, the agency was unable to demonstrate that operational analyses were being completed on an annual basis, as required. We will continue to monitor the implementation of this recommendation.
    Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

    Agency: Department of the Treasury
    Status: Open

    Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to ensure that operational analyses are performed on investments in the operations and maintenance phase. However, the recommendation is intended to address issues at the department level and not just at the IRS. Treasury declined to provide an update at the department level. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The agency agreed with the recommendation and in July 2017 stated that the department has drafted a Legacy Systems Modernization Framework. DHS is waiting for OMB?s draft guidance to be issued to ensure compliance. As a result, they now estimate this will be completed by December 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Agriculture
    Status: Open

    Comments: The agency agreed with the recommendation. As of May 2017, the agency stated that it had taken steps to improve its overall IT governance processes, and in particular, its oversight of legacy systems. These steps included, implementing its FITARA strategy, creating a Cloud Strategy and Policy Office, and two new executive oversight groups. In addition, the agency stated that it planned to complete an IT Modernization Plan in calendar year 2018. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Commerce
    Status: Open

    Comments: The agency agreed with the recommendation. In May 2017, the agency stated that it was continuously assessing its current IT portfolio for opportunities to retire or modernize its mission critical legacy systems. Specifically, Commerce stated that it had identified two candidate systems for modernization--the National Weather Service Telecommunications Gateway and the USPTO Examiner Automated Search Tool. However, it is unclear how these plans will relate to OMB's guidance. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Defense
    Status: Open

    Comments: The agency partially concurred with the recommendation, and stated that it would continue to identify, prioritize, and manage legacy systems that should be modernized or replaced, based on existing DOD policies, using existing department processes, consistent to the extent practicable with OMB's draft guidance. In June 2017, the department stated that its position has not changed; the department believes that no corrective actions are necessary or planned. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Energy
    Status: Open
    Priority recommendation

    Comments: The department partially agreed with the recommendation and in an April 2017 update stated that the department has begun an initiative to migrated corporate business IT systems to cloud service providers. The department added that they were coordinating with their program offices to identify and prioritize other IT systems for migration. The department intends to review any forthcoming OMB guidance, and will consider early implementation of such guidance, as applicable to the department, when the guidance is provided. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency agreed with the recommendation and in a September 2016 written update stated that the office of the CIO is working to identify and plan to modernize or replace IT systems. As of July 2017, the agency had not responded to requests for updates on the implementation of this recommendation. We will continue to monitor this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency agreed with the recommendation and as of May 2017, the agency stated that it was working on finishing its Information Technology Modernization Plan that outlines 5 major applications that it plans to update. However, since OMB had not yet issued its legacy system guidance, it is unknown whether this plan is consistent with OMB's guidance. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Justice
    Status: Open

    Comments: The agency agreed with the recommendation. As of May 2017, the agency stated that it was completing the initial steps of an assessment to provide a qualitative and definitive list of systems which meet criteria for retirement and/or decommission. This assessment is to review the complexity of work per system, and provide a rough order of magnitude cost estimate on a system-by-system basis. Further, VA is in the process of decommissioning the BDN and PAID systems mentioned in our report. The decommissioning of BDN is in the planning stage and the agency estimates the project to cost $100 million to complete. The replacement of PAID has been occurring in incremental phases, but the agency did not provide an estimated date of retirement. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Transportation
    Status: Open

    Comments: The agency agreed with the recommendation and stated that work is underway to identify systems in need of modernization and upgrade. The department anticipated being able to close the recommendation 90 days after OMB issues guidance on legacy systems. Further, in a recent update, the agency stated that it had recently started a project to create an integrated inventory of Transportation's systems. According to the agency, through this project, it has been able to identify duplication and opportunities to create efficiencies. The next phase of this project is a future state diagram and a roadmap to show planned modernizations and possible divestments of legacy systems. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: The agency had no comment on the recommendation. In a June 2017, Treasury provided an update on the IRS's efforts to modernize the IRS's legacy systems. However, the recommendation is intended to address issues at the department level and not just at the IRS. Treasury declined to provide an update at the department level. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: The agency agreed with the recommendation. As of May 2017, the agency stated that it was completing the initial phase of an assessment to provide a qualitative and definitive list of systems which meet criteria for retirement and/or decommission. This assessment will review the complexity of work per system, and provide a rough order of magnitude cost estimate on a system-by-system basis. Further, VA is in the process of decommissioning the BDN and PAID systems mentioned in our report. The decommissioning of BDN is in the planning stage and the agency estimates the project to cost $100 million to complete. The replacement of PAID has been occurring in incremental phases, but the agency did not provide an estimated date of retirement. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: The agency agreed with the recommendation and stated that it plans to work with OMB upon the publication of OMB's guidance to identify opportunities for modernization. In an April 2017 update, the agency stated that it had extended plans to replace the systems mentioned in the report by several years. As of August 2017, the agency stated that it had finalized a new capital planning guide which includes investment review policy to identify opportunities for modernization and away from legacy systems. However, it is too soon to tell if it is in line with OMB's forthcoming guidance. We will continue to monitor the implementation of this recommendation.
    Director: J. Christopher Mihm
    Phone: (202) 512-6806

    1 open recommendations
    Recommendation: To improve the transparency of public reporting on CAP goal progress, the Director of OMB should, working with the PIC, report on Performance.gov the actions that CAP goal teams are taking, or plan to take, to develop performance measures and quarterly targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We reviewed selected CAP goals quarterly performance information on the Performance.Gov website as of Q4 of FY 2016, which updates the status of the CAP goals through September 2016. Some of the selected CAP goals have updated and new performance measures, but it was not clear the extent to which CAP goal teams included information on the actions they are taking to develop such measures, consistent with our recommendation. We contacted OMB in June 2017 on the current status of this recommendation. We will provide an update to its status once OMB responds to our request.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to establish a plan to address the limitations in the program's efforts to test security controls, including ensuring that any changes in the system's inventory do not materially affect test results.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address the limitations we identified in the program's efforts to test security controls. NOAA's plan outlines several actions, and the agency plans to complete these actions by Summer 2017. We will continue to evaluate NOAA's progress in implementing its planned actions.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to, when establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address it. This plan includes multiple actions that are to be completed by the end of July 2017. We will continue to evaluate NOAA's progress.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to ensure that the agency and program are tracking and closing a consistent set of incident response activities.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has made progress in addressing it. Specifically, NOAA developed a pilot of a new incident tracking and reporting system to manage its response activities. NOAA plans to complete additional steps to implement this recommendation. We will continue to evaluate NOAA's progress in addressing this recommendation.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to evaluate the costs and benefits of different launch scenarios for the Polar Follow-on program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with this recommendation and provided some documentation on its efforts to evaluate different launch scenarios. However, the agency has not yet provided all of the documentation needed to confirm that this recommendation has been addressed. We continue to work with NOAA to obtain and review the documentation needed to address this recommendation.
    Director: Diana Maurer
    Phone: (202) 512-9627

    6 open recommendations
    including 6 priority recommendations
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the PIA development process to determine why PIAs were not published prior to using or updating face recognition capabilities, and implement corrective actions to ensure the timely development, updating, and publishing of PIAs before using or making changes to a system.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ officials did not concur with this recommendation, and stated that the FBI has established practices that protect privacy and civil liberties beyond the requirements of the law. DOJ officials stated that it will internally evaluate the PIA process as part of the Department's overall commitment to improving its processes, not in response to our recommendation. In March 2017, we followed up with DOJ to obtain its current position on our recommendation. DOJ continues to believe that its approach in designing the NGI system was sufficient to meet legal privacy requirements and that our recommendation represents a "checkbox approach" to privacy. We disagree with DOJ's characterization of our recommendation. We continue to believe that the timely development and publishing of future PIAs would increase transparency of the department's systems. We recognize the steps the agency took to consider privacy protection during the development of the NGI system. We also stand by our position that notifying the public of these actions is important and provides the public with greater assurance that DOJ components are evaluating risks to privacy when implementing systems. As a result, the recommendation remains open and unimplemented.
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the SORN development process to determine why a SORN was not published that addressed the collection and maintenance of photos accessed and used through NGI for the FBI's face recognition capabilities prior to using NGI-IPS, and implement corrective actions to ensure SORNs are published before systems become operational.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ agreed, in part, with our recommendation and submitted the SORN for publication to the Federal Register on April 21, 2016, and it was published on May 5, 2016. DOJ did not agree that the publication of a SORN is required by law. We disagree with DOJ's interpretation regarding the legal requirements of a SORN. The Privacy Act of 1974 requires that when agencies establish or make changes to a system of records, they must notify the public through a SORN published in the Federal Register. DOJ's comments on our draft report acknowledge that the automated nature of face recognition technology and the sheer number of photos now available for searching raise important privacy and civil liberties considerations. DOJ officials also stated that the FBI's face recognition capabilities do not represent new collection, use, or sharing of personal information. We disagree. We believe that the ability to perform automated searches of millions of photos is fundamentally different in nature and scope than manual review of individual photos, and the potential impact on privacy is equally fundamentally different. By assessing the SORN development process and taking corrective actions to ensure timely development of future SORNs, the public would have a better understanding of how personal information is being used and protected by DOJ components. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Director of the Federal Bureau of Investigation should conduct audits to determine the extent to which users of NGI-IPS and biometric images specialists in FACE Services are conducting face image searches in accordance with Criminal Justice Information Services Division policy requirements.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In March 2017, DOJ provided us with the audit plan the CJIS Audit Unit developed in June 2016 for NGI-IPS users. In addition, DOJ reported that the CJIS Audit Unit began assessing NGI-IPS requirements at participating states in conjunction with its triennial National Identity Services audit and that, as of February 2017, the unit had conducted NGI-IPS audits of four states. Further, DOJ officials said CJIS developed an audit plan of the FACE Services Unit to coincide with the existing triennial FBI internal audit for 2018. However, DOJ did not provide the audit plan for the FACE Services Unit. DOJ officials said the methodology would be the same as the audit plan for NGI-IPS, but that methodology does not describe oversight on use of information obtained from external systems accessed by FACE Services employees. Therefore, we believe DOJ is making progress towards meeting the recommendation, but has not fully implemented our recommendation.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct tests of NGI-IPS to verify that the system is sufficiently accurate for all allowable candidate list sizes, and ensure that the detection and false positive rate used in the tests are identified.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up, as of March 2017, DOJ did not concur with this recommendation. DOJ officials stated that the FBI has performed accuracy testing to validate that the system meets the requirements for the detection rate, which fully satisfies requirements for the investigative lead service provided by NGI-IPS. We disagree with DOJ. A key focus of our recommendation is the need to ensure that NGI-IPS is sufficiently accurate for all allowable candidate list sizes. Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists (between 2 and 50 photos). FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes. According to these officials, a smaller candidate list would likely lower the detection rate because a smaller candidate list may not contain a likely match that would be present in a larger candidate list. However, according to the FBI Information Technology Life Cycle Management Directive, testing needs to confirm the system meets all user requirements. Because the accuracy of NGI-IPS's face recognition searches when returning fewer than 50 photos in a candidate list is unknown, the FBI is limited in understanding whether the results are accurate enough to meet NGI-IPS users' needs. DOJ officials also stated that searches of NGI-IPS produce a gallery of likely candidates to be used as investigative leads, not for positive identification. As a result, according to DOJ officials, NGI-IPS cannot produce false positives and there is no false positive rate for the system. We disagree with DOJ. The detection rate and the false positive rate are both necessary to assess the accuracy of a face recognition system. Generally, face recognition systems can be configured to allow for a greater or lesser number of matches. A greater number of matches would generally increase the detection rate, but would also increase the false positive rate. Similarly, a lesser number of matches would decrease the false positive rate, but would also decrease the detection rate. Reporting a detection rate of 86 percent without reporting the accompanying false positive rate presents an incomplete view of the system's accuracy. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct an operational review of NGI-IPS at least annually that includes an assessment of the accuracy of face recognition searches to determine if it is meeting federal, state, and local law enforcement needs and take actions, as necessary, to improve the system.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: As of March 2017, FBI officials stated they implemented the recommendation by submitting a paper to solicit feedback from users through the Fall 2016 Advisory Policy Board Process. Specifically, officials said the paper requested feedback on whether the face recognition searches of the NGI-IPS are meeting their needs, and input regarding search accuracy. According to FBI officials, no users expressed concern with any aspect of the NGI-IPS meeting their needs, including accuracy. Although FBI's action of providing working groups with a paper presenting GAO's recommendation is a step, the FBI's actions do not fully meet the recommendation. The FBI's paper was presented as informational, and did not result in any formal responses from users. We disagree with the FBI's conclusion that receiving no responses on the informational paper fulfills the operational review recommendation, which includes determining that NGI-IPS is meeting user's needs. As such, we continue to recommend the FBI conduct an operational review of NGI-IPS at least annually.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should take steps to determine whether each external face recognition system used by FACE Services is sufficiently accurate for the FBI's use and whether results from those systems should be used to support FBI investigations.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up in 2017, DOJ officials did not concur with this recommendation and had no plans to implement it. DOJ officials stated that the FBI has no authority to set or enforce accuracy standards of face recognition technology operated by external agencies. In addition, DOJ officials stated that the FBI has implemented multiple layers of manual review that mitigate risks associated with the use of automated face recognition technology. Further, DOJ officials stated there is value in searching all available external databases, regardless of their level of accuracy. We disagree with the DOJ position. We continue to believe that the FBI should assess the quality of the data it is using from state and federal partners. We acknowledge that the FBI cannot and should not set accuracy standards for the face recognition systems used by external partners. We also do not dispute that the use of external face recognition systems by the FACE Services Unit could add value to FBI investigations. However, we disagree with FBI's assertion that no assessment of the quality of the data from state and federal partners is necessary. We also disagree with the DOJ assertion that manual review of automated search results is sufficient. Even with a manual review process, the FBI could miss investigative leads if a partner does not have a sufficiently accurate system. By relying on its external partners' face recognition systems, the FBI is using these systems as a component of its routine operations and is therefore responsible for ensuring the systems will help meet FBI's mission, goals and objectives. The recommendation remains open and unimplemented.
    Director: Randall B. Williamson
    Phone: (202) 512-7114

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To help provide reasonable assurance that VHA achieves its long-term goal of modernizing its claims processing system, the Secretary of Veterans Affairs should direct the Under Secretary for Health to ensure that the agency develops a sound written plan that includes the following elements: (1) a detailed schedule for when VHA intends to complete development and implementation of each major aspect of its new claims processing system; (2) the estimated costs for implementing each major aspect of the system; and (3) the performance goals, measures, and interim milestones that VHA will use to evaluate progress, hold staff accountable for achieving desired results, and report to stakeholders the agency's progress in modernizing its claims processing system.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: As of June 2017, VHA's Office of Community Care is in the process of consolidating VA's community care programs, and as part of this process it plans to transition to a third party administrator for the purposes of claims processing. While an active procurement is underway, VHA still needs to develop a written plan to fully implement this recommendation. VHA's written plan must include details about the schedule, cost estimates, performance goals, and interim milestones associated with transitioning to a third party administrator for the purposes of processing claims for VA community care.
    Director: Heather Krause
    Phone: (202) 512-6806

    5 open recommendations
    Recommendation: To help enhance efforts to expand shared services and improve the management of the Administrative Services Franchise Fund (ASFF), the Secretary of Transportation should direct the FAA Administrator to make pricing information, such as ranges of prices, for the ASFF's lines of business publicly available, as appropriate, to help potential customers and agency decision makers understand prices and different choices of services.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with the recommendation. According to FAA, representatives from FAA's Administrative Services Franchise Fund are serving on the Office of Management and Budget's Shared Services Governance Board--a decision-making body for government-wide shared services initiatives. The Board is working with the General Services Administration's Unified Shared Services Management office on the standardization of publicly available pricing information for the FAA fund and other funds across the government and the forum in which to publish such information. FAA expects to provide an update on how it is addressing this recommendation by November 30, 2017.
    Recommendation: To help enhance efforts to expand shared services and improve the management of the ASFF, the Secretary of Transportation should direct the FAA Administrator to make the ASFF's strategic goals and performance metrics publicly available to help potential customers and agency decision makers understand how the fund is performing on the services provided.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with the recommendation. According to FAA, representatives from FAA's Administrative Services Franchise Fund are serving on the Office of Management and Budget's Shared Services Governance Board--a decision-making body for government-wide shared services initiatives. The Board is working with the General Services Administration's Unified Shared Services Management office on the standardization of performance metrics for shared service providers (including the FAA fund) and the forum on which to publically share such information. FAA expects to provide an update on how it is addressing this recommendation by November 30, 2017.
    Recommendation: To help enhance efforts to expand shared services and improve the management of the Treasury Franchise Fund (TFF), the Secretary of the Treasury should make pricing information, such as ranges of prices, for the Administrative Resource Center Information Technology Services and Shared Services Programs (SSP) lines of business publicly available, as appropriate, to help potential customers and agency decision makers understand prices and different choices of services.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury concurred with the recommendation. In March 2017, GAO contacted Treasury for a status update on how the recommendation is being addressed. We will update the status when the update is received.
    Recommendation: To help enhance efforts to expand shared services and improve the management of the TFF, the Secretary of the Treasury should develop a more complete set of performance metrics for the TFF's SSP line of business to help managers of the SSP line of business, current and potential customers, and agency decision makers monitor and oversee how the fund is performing on the services provided.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury concurred with the recommendation. In March 2017, GAO contacted Treasury for a status update on how the recommendation is being addressed. We will update the status when the update is received.
    Recommendation: To help enhance efforts to expand shared services and improve the management of the TFF, the Secretary of the Treasury should develop an operating reserve policy that documents all existing review processes that relate to management of the TFF's operating reserves. These documented policies should include information on how fund managers are to assess the operating reserves, including guidelines to evaluate, use, and maintain the operating reserves over time.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury concurred with the recommendation. In March 2017, GAO contacted Treasury for a status update on how the recommendation is being addressed. We will update the status when the update is received.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document artifacts that support recommendation closure consistent with SEC policy.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document a comprehensive physical inventory of the systems and applications in the production environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    6 open recommendations
    Recommendation: To ensure that agencies are provided with more complete guidance for contracts for cloud computing services, the Director of OMB should include all ten key practices in future guidance to agencies.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We are following up with OMB on its service level agreement (SLA) guidance to agencies.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretary of Defense should direct the appropriate officials to ensure key practices are fully incorporated for cloud services as the contracts and associated SLAs expire. These efforts should include updating the Department of Defense memorandum on acquiring cloud services and current Defense Acquisition Regulations System to more completely include the key practices.

    Agency: Department of Defense
    Status: Open

    Comments: We are following up with DOD on updating their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We are following up with DHS on the finalization of its service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We are following up with HHS on their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of the Treasury
    Status: Open

    Comments: We are following up with Treasury on their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We are following up with VA on their service level agreement (SLA) guidance.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to define the scope, implementation strategy, and schedule of the agency's overall modernization approach, with related goals and measures for effectively overseeing the effort. At a minimum, the agency should update its IT strategic plan and complete its modernization plan.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with this recommendation, and reported on actions taken to update its IT Modernization Plan such as conducting cross-functional work sessions to establish an actionable implementation roadmap in line with agency priorities. However, as of April 2017, we have not yet obtained evidence that FEMA has fully updated its IT strategic plan and completed its modernization plan to address the weaknesses identified in our report. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to establish time frames for current and future IT workforce planning during its modernization efforts and ensure all regions and offices are included in these initiatives.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement our recommendation. For example, the department stated that FEMA completed the assessment of skills gap and identified and prioritized the skills required to staff and sustain the core competencies required to successfully implement FEMA's IT modernization efforts. However, we have not yet validated the agency actions to establish time frames for current and future IT workforce planning during its modernization efforts. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement complete program plans that define overall budget and schedule, key deliverables and milestones, assumptions and constraints, description and assignment of roles and responsibilities, staffing and training plans, and an approach for maintaining these plans.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with our recommendation and in response updated its program management plans that support the program offices of the Disaster Assistance Improvement Plan, Emergency Management Mission Integrated Environment, and Integrated Public Alert and Warning System. The program plans addressed some of the weaknesses we identified in our report. For example, the program management plans identified and described the overall program management processes and methods to be used during all phases of projects and defined key deliverables and milestones, roles and responsibilities, staffing and training and an approach for maintaining the plans. However, the plans did not clearly define the knowledge and skills needed to carry out the program or provide sufficient details on the budget and scheduling for the programs under review. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a system integration plan that include all systems to be integrated with the system, roles and responsibilities for all relevant participants, the sequence and schedule for every integration step, and how integration problems are to be documented and resolved.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement our recommendation. For example, the department reported that the system owner for DAIP, EMMIE, and IPAWS programs have updated their respective system integration plans to address the risks identified within the recommendation. In addition, the agency provided documentation such as the IPAWS Integrated Logistics Support Plan, as well as the quality control plan, and test execution plans for both the DAIP and EMMIE programs. However, we have not yet completed our analysis and validated the agency actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: As part of the effort of improving IT management at the three programs, the FEMA Administrator should direct the CIO to ensure that FEMA policy for managing IT programs includes guidance for implementing the key management practices.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation. In its November 2016 update, FEMA reported that the System Owner for DAIP, EMMIE, and IPAWS have updated their respective IT management program and plans and coordinated with the FEMA CIO to address the risks identified within the recommendation. However, we have not yet validated the agency actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David J. Wise
    Phone: (202) 512-2834

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To enhance the agency's ability to effectively respond in the event of a real-world vehicle cyberattack, the Secretary of Transportation should direct NHTSA to work expeditiously to finish defining and then to document the agency's roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems, including how NHTSA would coordinate with other federal agencies and stakeholders involved in the response.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: As of May 2017, DOT had taken steps to address our recommendation, defining NHTSA's roles and responsibilities to address cybersecurity incidents that involve automotive safety critical systems under its existing processes and authorities. NHTSA also recognized the need to coordinate with other entities, including other federal agencies. However, NHTSA expects that it will need to update and improve its response and coordination plan based on new learning, experience, executive orders, and federal guidance. In addition, NHTSA plans to conduct a pilot program in fiscal year 2018 to determine whether adjustments to its current processes need to be made in light of the Department of Homeland Security's National Cyber Incident Response Plan.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to define procedures for overseeing state-based marketplaces, to include day-to-day activities of the relevant offices and staff.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency concurred with the recommendation and stated that it plans to implement it. Subsequent to the agency informing us that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to require continuous monitoring of the privacy and security controls over state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency concurred with the recommendation and stated that it plans to implement it. Subsequent to the agency informing us that it has taken action, we plan to verify whether implementation has occurred.
    Director: Steve D. Morris
    Phone: (202) 512-3841

    6 open recommendations
    Recommendation: To strengthen USDA's ability to better manage and monitor the progress of the Blueprint, including efforts to streamline and improve administrative services, the Secretary of Agriculture should direct the Assistant Secretary for Administration to develop a complete list identifying all of the Blueprint efforts under way and document key information needed to monitor their progress, such as status of implementation, time frames for completion, and related performance measures.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of March 2017, we have requested an update from the coordinator for USDA's Blueprint for Stronger Service on USDA's actions, if any, to implement this recommendation.
    Recommendation: To strengthen USDA's ability to better manage and monitor the progress of the Blueprint, including efforts to streamline and improve administrative services, the Secretary of Agriculture should direct the Assistant Secretary for Administration to reexamine the adequacy of the staff and budget resources committed to the day-to-day management of the Blueprint, and further leverage existing departmental resources as needed.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of March 2017, we have requested an update from the coordinator for USDA's Blueprint for Stronger Service on USDA's actions, if any, to implement this recommendation.
    Recommendation: To improve USDA's efforts to identify and track the benefits of the Blueprint, the Secretary of Agriculture should direct the Assistant Secretary for Administration to document the methodologies used to calculate any savings claimed for the Blueprint effort to ensure any such estimate is based on quality information.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of March 2017, we have requested an update from the coordinator for USDA's Blueprint for Stronger Service on USDA's actions, if any, to implement this recommendation.
    Recommendation: To improve USDA's efforts to identify and track the benefits of the Blueprint, the Secretary of Agriculture should direct the Chief Financial Officer to develop a cost-effective method, using existing data systems, to collect and track USDA's spending on administrative services to identify baseline spending and target areas for future cost savings.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of March 2017, we have requested an update from the coordinator for USDA's Blueprint for Stronger Service on USDA's actions, if any, to implement this recommendation.
    Recommendation: To improve USDA's efforts to identify and track the benefits of the Blueprint, the Secretary of Agriculture should direct the Assistant Secretary for Administration to systematically identify and track nonfinancial benefits from USDA's Blueprint efforts to better gauge the Blueprint's progress and more fully report its results.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of March 2017, we have requested an update from the coordinator for USDA's Blueprint for Stronger Service on USDA's actions, if any, to implement this recommendation.
    Recommendation: To enhance USDA's efforts to share lessons learned from the Blueprint, the Secretary of Agriculture should direct the Assistant Secretary for Administration to maintain and promote existing web-based collaboration tools, including keeping information in these tools current, for agencies and staff offices to report their experiences and lessons learned from their Blueprint efforts to help strengthen internal information sharing and inform future efforts.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of March 2017, we have requested an update from the coordinator for USDA's Blueprint for Stronger Service on USDA's actions, if any, to implement this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    26 open recommendations
    including 1 priority recommendation
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that it's Office of the Chief Information Officer (OCIO) was actively engaging with the department's Operating Administrations and was reconciling its original cost savings and avoidance targets to develop and update a yearly calculation as part of Transportation's multi-year strategy to consolidate and optimize its data centers. The department added that periodic updates would be provided to OCIO leadership and the CIO Council, with reconciled cost savings and avoidance targets for fiscal years 2017 and 2018 expected to be updated by September 30, 2016. However, as of July 2017, Transportation has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidances targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the department's progress in implementing this recommendation and update accordingly.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation, and has taken initial steps to implement it. In June 2016, the department stated in correspondence to GAO that it was in the process of reviewing pending guidance on the Office of Management and Budget's Data Center Optimization Initiative (DCOI). The department further stated that once the DCOI guidance was issued, the department would update its targets and finalize a plan to more adequately address cost savings and avoidance targets for fiscal years 2016 through 2018. However, as of July 2017, the department has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidances targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, EPA stated in correspondence to GAO that it planned to establish a single data center within each of several specific geographical areas. For each data center selected for retention, the agency stated that it planned to make upgrades to address any potential capacity or performance issues, but noted that the specific plans for each data center slated for consolidation were under development. EPA stated that the resulting total cost savings were under assessment and had not yet been determined. However, as of July 2017, EPA has not updated its Data Center Optimization Strategic plan to include planned cost and savings and avoidances targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: National Science Foundation
    Status: Open

    Comments: The National Science Foundation has not yet taken steps to implement our recommendation. As of July 2017, National Science Foundation has not updated its Data Center Optimization Strategic plan to included planned cost and savings and avoidances targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration agreed with our recommendation, but has not yet taken steps to implement it. As of July 2017, the Small Business Administration has not updated its Data Center Optimization Strategic plan to included planned cost and savings and avoidances targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that its Office of the Chief Information Officer (OCIO) developed a scorecard to track progress for each of the data center optimization areas. According the department's scorecard, the department reported meeting 3 of 10 optimization targets, but did not meet the remaining 7 targets. DHS's OCIO noted that they would update this scorecard quarterly in alignment with Federal Data Center Consolidation Initiative data collection. DHS's OCIO expected to complete implementation of this recommendation by November 30, 2016. However, as of July 2017, DHS reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture generally agreed with our recommendation, and has taken initial steps to implement it. Specifically, as of July 2017, the department reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets one (server virtualization) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the department also reports that it does not yet meet the remaining four targets (server utilization and monitoring, energy metering, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the department stated in correspondence to GAO that it will work with its bureaus to develop and publish an annual strategic plan. The strategic plan will, among other things, describe a list of specific planned actions to improve data center optimization progress. For example, the department stated that, to increase facility utilization, the Bureau of Economic Analysis is co-locating computing resources within the Census Bureau's Bowie Computer Center. Further, Census planned to market the Bowie Computer Center as an opportunity for government-wide co-location. In addition, the department stated that the National Oceanic and Atmospheric Administration is building greater network capacity to National Weather Service forecast offices and will aim to reduce the number of local systems at forecast offices that are currently considered data centers (122 in total). However, as of July 2017, the Department of Commerce reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) agreed with our recommendation, and has taken initial steps to implement it. In June 2016, the department stated in correspondence to GAO that it is considering several actions to improve optimization progress in the areas that we reported as not meeting the Office of Management and Budget's (OMB) established targets. For example, DOD stated that it is moving toward on-premises and off-premises commercial cloud hosting services to enable migration of workloads to more efficient environments intended to improve the virtualization and density metrics. Further, the department stated that its Chief Information Officer is working directly with the services to reconcile the instances of multiple Installation Processing Nodes on individual bases, posts, camps, and stations. DOD also stated that all of these actions will enable the closure of additional data centers, increase efficiencies in all categories, and drive greater savings. However, as of July 2017, the Department of Defense reports on the OMB IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy (Energy) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, Energy stated in correspondence to GAO that it had established an enterprise-wide Data Center Working Group that is chartered to identify best practices in data center metering, optimization, consolidation and cloud migration (and to support these practices throughout the department). According to Energy, this working group is intended to serve as a focus group for communicating information related to the Federal Information Technology Acquisition Reform Act (FITARA), departmental strategy and implementation, and the Office of Management and Budget (OMB) requirements for data centers, as well as to provide summary data center performance status to all members. However, as of July 2017, Energy reports on OMB's IT Dashboard that it does not yet met any of the five data center optimization metric targets that OMB currently requires agencies to report against. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: The Department of Housing and Urban Development (HUD) agreed with our recommendation, and has taken steps to implement it. In May 2016, the department stated in correspondence to GAO that its ability to attain the Office of Management and Budget's (OMB) established target value for the three remaining optimization metrics would require the department to further consolidate data center resources and migrate from contractor-owned and operated data centers to multi-tenant, shared data centers. The department further stated that this effort would be accomplished under the HUD Enterprise and Architecture Transition initiative that was restructuring infrastructure services and was targeting data center migrations to be completed by July 2017. The department also stated that it expected to be able to provide fiscal year 2017 optimization metrics data that met or exceeded OMB's target values by February 2018. However, as of July 2017, the department states that, due to data center migration dependencies on two smaller infrastructure transition projects, the data center migration project schedule is delayed until the first quarter of fiscal year 2018. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the department stated in correspondence to GAO that it would work to improve the data center optimization metrics that did not meet the Office of Management and Budget's (OMB) established targets. The department further stated that it expected to have a more detailed approach available through a Data Center Strategy, which was expected before the end of fiscal year 2016 . However, as of July 2017, the department reports on OMB's IT Dashboard that it meets only one (power usage efficiency) of the five data center optimization metric targets OMB currently requires agencies to report against. The department further reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, and data center facility space). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the agency stated in correspondence to GAO that it was in the process of transitioning to a new data center. While undergoing this transition, the agency stated that it was working to optimize its new data center and will have the capability to report on the Office of Management and Budget's optimization targets once the transition is complete. The agency expected to complete these steps by September 2016. As of July 2017, SSA reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets three (energy metering, data center facility space and power usage efficiency) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, SSA reports that it does not meet the remaining two targets (related to server utilization and monitoring, and server virtualization). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior (Interior) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that its Office of the Chief Information Officer (OCIO) was developing data center optimization metrics to measure bureau and office progress in meeting optimization targets. The department added that these metrics would become part of the 2016 OCIO Organizational Assessment, a scorecard used to measure bureau and office progress against predefined targets. However, as of July 2017, Interior reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice (Justice) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, Justice stated in correspondence to GAO that it was developing plans to migrate the remaining non-core data centers to the department's three Core Enterprise Facilities (CEFs) and/or commercial cloud services by the end of fiscal year 2019. The department added that, as these migrations occur, its data center footprint and facility utilization should continue to improve and the percentage of servers and operating systems residing in the CEFs should significantly exceed federal data center consolidation targets. Justice also stated that it engaged with external representatives to perform an energy efficiency assessment at its core enterprise facility in Virginia, which resulted in significant improvements at the data center and improved the overall power usage efficiency across the department's core data centers. However, as of July 2017, Justice reported on the Office of Management and Budget's (OMB) IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, Transportation stated in correspondence to GAO that it centralized its data center consolidation efforts in fiscal year 2015 and, in early fiscal year 2016, completed reconciliation of its actual and planned data centers closures, as well as related performance data. The department also stated that it planned to continue towards measuring and making improvements to meet the Office of Management and Budget's (OMB) data center optimization performance metric targets. Transportation noted that periodic updates provided to its Office of the Chief Information Officer leadership and the Chief Information Officer Council would identify challenges in meeting the Office of Management and Budget's optimization metric targets. However, as of July 2017, Transportation reports on OMB's IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor (Labor) agreed with this recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that it had closed 23 percent of its data centers and, by the end of 2019, the department plans to close 61 percent of its data centers. Further, Labor stated that it has made significant progress in the development of a fully virtualized common operating environment. According to the department, these efforts are designed to improve optimization metrics performance. However, as of July 2017, the department reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet met any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) generally agreed with our recommendation, and has taken initial steps to implement it. However, as of July 2017, Treasury reports on the Office of Management and Budget's (OMB's) IT Dashboard that it does not met any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: The Department of Veterans Affairs (VA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the department stated in correspondence to GAO that it had not yet taken action to improve optimization progress in the areas that we reported as having weaknesses. Specifically, the department stated that the Office of Management and Budget (OMB) was in the process of changing the fiscal year 2016 through 2018 closure targets and data center optimization metrics under the Federal Information Technology Acquisition Reform Act, which it planned to complete by the end of July 2016. Upon receipt of the targets, VA stated that it needed to assess the impact on strategies already under way, which it planned to complete by mid-fiscal year 2017. As of July 2017, the department reports on OMB's IT Dashboard that it meets only one (power usage efficiency) of the five data center optimization metric targets that OMB currently requires agencies to report against. In addition, the department reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, and data center facility space). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation, and has taken initial steps to implement it. In June 2016, the department stated in correspondence to GAO that it planned to follow the Office of Management and Budget's (OMB) guidance on optimizing data centers and would take action to improve the defined areas that Data Center Optimization Initiative identifies. Specifically, as of July 2017, the department reports on OMB's IT Dashboard that it meets only one (power usage efficiency) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the department reported that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, and data center facility space). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the agency stated in correspondence to GAO that it had directed data center stakeholders to place an emphasis on virtualizing physical servers and moving server-based applications to the cloud or a core data center. The agency added that the estimated increase for each optimization metric would be determined after data consolidation plans were finalized. As of July 2017, EPA reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets three (energy metering, server virtualization, and power usage efficiency) of the five data center optimization metric targets OMB currently requires agencies to report against. However, EPA reports that it does not yet met the remaining two targets (related to server utilization and monitoring, and data center facility space). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the agency stated in correspondence to GAO that it had developed an action plan to improve optimization progress. For example, GSA's action plan stated that the agency planned to create a new inventory of their data centers in order to establish a baseline to help in planning for data center closures, as well as collecting more accurate data for cost saving calculations. The agency also planned to create a new and better cost saving model and noted that it planned to refresh the cost model semi-annually. Finally, GSA intended to improve the required metrics set forth by the Office of Management and Budget (OMB) by eliminating physical machines and increasing virtualization whenever possible. As of July 2017, GSA reports on OMB's IT Dashboard that it meets one (server utilization and monitoring) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, GSA reports that it does not meet the remaining four targets (related to energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, NASA stated in correspondence to GAO that it planned to develop improvement strategies for each deficient metric and hold meetings with all of the data center owners to explain the improvement strategies and further educate the data center owners on how to create efficiencies. NASA added that the anticipated completion for this is July 2017. However, as of July 2017, NASA reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission (NRC) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, NRC stated in correspondence to GAO that it was pursuing development of a hybrid data center that will allow many data center functions to be performed in the cloud, allowing for more optimization, including the ability to better meet optimization targets (including those related to both cost savings and optimization) established by the Office of Management and Budget (OMB) through the Data Center Optimization Initiative. As of July 2017, NRC reports on OMB's IT Dashboard that it meets one (server virtualization) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the agency reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management (OPM) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, OPM stated in correspondence to GAO that it was committed to meeting the targets associated with the agency's data center optimization efforts. The agency added that challenges would be addressed as plans evolved to meet current targets and within current funding. As of July 2017, OPM reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets only one (server virtualization) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the agency reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation and update accordingly.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development (USAID) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, USAID stated in correspondence to GAO that it was planning to take action to improve progress in the remaining two areas that we reported as not meeting the Office of Management and Budget's (OMB) optimization targets, including addressing any identifying challenges. The agency noted that its target completion date for implementing our recommendation was February 2017. However, as of July 2017, USAID reports on OMB's IT Dashboard that it does not yet meet the server utilization and monitoring metric target, which is the only metric applicable to USAID. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    11 open recommendations
    Recommendation: To ensure that the HRIT investment receives necessary oversight and attention, the Secretary of Homeland Security should direct the Under Secretary of Management to ensure that the HRIT executive steering committee is consistently involved in overseeing and advising HRIT, including approving key program management documents, such as HRIT's operational plan, schedule, and planned cost estimate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS provided documentation demonstrating that the HRIT executive steering committee is consistently involved in overseeing and advising HRIT in response to our recommendation. DHS also provided documentation demonstrating that the Executive Steering Committee approved HRIT's operational plan for fiscal years 2016-2018. However, DHS still needs to demonstrate that the HRIT ESC has approved the schedule and cost estimate for HRIT.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to update and maintain a schedule estimate for when DHS plans to implement each of the strategic improvement opportunities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to HRIT officials, in response to our recommendation, DHS has developed an implementation plan, including a schedule estimate, for addressing HRIT's strategic improvement opportunities. We will continue to follow-up with them for documentation of this implementation plan.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to develop a complete life-cycle cost estimate for the implementation of HRIT.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS prepared an independent cost estimate for the HRIT investment. When developing this estimate, the cost estimators made many assumptions about HRIT's strategic improvement opportunities that had not yet been defined, such as the scope and the preliminary acquisition strategies for each. We will continue to follow-up with DHS for supporting documentation for this estimate in order to better understand it.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to document and track all costs, including components' costs, associated with HRIT.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with the recommendation and is working to implement it. While DHS provided certain cost tracking information for HRIT, this information was incomplete and did not demonstrate ongoing tracking of all costs. We will continue to follow-up with DHS to obtain additional documentation.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to update and maintain the department's human resources system inventory.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS provided its updated human resources systems inventory that it developed in response to our recommendation. According to officials, the list is reviewed and updated on an annual basis or as-needed when a system is deployed or retired. We will continue to monitor this recommendation to ensure that DHS is maintaining this inventory.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to establish a time frame for deciding whether PALMS will be fully deployed at the Federal Emergency Management Agency (FEMA) and the U.S. Coast Guard (USCG), and determine an alternative approach if the learning and/or performance management capabilities of PALMS are deemed not feasible for the U.S. Immigration and Customs Enforcement, FEMA, the Transportation Security Administration, or USCG.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials stated that PALMS will not be fully deployed at FEMA, USCG, ICE, or TSA. The officials stated that future Human Resources Information Technology (HRIT) programs will include enhancing learning management and performance management capabilities. Officials stated that the details related to these efforts are to be discussed in the HRIT strategic improvement opportunity implementation plan. We will continue to follow-up with DHS for documentation of this plan.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to develop a comprehensive life-cycle cost estimate, including all government and contractor costs, for the PALMS program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials stated that the PALMS program will move into an operations and maintenance phase once the PALMS learning management capabilities are deployed to U.S. Secret Service. As such, DHS does not plan to develop an updated life-cycle cost estimate (LCCE) for PALMS. We will continue to follow-up with DHS for documentation of PALMS's actual costs, including government costs.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to develop and maintain a single comprehensive schedule that includes all government and contractor activities, and includes all planned deployment milestones related to performance management.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, the PALMS program office updated its integrated master schedule. However, this schedule has not been appropriately maintained. We will continue to follow-up with DHS officials on this recommendation.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to track and monitor all costs associated with the PALMS program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with the recommendation and is working to implement it. DHS provided certain cost tracking information for PALMS, but this information did not include government costs or certain past PALMS costs, such as 2017 costs for the Federal Law Enforcement Training Centers' ongoing use of PALMS. We will continue to follow-up with DHS officials on this recommendation.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to document PALMS's progress and milestone reviews, including all issues and corrective actions discussed.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS is documenting certain PALMS progress reviews. We have requested documentation related to U.S. Secret Service's deployment of PALMS, to determine whether the Service conducted and documented a milestone review prior to deploying the system.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to establish a comprehensive risk log that maintains an aggregation of all up-to-date risks (including both government- and vendor-identified)and associated mitigation plans. Additionally, within the comprehensive risk log, the PALMS program office should (1) identify and document planned completion dates for each risk mitigation step (where appropriate), and (2) prioritize the risks by determining each risk's relative priority and overall risk level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS updated its PALMS risk register. However, this register was not comprehensive. We will continue to follow-up with DHS officials on this recommendation.
    Director: John Neumann
    Phone: (202) 512-3841

    1 open recommendations
    Recommendation: To better ensure that the activities carried out under the ITM program do not duplicate the efforts of other federal loan guarantee programs, such as SBA's 7(a) program, the Secretary of Commerce should direct EDA to work with SBA and NIST to further identify any gaps in capital access that may be present that the program could fill, and then develop marketing materials and conduct outreach to help target those gaps.

    Agency: Department of Commerce
    Status: Open

    Comments: Partially addressed. As of November 2016 the Economic Development Administration (EDA) had begun taking action on GAO's February 2016 recommendation to work with SBA and NIST to identify gaps in capital access and develop marketing materials and conduct outreach based on any gaps identified for the Federal Loan Guarantees for Innovative Technologies in Manufacturing program (ITM). Due to delays in establishing the program, however, these efforts are still in progress. According to EDA officials, as of November 28, 2016 EDA contractors working on the ITM program had held a preliminary discussion with SBA to discuss program marketing, outreach and potential gaps in capital access that the ITM program may be able to fill, among other topics, but had not yet initiated additional coordination with NIST. We continue to believe that coordination with SBA and NIST to identify gaps in capital access, and then marketing the program to target those gaps could help EDA ensure that ITM program activities do not duplicate the efforts of other federal loan guarantee programs.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that it is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and Encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 17. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any output/results (findings) from the ongoing studies DHS has related to SCADA and Encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed, refined, and were baselining a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures as an addition to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for update on the status of data correlation, once available. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to establish schedules and milestones for completing a version of an IT strategic plan that incorporates elements to align the plan's strategies with agency-wide priorities; includes results-oriented goals and performance measures that support the agency's mission, along with targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; identifies key IT initiatives that support the agency's goals; and describes interdependencies among the initiatives.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Director: Timothy M. Persons
    Phone: (202) 512-6412

    2 open recommendations
    Recommendation: To help ensure that biosurveillance-related funding is directed to programs that can demonstrate their intended capabilities, and to help ensure sufficient information is known about the current Gen-2 system to make informed cost-benefit decisions about possible upgrades and enhancements to the system, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs and other relevant officials within the Department to not pursue upgrades or enhancements to the current BioWatch system until the Office of Health Affairs (OHA): (1) establishes technical performance requirements, including limits of detection, necessary for a biodetection system to meet a clearly defined operational objective for the BioWatch program by detecting attacks of defined types and sizes with specified probabilities; (2) assesses the Gen-2 system against these performance requirements to reliably establish its capabilities; and (3) produces a full accounting of statistical and other uncertainties and limitations in what is known about the system's capability to meet its operational objectives.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help reduce the risk of acquiring immature detection technologies, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs, in coordination with the Under Secretary for Science and Technology, to use the best practices outlined in this report to inform test and evaluation actions for any future upgrades or changes to technology for BioWatch.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: William Shear
    Phone: (202) 512-8678

    6 open recommendations
    including 1 priority recommendation
    Recommendation: To improve management of the Small Business Administration and to ensure that SBA assesses the effectiveness of its programs, the SBA Administrator should prioritize resources to conduct additional program evaluations.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to ensure that SBA fully meets GPRAMA requirements, the SBA Administrator should use the results of additional evaluations it conducts in its strategic planning process and ensure the agency's next strategic plan includes required information on program evaluations, including a schedule of future evaluations.

    Agency: Small Business Administration
    Status: Open
    Priority recommendation

    Comments: SBA officials stated that, as of October 2016, the agency had taken several steps to prioritize resources and establish an implementation plan for future evaluations, including hiring its first lead program evaluator to develop a long-term evaluation agenda and initiating four program evaluations. They stated that once completed, the evaluations would be incorporated into the agency's fiscal year 2018-2022 strategic plan. As of May 2017, SBA had started reviewing guidance on drafting this plan, which is due in February 2018.
    Recommendation: To improve management of the Small Business Administration and to improve SBA's human capital management, the SBA Administrator should incorporate into its next training plan key principles such as goals and measures for its training programs and input on employee development goals.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to ensure that SBA's organizational structure helps the agency meet its mission, the SBA Administrator should document the assessment of the agency's organizational structure, including any necessary changes to, for example, better ensure areas of authority, responsibility, and lines of reporting are clear and defined.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to improve SBA's program and management guidance, the SBA Administrator should set time frames for periodically reviewing and updating its SOPs as appropriate.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to help ensure that SBA's IT operations and maintenance investments are continuing to meet business and customer needs and the agency's strategic goals, the SBA Administrator should direct the appropriate officials to perform an annual operational analysis on all SBA investments in accordance with OMB guidance.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Timothy J. DiNapoli
    Phone: (202) 512-4841

    13 open recommendations
    including 6 priority recommendations
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to conduct a comprehensive analysis of Army IT services spending to determine the extent to which requirements can be addressed by Computer Hardware, Enterprise Software and Solutions (CHESS) or other strategic sourcing approaches, and based on this analysis, consider opportunities to reduce duplicative contracts.

    Agency: Department of Defense: Department of the Army
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to implement utilization metrics and mandatory use or consideration policies.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to develop guidance and overarching goals and metrics for savings.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to conduct a review of the benefits and disadvantages of standardized labor categories for CHESS or future contracts.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Navy, the Secretary of the Navy should direct its strategic sourcing accountable official to conduct a comprehensive analysis of IT services spending to determine the extent to which requirements can be addressed by the existing contracts or other strategic sourcing approaches and based on this analysis, reduce duplicative contracts.

    Agency: Department of Defense: Department of the Navy
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Navy, the Secretary of the Navy should direct its strategic sourcing accountable official to implement utilization metrics and monitor agency efforts to comply with the Navy's existing use policies for IT services.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable to conduct a comprehensive analysis of IT services spending to determine the extent to which requirements can be addressed by Network-Centric Solutions (NETCENTS) or other strategic sourcing approaches, and based on this analysis, reduce duplicative contracts.

    Agency: Department of Defense: Department of the Air Force
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our three recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable to implement utilization metrics.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable to develop guidance and overarching goals and metrics for savings.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable to conduct a review of the benefits and disadvantages of standardized labor categories for primary strategic sourcing vehicles such as NETCENTS.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within NASA, the Administrator of NASA should direct its strategic sourcing accountable official to use its 2014 spend analysis to determine the extent to which requirements can be addressed by the IT Infrastructure Integration Program or other strategic sourcing approaches, and based on this analysis, reduce duplicative contracts.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA agreed with this recommendation. To fully implement it, NASA needs to successfully implement its planned actions, including (1) implement new strategic sourcing policies in the NASA federal acquisition regulation supplement, (2) revise the 2014 spend analysis by December 14, 2017, and (3) require strategic sourcing of IT services by December 2018 for services such as mobile communications, telecommunications, cloud computing, and seat management.
    Recommendation: To improve efforts to strategically source IT services within NASA, the Administrator of NASA should direct its strategic sourcing accountable official to implement utilization metrics and mandatory use policies.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA partially agreed with this recommendation. Specifically, NASA agreed to establish metrics, but sought to employ mandatory consideration policies, where applicable, instead of mandatory use policies. We agreed that the proposed approach would meet the intent of our recommendation. To fully implement this recommendation, NASA needs to successfully implement its planned actions, including (1) revising the NASA strategic sourcing guide to include establishment of utilization metrics, and (2) issuing updated strategic sourcing policies in the NASA federal acquisition regulation supplement to include mandatory use policies.
    Recommendation: To improve efforts to strategically source IT services within NASA, the Administrator of NASA should direct its strategic sourcing accountable official to develop guidance and overarching goals and metrics for savings.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA agreed with this recommendation. To fully implement this recommendation, NASA needs to successfully implement its planned actions, including (1) issuing updated strategic sourcing policies in the NASA federal acquisition regulation supplement, (2) updating its strategic sourcing website, and (3) updating the NASA strategic sourcing guide to include the setting of goals or baselines as a method of evaluating the strategic sourcing approach.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To improve the oversight of states' marketplace IT projects, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that all CMS senior executives from IT and business units who are involved in the establishment of state marketplace IT projects review and approve funding decisions for these projects.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In 2015, Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) concurred with the recommendation. The department, in its agency comments, stated that it already included senior executives in its funding decisions for these projects. However, as noted in our report, CMS did not provide evidence that key senior executives from CCIIO, CMCS, and OTS were involved in various funding decisions associated with the states' IT projects. For example, CMS did not demonstrate that senior-level executives from all relevant business and IT units were involved in the initial approval of grant awards or the release of restricted IT funds from marketplace grants as states progressed with their projects. In addition, CMS did not provide evidence of senior executive involvement in the approval of Medicaid funds for marketplace IT projects. Furthermore, as of March 10, 2017, CMS still had not provided evidence that it had taken such actions to support the implementation of this recommendation. By ensuring such executive involvement, CMS would increase accountability for decisions to fund states' IT projects and ensure that these decisions are well informed in order to make efficient use of federal funds.
    Recommendation: To improve the oversight of states' marketplace IT projects, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that states have completed all testing of marketplace system functions prior to releasing them into operation.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In 2015, Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) concurred with the recommendation. The department noted that it would continue to follow its guidelines to determine if state marketplace system functions are ready for release. The department added that it would work closely with state-based marketplaces to improve their systems and verify that system requirements are met and fully tested before approving them for release into production. While CMS drafted guidance to update its process in June 2016, which required states to submit certain testing reports and supporting documentation, as of March 10, 2017, the agency had not provided evidence that it had determined that state systems had been sufficiently tested for release into operations.
    Director: David Powner
    Phone: (202) 512-9286

    17 open recommendations
    Recommendation: To better ensure that agencies' IT savings are being reinvested in the most efficient and effective manner possible, the Director of OMB should direct the Federal CIO to ensure that agencies complete their reinvestment plans, in accordance with established requirements, and maintain those plans on an ongoing basis.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has taken initial steps to implement, our recommendation. In May 2016, OMB released updated guidance for agency's quarterly data submissions that noted the importance of providing savings reinvestment information. Specifically, OMB strongly encouraged agencies to provide reinvestment information where feasible, including a description of the activities that were funded using any savings achieved. OMB further noted that failing to provide such information might result in an agency being unable to accurately track its reinvestments. However, the May 2016 guidance notes that providing this reinvestment information is not required. As of May 2017, OMB had not yet updated its guidance for agencies quarterly data submissions to require reinvestment information. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To better ensure that agencies' IT savings are being reinvested in the most efficient and effective manner possible, the Director of OMB should direct the Federal CIO to require agencies to track actual reinvestment performance and define performance targets for agencies' reinvestments, as done previously.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, OMB had not issued additional guidance to require agencies to track actual reinvestment performance or defined performance targets for agencies' reinvestments. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Agriculture should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department reported about $25 million in cost savings and avoidances related to its data center consolidation efforts, but did not include plans regarding how these savings would be reinvested. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, as part of any future update to the department's information resource management strategic plan or equivalent document, the Secretary of Commerce should direct the CIO to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department had not updated its IT Resource Management Strategic plan to include the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Commerce should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department reported about $26 million in cost savings and avoidances related to its server virtualization efforts, but did not include plans regarding how these savings would be reinvested. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Defense should direct the Defense CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense partially agreed with our recommendation and has taken initial steps to implement it. Specifically, as of May 2017, the department reported approximately $331.4 million in data center consolidation cost savings in its quarterly integrated data collection submission to the Office of Management and Budget. Although the department's submission notes that it plans to reinvest these savings in the agency's core mission, it did not provide any further detail regarding these reinvestment plans. In addition, the department did not report any information technology cost savings and avoidance initiatives related to its business system modernization efforts, which it had previously reported to GAO as an area with substantial savings. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: In addition, to improve the U.S. Army Corps of Engineers' IT savings reinvestment plans, the Secretary of Defense should direct the Secretary of the Army, as part of any future update to the U.S. Army Corps of Engineers' IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The U.S. Army Corps of Engineers agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the agency had not yet updated its Information Resources Management Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Health and Human Services should direct the CIO, as part of any future update to the department's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) agreed with, and has taken initial steps to implement, our recommendation. Specifically, in November 2015, the department stated that its Office of the Chief Information Officer will include reinvestment strategies in its next update of the HHS Information Resource Management Strategic Plan. According to the department, the updated strategic plan was expected to be completed by the end of September 2016. However, as of May 2017, the agency had not yet updated its Information Resources Management Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Homeland Security should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department did not include reinvestment plans for two cost avoidances strategies related to the Office of Management and Budget's PortfolioStat initiative that have resulted approximately $96 million in cost avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Housing and Urban Development should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: The Department of Housing and Urban Development agreed with, and has taken initial steps to implement, our recommendation. Specifically, as of May 2017, the department updated its integrated data collection submission to include reinvestment plans for one of the seven cost savings and avoidance initiatives reported. However, the six remaining initiatives, with savings and avoidances totaling approximately $6 million, did not include reinvestment plans. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's tracking of reinvestments, the Secretary of Labor should direct the CIO to use existing governance mechanisms and any improvements resulting from the implementation of FITARA to improve tracking of how savings have been reinvested.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has taken initial steps to implement our recommendation. As of November 2015, the department stated that it was planning improvements in the area of information technology (IT) investment management in accordance with the Office of Management and Budget's June 2015 guidance for implementing the December 2014 IT reform law (commonly referred to as the Federal Information Technology Acquisition Reform Act or FITARA). The department added that these improvements would include the tracking of how savings have been reinvested. Subsequently, in May 2016, the department finalized its FITARA Implementation Plan. While the implementation plan discusses planned actions to improve the Chief Information Officer's involvement in agency IT budget requests, acquisition requests, and program management, it did not specifically discuss planned actions to improve the tracking of how information technology savings have been reinvested. In addition, as of May 2017, the department had not documented any FITARA implementation milestones that discussed making improvements in the tracking of how savings are reinvested. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of State should direct the CIO, as part of any future update to the department's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not yet taken steps to implement our recommendation. Specifically, as of May 2017, the agency had not yet updated its Information Technology Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of the Treasury should direct the CIO, as part of any future update to the department's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2017, the agency had not yet updated its Information Resources Management Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of the Treasury should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to use any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2017, the department's integrated data collection submission did not include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department reported about $1.07 billion in cost savings and avoidances from its information technology infrastructure efficiency initiatives, but did not provide information regarding how it plans to reinvest these savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Veterans Affairs should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs agreed with, and has taken initial steps to implement, our recommendation. Specifically, in November 2015, the department's Chief of Staff stated that the Office of Information and Technology was working to establish an office to closely monitor program performance, schedule, return on investment, and total cost of ownership, which will enable reinvestment opportunities. However, as of May 2017, the department's integrated data collection submission did not include reinvestment plans for all of the reported cost savings and avoidance initiatives. For example, the department reported about $177 million in cost savings and avoidances from the renegotiation of an enterprise agreement for software licenses, but did not provide information regarding how it plans to reinvest these savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the agency's IT savings reinvestment plans, the Administrator of the Environmental Protection Agency should direct the CIO to ensure that the agency's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the agency's integrated data collection submission did not include reinvestment plans for all of the reported cost savings and avoidance initiatives. For example, the agency reported about $3 million in cost savings and avoidances related to two shared services initiatives, but did not provide information regarding how it plans to reinvest these savings and avoidances. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To improve the agency's IT savings reinvestment plans, the Director of the Office of Personnel Management should direct the CIO, as part of any future update to the agency's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management (OPM) agreed with our recommendation, but has not yet taken action to implement it. Specifically, in November 2015, OPM's Acting Director stated that information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) would be included in future updates to OPM's Strategic IT Plan. However, as of May 2017, the agency had not yet updated its strategic plan to include this information. We will continue to evaluate the OPM's progress in implementing this recommendation.
    Director: Brenda S. Farrell
    Phone: (202) 512-3604

    3 open recommendations
    including 3 priority recommendations
    Recommendation: To provide decision makers with appropriate and more complete information on the continuing implementation, management, and oversight of the DHA, the Secretary of Defense should direct the Assistant Secretary of Defense (Health Affairs) to develop a comprehensive requirements assessment process that accounts for needed future skills through the consideration of potential organizational changes and helps ensure appropriate consideration of workforce composition through the determination of the final status of military personnel within the DHA.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of April 2017, DOD has taken some steps to implement this action. According to an April 2017 letter from the Acting Principal Deputy Assistant Secretary of Defense (Health Affairs), DOD has established processes and procedures to create an overall personnel management process which are documented in a draft Administrative Instruction estimated to be finalized and published by July 31, 2017.
    Recommendation: To provide decision makers with appropriate and more complete information on the continuing implementation, management, and oversight of the DHA, the Secretary of Defense should direct the Assistant Secretary of Defense (Health Affairs) to develop a plan for reassessing and revalidating personnel requirements as the missions and needs of the DHA evolve over time.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of April 2017, DOD has taken some steps to implement this action. According to an April 2017 letter from the Acting Principal Deputy Assistant Secretary of Defense (Health Affairs), DOD has established processes and procedures to create an overall personnel management process which are documented in a draft Administrative Instruction estimated to be finalized and published by July 31, 2017.
    Recommendation: To provide decision makers with appropriate and more complete information on the continuing implementation, management, and oversight of the DHA, the Secretary of Defense should direct the Assistant Secretary of Defense (Health Affairs) to determine the future of the Public Health and Medical Education and Training shared services by either identifying common functions to consolidate to achieve cost savings or by developing a justification for the transfer of these functions from the military services to the DHA that is not premised on cost savings.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of April 2017, DOD has taken some steps to implement this action. According to an April 2017 letter from the Acting Principal Deputy Assistant Secretary of Defense (Health Affairs), DOD has changed the designation of its Public Health function from a shared service to a division. This change recognizes the distinction that we previously highlighted between a shared service, or the consolidation of functions previously performed by the military services, and a transfer of functions from the military services to the DHA. The letter states that DOD is in the process of assessing business case analyses for various efficiency efforts, with one proposal estimated to save $613 million over three years. DOD has not taken similar action with regard to its Medical Education and Training shared service. As we previously reported in our prior update, while DOD cites future cost savings in its modeling and simulation and online learning product lines, we reported in 2014 that these initiatives overlap with the DHA's Contracting and Procurement and Information Technology shared services. For example, while cost savings for Modeling and Simulation are allocated to the Medical Education and Training Directorate, implementation costs are to be incurred by the Contracting and Procurement shared service. This recommendation will remain open until DOD either identifies common functions to consolidate within Medical Education and Training to achieve cost savings or develops a justification for the transfer of these functions from the military services to the DHA that is not premised on cost savings.
    Director: Michael Courts
    Phone: (202) 512-8980

    2 open recommendations
    Recommendation: To further improve State's processing of nonimmigrant visas, the Secretary of State should evaluate the relative impact of efforts undertaken to reduce nonimmigrant visa interview wait times to help managers make informed future resource decisions.

    Agency: Department of State
    Status: Open

    Comments: According to State officials, State's Bureau of Consular Affairs (CA) is committed to putting procedures in place that will provide all of the necessary management information to assess the relative impact of process improvement efforts. State officials said that CA has expanded collection of detailed nonimmigrant visa productivity data from posts that account for nearly 65 percent of the worldwide NIV workload. That data will provide a basis for future analysis of the impact of process or program changes on adjudicator productivity. State, however, has not completed an evaluation of the relative impact of their efforts.
    Recommendation: To further improve State's processing of nonimmigrant visas, the Secretary of State should document a plan for obtaining end user (i.e., consular officers) input to help improve end user satisfaction and prioritize enhancements to information technology systems.

    Agency: Department of State
    Status: Open

    Comments: State informed GAO that it has taken some steps to gather additional end-user input, such as centrally tracking and then prioritizing input and expanding the use of Agile development methodology that will permit more frequent updates of software that end users desire. State, however, has not provided evidence of a documented plan for obtaining end user input to help improve end user satisfaction and prioritize enhancements to information technology systems.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    5 open recommendations
    including 1 priority recommendation
    Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to develop an updated plan for VBMS that includes (1) a schedule for when VBA intends to complete development and implementation of the system, including capabilities that fully support disability claims, pension claims, and appeals processing and (2) the estimated cost to complete development and implementation of the system.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: The Department of Veterans Affairs (VA) concurred with our recommendation calling for an updated plan for the Veterans Benefits Management System. However, as of June 2017, the department had not developed a plan that included a schedule for when the Veterans Benefits Administration intends to complete development and implementation of the system, as well as the estimated cost of doing so. We will continue to monitor VA's actions in response to this recommendation.
    Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to establish goals for system response time and use the goals as a basis for periodically reporting actual system performance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs (VA) concurred with this recommendation and reported that the Veterans Benefits Management System (VBMS) program office has developed draft metrics for performance of the system. Specifically, VA stated that the office has established key performance indicators as a basis for monitoring the response times of the most commonly executed user transactions (or work events) within VBMS. According to the department, these indicators have been incorporated into the application's continuous monitoring tools for all service level agreements and these agreements are enforced by the VA Service Level Management Board. Nevertheless, as of June 2017, VA had not identified its goals for VBMS response times, nor had the department reported actual system response times. We will continue to monitor VA's actions toward addressing this recommendation.
    Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to reduce the incidence of high- and medium-priority level defects that are present at the time of future VBMS releases.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs (VA) concurred with this recommendation and, in June 2017, reiterated its plans and procedures for decreasing the incidences of defects in each system release. However, the incidences of high- and medium-priority level defects at the time of recent VBMS releases (i.e., releases 10.1 and 11.0) had increased relative to the number of defects present at the time of the earlier release (i.e., release 8.1) that we described in our report. We will continue to monitor VA's actions and progress in response to this recommendation.
    Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to develop and administer a statistically valid survey of VBMS users to determine the effectiveness of steps taken to make improvements in users' satisfaction.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs (VA) concurred with this recommendation and in January 2017, conducted a survey of VBMS users that was sent to over 16,000 claims processors at each of its 56 regional offices. Although 52 percent of respondents indicated that they were very satisfied or satisfied with VBMS, the department received only about 2500 responses to the survey for a 15 percent response rate. This low response rate raises concern about whether the survey results are statistically valid. We have requested additional information from VA to determine any actions the department has taken to ensure the statistical validity of its survey results and will assess any information that is provided.
    Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to establish goals that define customer satisfaction with VBMS and report on actual performance toward achieving the goals based on the results of GAO's survey of VBMS users and any future surveys VA conducts.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs (VA) concurred with this recommendation and conducted a survey of VBMS users in January 2017. However, as of June 2017, the department had yet to develop customer satisfaction goals for VBMS that would provide users with an expectation of the system response times they should anticipate, and management with an indication of how well the system is performing relative to performance goals.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: The EPA Administrator should direct OGD to develop a timetable with milestones and identify and allocate resources for adopting electronic records management for all 10 regional offices.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts ongoing. According to EPA officials, the Office of Grants and Debarment established an agency-wide electronic grants record workgroup in FY 16 Q1. The workgroup identified the contents of the electronic grant file, technical options and evaluation criteria. OGD has initiated an alternatives analysis and expects to present the results of that analysis to the Grants Management Council in FY 17 Q1. Once the GMC selects the technical approach, the Agency will identify available funding for implementation through the budget process.
    Recommendation: The EPA Administrator should direct OGD to implement plans for adopting an up-to-date and comprehensive IT system by 2017 that will provide accurate and timely data on agencywide compliance with grants management directives.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts ongoing. According to EPA officials, OGD is already underway with a multi-modular project to upgrade the agency's grants management IT system (IGMS). Module 2 of 3 is on schedule for deployment in FY17 Q1. The final Module is on schedule for deployment, in early FY18. OGD will incorporate in the project performance tracking of priority directives in accordance with the policy framework of the new Grants Management Plan.
    Recommendation: Until the new IT system is implemented, the EPA Administrator should direct OGD to develop ways to more effectively use existing web-based tools to better monitor agencywide compliance with grants management directives.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts ongoing. According to EPA officials, OGD has already developed the capability to provide managers cumulative annual baseline monitoring data. Further capabilities of web-based tools, namely the replacement of OGD's primary tool Quik Reports, are on schedule for deployment in FY17 Q1. This effort combined with updates to the Grants Datamart will provide valuable long term enhancements for the Agency's grant reporting needs.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    4 open recommendations
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should ensure related goals are defined to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) and the Department of Veterans Affairs (VA) are working to define goals to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems. Specifically, according to the DOD/VA Interagency Program Office (IPO), the office, in conjunction with the departments, has employed use cases in the Joint Interoperability Plan to define the interoperability-related goal areas, which are to be used as the basis for the development of outcome-oriented metrics, assessments, and reporting. The departments, the IPO, and workgroups within the Health Executive Committee's data sharing areas have focused on the feasibility and development of metrics aligned to six use cases as they relate to electronic health record interoperability between DOD and VA and outcomes to service members, veterans, and healthcare providers. The IPO reports that the work to establish these goals will be completed by December 2017. GAO will continue to review the results of these efforts.
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should ensure related goals are defined to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs (VA) and the Department of Defense (DOD) are working to define goals to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems. Specifically, according to the DOD/VA Interagency Program Office (IPO), the office, in conjunction with the departments, has employed use cases in the Joint Interoperability Plan to define the interoperability-related goal areas, which are to be used as the basis for the development of outcome-oriented metrics, assessments, and reporting. The departments, the IPO, and workgroups within the Health Executive Committee's data sharing areas have focused on the feasibility and development of metrics aligned to six use cases as they relate to electronic health record interoperability between VA and DOD and outcomes to service members, veterans, and healthcare providers. The IPO reports that the work to establish these goals will be completed by December 2017. GAO will continue to review the results of these efforts.
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should update IPO guidance to reflect the metrics and goals identified.

    Agency: Department of Defense
    Status: Open

    Comments: According to the Department of Defense (DOD)/Department of Veterans Affairs (VA) Interagency Program Office (IPO), the office has issued an update to the Health Data Interoperability Management Plan that documents the IPO's role and outlines governance for supporting interoperability between the departments. The IPO is also in the process of updating additional guidance to describe the benefits of interoperability and reflect associated outcome-oriented metrics and goals. Specifically, IPO officials reported that the IPO's Joint Interoperability Plan is transitioning to the Joint Interoperability Strategic Plan and is expected to be finalized in November 2017. GAO will review this guidance once it is approved by DOD and VA.
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should update IPO guidance to reflect the metrics and goals identified.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: According to the Department of Defense (DOD)/Department of Veterans Affairs (VA) Interagency Program Office (IPO), the office has issued an update to the Health Data Interoperability Management Plan that documents the IPO's role and outlines governance for supporting interoperability between the departments. The IPO is also in the process of updating additional guidance to describe the benefits of interoperability and reflect associated outcome-oriented metrics and goals. Specifically, IPO officials reported that the IPO's Joint Interoperability Plan is transitioning to the Joint Interoperability Strategic Plan and is expected to be finalized in November 2017. GAO will review this guidance once it is approved by VA and DOD.
    Director: Brian J. Lepore
    Phone: (202) 512-4523

    1 open recommendations
    Recommendation: In order to improve the comprehensiveness and accuracy of certain data submitted by the military services to OSD and reported in the Energy Reports--such as potentially underreported data on mitigation costs and inaccurate data on both disruptions' duration and cost--the Secretary of Defense should direct the Secretaries of Army, Navy, and Air Force, the Commandant of the Marine Corps, and the Assistant Secretary of Defense for Energy, Installations and Environment to work together to improve the effectiveness of data validation steps in DOD's process for collecting and reporting utilities disruption data. For example, the military services and OSD could determine whether more time in the 5-month process should be devoted to data validation and whether equal priority should be given to validating all types of data included in the Energy Reports.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with the recommendation to improve the effectiveness of data validation steps in DOD's process for collecting and reporting utilities disruption data. In a memo from April 2016, DOD stated that it determined that focusing on the minimization of data input errors at the installation level was the most effective strategy to improve the effectiveness of data validation. Further, resolving initial input errors was determined to be the least resource and cost intensive approach to improve data quality. Therefore, DOD updated its data collection template for utility disruptions to include a dropdown menu so that users can use it to select the category of utility service that was disrupted. In addition, DOD stated that it expects to continue to work with the services and Defense Agencies in the next reporting cycle for the Annual Energy Management Report to improve the effectiveness of data validation steps.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    1 open recommendations
    Recommendation: To help ensure that the department can better achieve business process reengineering and enterprise architecture outcomes and benefits, the Secretary of Defense should utilize the results of our portfolio manager survey to determine additional actions that can improve the department's management of its business process reengineering and enterprise architecture activities.

    Agency: Department of Defense
    Status: Open

    Comments: DOD developed a plan, using the results of our survey, to improve the department's management of its business process reengineering and enterprise architecture activities; however, key milestones have not yet been completed. Specifically, in January 2017, the department issued a business enterprise architecture (BEA) improvement plan. The plan was intended to address BEA usability and deficiencies in information supporting the investment management process. As part of the plan, the department identified opportunities to address the results of our survey. For example, according to the plan, our survey results were utilized to identify opportunities for improving management and integration of existing enterprise business processes and investments; assessing duplication early in the analysis phase and finding process and capability reuse across the department; and providing a federated BEA information environment and capabilities to discover and exchange information from other sources. The plan included delivering three major capabilities. As of September 2017, the Office of the Deputy Chief Management Officer stated that the delivery dates for the three capabilities were as follows: Business Capability Acquisition Cycle content ingest and investment reviews by June 2018; process and system reviews within and across domains by June 2018; and development and integration of functional strategies by December 2018. Further, the office stated that dates were subject to a contract being awarded. We will continue to monitor the department's efforts to implement the recommendation.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To ensure consistent implementation and documentation of actions relating to interagency agreements, the Secretary of Veterans Affairs should ensure that planned training on interagency agreements reaches the full range of program and contracting officials, particularly those who only occasionally award interagency agreements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with this recommendation, and developed training based on the revised policy on interagency agreements issued in October 2016. GAO requested information in June 2017 on how VA will ensure this training reaches the full range of program and contracting officials, but as of September 2017 we have not yet received these details.
    Director: Lawrance Evans
    Phone: (202) 512-8678

    4 open recommendations
    Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

    Agency: Congress
    Status: Open

    Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of October 2016, Congress had not granted NCUA such authority.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In September 2015, OCC stated that it is taking two actions to respond to our recommendation. First, the agency is integrating the Cybersecurity Assessment Tool (Tool), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations. Officials believe that the Tool will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, the Tool will help OCC allocate examiner resources and better target examiner training. OCC began integrating the Tool in selected examinations in December 2015. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the enhancements will facilitate systemic categorization of supervisory concerns that strengthen recording, monitoring, and analyzing of volumes and trends across bank portfolios. Also, the enhanced guidance discusses the relationship between MRAs, interagency ratings, OCC's risk assessment system, and enforcement actions. OCC believes that these process enhancements combined with the integration of the Tool, will improve its ability to assess information security practices at medium and small institutions. We will continue to monitor OCC's progress in implementing the Tool and the resulting trend analyses that the Tool is intended to facilitate.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Federal Reserve System
    Status: Open

    Comments: In July 2015, we recommended that the Board of Governors of the Federal Reserve System (Board) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. As of October 2016, the Board had not provided an update on its efforts to address this recommendation.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: National Credit Union Administration
    Status: Open

    Comments: In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In July 2016, NCUA told us that it and the other federal financial institution regulators issued the Cybersecurity Assessment Tool (Tool) in June 2015 to provide a comprehensive method for institutions to benchmark their cybersecurity programs. Officials believe that the Tool will allow examiners to consistently and methodically look at credit union risks and trends, as well as collect detailed information on the risks and mitigating controls employed by credit unions. When the Tool is fully implemented, officials expect to be able to aggregate risk indicators and program gaps across the credit union industry to improve resource deployment and enhance cybersecurity supervisory oversight. NCUA plans to begin pilot testing the Tool in late 2016 with program integration targeted for July 2017. We will continue to monitor NCUA's progress with this program and revisit our recommendation in July 2017.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Chairman of FCC should evaluate the effectiveness of FCC's accessibility-related public outreach efforts and ensure those efforts incorporate key practices identified in this report, such as defining objectives and establishing process and outcome metrics.

    Agency: Federal Communications Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to establish and implement an improvement plan to guide the agency in adopting recognized best practices and following agency policy.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA developed a Strategic IT Roadmap to assist the agency's business and IT leadership in prioritizing IT investments. In addition, FSA stated that it will develop and document a comprehensive improvement plan that is to delineate tactical steps, timelines, and performance metrics to track incremental progress in adopting recognized best practices and program management capabilities. We will continue to monitor the agency's progress in documenting and implementing its improvement plan.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in developing and managing system requirements before proceeding with any further system development to deliver previously envisioned MIDAS functionality. Specifically, the Administrator should ensure that requirements are complete, unambiguous, and prioritized; commitment to requirements is obtained through a formal requirements baseline; differences (or gaps) between the requirements and capabilities of the intended solution (including commercial off-the-shelf solutions) are analyzed; strategies to address any gaps are developed; and requirements are traced forward and backward among development products.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA reported that it will improve the rigor and adherence to requirements management processes for all IT projects, utilizing processes and tools that will support the integrity of the requirements throughout the lifecycle, to ensure that requirements are complete, formally baselined, gaps are analyzed, and fully traceable forward and backward. FSA also noted that it is pursuing an enhanced, more comprehensive governance structure that will further support its commitment to increasing rigor and adherence to defined requirements management processes. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in planning and monitoring projects. Specifically, the Administrator should ensure that project plans include predefined expectations for cost, schedule, and deliverables before proceeding with any further system development; updates to the project plan are made through change control processes; and progress against the project plan, including work performed by contractors, is monitored.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA noted that it began an initiative to improve the agency's use of capital planning guidance from the Office of Management and Budget and would prepare corrective action plans to address identified weaknesses in fiscal year 2016. FSA also noted that it was conducting a series of training classes on capital planning and IT project management across the agency, developing a risk management program, and strengthening the use of earned value management. We will continue to monitor the agency's progress on its project planning efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in system testing. Specifically, the Administrator should establish well-defined test plans before proceeding with any further system development, and ensure that testing of (a) individual system components, (b) the integration of system components, and (c) the end-to-end system are conducted.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that going forward the agency will adhere to recognized best practices and agency policy in pursuing consistent or increased rigor around system testing. The agency noted that it plans to demonstrate that its testing capabilities are consistent and repeatable across all FSA IT projects. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in executive-level IT governance before proceeding with any further system development. Specifically, an executive-level governance board should (1) review and approve a comprehensive business case that includes a life cycle cost estimate, a cost-benefit analysis, and an analysis of alternatives for proposed solutions that are to provide former MIDAS requirements prior to their implementation; (2) ensure that any programs that are to accommodate former MIDAS requirements are fully implementing the IT program management disciplines and practices identified in this report; (3) conduct a post-implementation review and document lessons learned for the MIDAS investment; and (4) reassess the viability of the MIDAS technical solution before investing in further modernization technologies.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that, as part of its organizational transformation efforts, the CIO is evaluating its governance structure and updating the charter for the agency-wide IT investment review board with the support of the agency's Executive Leadership Council. FSA also noted that it will adhere to the department's governance framework and processes. We will continue to monitor the agency's implementation of these efforts and how they address our recommendation.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    4 open recommendations
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to, in planned supplemental planning guidance to be developed, identify actions beyond the minimum standards that components should take to enhance their insider-threat programs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to evaluate and document the extent to which current assessments provide a continuing analysis of gaps for all DOD components; report to Congress on the results of this evaluation; and direct that the overall results of these self- and independent assessments be reviewed by the Office of the Under Secretary of Defense for Intelligence.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to provide DOD components supplemental guidance that directs them to incorporate risk assessments into their insider-threat programs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should identify an insider-threat program office to support the Under Secretary of Defense for Intelligence's responsibilities in managing and overseeing DOD and components' insider-threat programs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    27 open recommendations
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not yet implemented this recommendation. In response to our report, the department said it planned to address the recommendation by the second quarter of fiscal year 2016. However, as of August 2017, it had not demonstrated that it had done so. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not yet implemented this recommendation. In response to our report, the department said it planned to address the recommendation by the second quarter of fiscal year 2016. However, as of August 2017, it had not demonstrated that it had done so. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not yet implemented this recommendation. In response to our report, the department said it planned to address the recommendation by the second quarter of fiscal year 2016. However, as of August 2017, it had not demonstrated that it had done so. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Defense should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not implemented this recommendation. In July 2016, the department reported that it does not maintain a single, centralized device-level inventory and, instead, the military departments track and manage their own devices and contracted wireless services as separate enterprises. However, as we stated in our report, the inventory need not be generated centrally at the headquarters level; the department can compile a comprehensive inventory using its components' complete inventories. We will continue to monitor the department's efforts to address this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Defense should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not implemented this recommendation. The department updated its mobile services contract inventory in August 2015; however, as of August 2017, the department had not demonstrated that it has maintained the inventory. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Health and Human Services should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not implemented this recommendation. In April 2016, an audit liaison in the Office of the Chief Information Officer reported that each component maintains processes and procedures for device management. However, as of August 2017, the department had not provided evidence that components have established procedures that address the elements of our recommendation. We will continue to monitor the department's implementation of this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has taken steps to implement this recommendation. Specifically, it developed inventories for the two components we reviewed. The department also reported that it had identified all components' devices. However, as of August 2017, it had not provided evidence that all the components had an inventory of unique devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has taken steps to implement the recommendation, but more needs to be done. Specifically, in May 2017, the department developed an enterprise-wide inventory of mobile service contracts; however, the department has not demonstrated that it has maintained the inventory quarterly. We will continue to monitor the department's efforts to fully implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has not implemented the recommendation. In August 2017, a Program Management Specialist in the Office of the Chief Information Office described steps the department was taking as it considers a follow-on to its department-wide blanket purchase agreement for wireless expense management services. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Interior should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior has not implemented this recommendation. As of May 2017, the department was in the process of migrating its cellular service contracts to the General Services Administration's federal wireless strategic sourcing initiative blanket purchase agreement as its agency-wide solution for mobile devices and services. According to the department, the initiative requires awardee(s) and orderers to conduct a complete inventory of devices and legacy service contracts as they transition to the blanket purchase agreement. According to the department's transition plan, the transition is to be complete by February 2018. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Interior should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior has not implemented this recommendation. As of May 2017, the department was in the process of migrating its cellular service contracts to the General Services Administration's federal wireless strategic sourcing initiative blanket purchase agreement as its agency-wide solution for mobile devices and services. According to the department, the initiative requires awardee(s) and orderers to conduct a complete inventory of devices and legacy service contracts as they transition to the blanket purchase agreement. According to the department's transition plan, the transition is to be complete by February 2018. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Attorney General should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has taken steps to implement this recommendation. Specifically, in response to our findings, the department's Chief Information Officer issued a memo that required components to establish procedures for regular reviews of invoices for wireless services to identify unused and underused devices or services, as well as any over-usage charges to service plans. However, as of August 2017, the department had not demonstrated that its components had implemented the requirements. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not yet implemented this recommendation. In July 2017, the department stated that it planned to transition its mobile devices and services to the General Services Administration's Federal Strategic Sourcing Initiative. However, the department has not addressed developing an inventory of mobile devices and services. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure a reliable department-wide inventory of mobile service contracts is maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not implemented this recommendation. In July 2017, the department stated that it plans to transition its mobile devices and services to the General Services Administration's Federal Strategic Sourcing Initiative. However, the department has not addressed developing an inventory of mobile service contracts. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not yet implemented this recommendation. In July 2017, the department stated that it was in the process of implementing a Telecommunications Expense Management System to provide visibility into mobile spending, asset management, usage, and tracking. However, the department has not provided evidence that it has established procedures that address the elements of our recommendation . We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Transportation should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation has not yet demonstrated that it has implemented our recommendation. Specifically, as of August 2017, neither of the two components we reviewed in May 2015 had addressed the weaknesses we identified in their procedures. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Treasury should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet implemented this recommendation. In May 2016, the Department of the Treasury stated that it had performed data calls to collect data on mobile device inventories across the department. However, as of August 2017, the department had not demonstrated that it had established a department-wide inventory of mobile devices and services. We will monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Veterans Affairs should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs has not yet implemented this recommendation. The department stated that its Office of Information and Technology drafted documentation for the development and implementation of a system to manage spending on mobile devices and services. However, the solution had not been funded. The department stated that a target date for addressing the recommendation is December 2017, conditional upon available funds.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the Environmental Protection Agency should ensure a complete inventory of mobile devices and associated services is established.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency had taken steps to implement this recommendation. Specifically, it reported that it had conducted a management review and identified improvements to ensure that the agency has a complete inventory of mobile devices and services. However, as of August 2017, it had not demonstrated that it had established a complete inventory. We will continue to monitor the agency's progress.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the Environmental Protection Agency should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency has not yet implemented this recommendation. The agency stated that program offices receive quarterly mobile device usage reports and are requested to review them. However, as of August 2017, the agency had not provided documented procedures that address the elements of our recommendation.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure a complete inventory of mobile devices and associated services is established.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has not yet implemented the recommendation. In August 2017, officials from NASA's Office of the Chief Information Officer stated that the agency plans to address the recommendation through a strategic sourcing approach the agency is developing and estimates implementing in fiscal year 2018. The officials stated that the agency expects to fully address the recommendation by December 2018.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure a reliable inventory of mobile service contracts is developed and maintained.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics Administration (NASA) has not yet implemented the recommendation. In August 2017, officials from NASA's Office of the Chief Information Officer stated that the agency plans to address the recommendation through a strategic sourcing approach the agency is developing and estimates implementing in fiscal year 2018. The officials stated that the agency expects to fully address the recommendation by March 2019.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has not implemented the recommendation. In August 2017, officials from NASA's Office of the Chief Information Officer stated that the agency plans to address the recommendation through an Enterprise Mobility Service Contract that it plans to fully transition to by July 2019. The officials stated that the contract will allow the agency to monitor and optimize usage.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Commissioner of the Social Security Administration should ensure a complete inventory of mobile devices and associated services is established.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) described steps it was taking to address our recommendation. Specifically, the agency stated that it had deployed and is operating a Mobile Expense Management System that will be used to maintain an enterprise-wide inventory of mobile devices and associated services once all the agency's mobile service contracts/accounts have been successfully consolidated onto one of the agency's blanket purchasing agreements. SSA expected to complete this consolidation in the September to October 2016 timeframe. However, as of August 2017, the agency had not demonstrated that it had implemented the recommendation. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Commissioner of the Social Security Administration should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) described steps it was taking to address this recommendation. Specifically, the agency stated that representatives from various agency components were working to develop and document the policies, guidelines, processes, and procedures to effectively implement an enterprise model for mobile provisioning and management. SSA expects to complete this effort in fiscal year 2017. As of August 2017, the agency had not demonstrated that it had addressed the recommendation. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Treasury should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet implemented this recommendation. In May 2016, the department stated that it had awarded two contracts to facilitate mobile device management, and had advised its bureaus to track, analyze, and manage mobile device use and cost in accordance with GAO guidance at their level until migration to the department-wide contracts has been completed. However, as of August 2017, the department had not demonstrated that it had established department-wide procedures to monitor and control spending on mobile devices and services. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To better enable OMB to oversee agency efforts to consolidate mobile telecommunications contracts, the Director should measure and report progress in achieving its goal of cost savings through consolidation, as described in the 2012 Digital Government Strategy.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: As of August 2017, the Office of Management and Budget (OMB) had made progress in implementing this recommendation by requiring agencies to track savings; however, it had not yet reported progress in achieving its goal of cost savings. Specifically, in August 2016, OMB issued a policy requiring covered agencies to appoint, by November 2016, a dedicated lead for mobile devices and services. The official is expected to work closely with senior agency officials to establish and maintain an agency-wide inventory of mobile contracts, identify opportunities for contract consolidation, and track savings, among other things. In addition, according to an official in OMB's Office of Federal Procurement, a team led by OMB, the General Services Administration, and the departments of Defense and Homeland Security, is to develop an approach for measuring savings related to mobile devices and services.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To improve Transformation Program governance, the Secretary of DHS should direct the Under Secretary for Management to ensure that the Acquisition Review Board is effectively monitoring the Transformation Program's performance and progress toward a predefined cost and schedule; ensuring that corrective actions are tracked until the desired outcomes are achieved; and relying on complete and accurate program data to review the performance of the Transformation Program against stated expectations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of August 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. Since we issued this recommendation in May 2015, the Office of Program Accountability and Risk Management (PARM), which serves as the Acquisition Review Board (ARB) executive secretariat and is to oversee DHS's acquisition portfolio, in coordination with the Office of the Chief Information Officer, has actively increased program oversight. For example, beginning in May 2015, the U.S. Citizenship and Immigration Services (USCIS) demonstrated that it submitted data supporting cost, schedule, and technical performance metrics to DHS on a monthly basis. The ARB has also held a number of meetings to discuss the Transformation Program and issued associated Acquisition Decision Memoranda with related action items. In addition, in February 2016, PARM demonstrated that DHS developed a procedure to help ensure acquisition decision memorandum actions, including corrective actions, are tracked until the desired outcomes are achieved. However, as of August 2017, the USCIS Transformation Program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline cost and schedule expectations. During this strategic pause, the program is working to complete various action items assigned by the Acquisition Review Board, including completing an updated Release Roadmap and submitting it to PARM no later than December 29, 2017; updated Lifecycle Cost Estimate and providing it to the Cost Analysis Division no later than December 29, 2017; updated Test and Evaluation Master Plan and submitting it to the Office of Test and Evaluation no later than January 31, 2018; and an updated Acquisition Program Baseline and providing it to PARM no later than December 29, 2017. We will continue to monitor DHS?s efforts to re-baseline the USCIS Transformation Program and the Acquisition Review Board's efforts to monitor the Transformation Program's performance and progress toward a predefined cost and schedule; ensure that corrective actions are tracked until the desired outcomes are achieved; and rely on complete and accurate program data to review the performance of the Transformation Program against stated expectations until and after a new baseline is established.
    Recommendation: To improve Transformation Program governance, the Secretary of DHS should direct the DHS Under Secretary for Management, in coordination with the Director of US Citizenship and Immigration Services, to ensure that the Executive Steering Committee is effectively monitoring the Transformation Program's performance and progress toward a predefined cost and schedule and relying on complete and accurate program data to review the performance of the Transformation Program against stated expectations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of August 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. More specifically, as of July 2016, the U.S. Citizenship and Immigration Services (USCIS) Transformation program office provided evidence that the Executive Steering Committee (ESC) continued to discuss cost, schedule, and operational performance metrics as part of the program's ESC meetings. However, as of August 2017, the USCIS Transformation Program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline its cost and schedule expectations. During this strategic pause, the program is working to complete various action items assigned by the Acquisition Review Board, including completing an updated Release Roadmap and submitting it to the Office of Program Accountability and Risk Management (PARM) no later than December 29, 2017; updated Lifecycle Cost Estimate and providing it to the Cost Analysis Division no later than December 29, 2017; updated Test and Evaluation Master Plan and submitting it to the Office of Test and Evaluation no later than January 31, 2018; and an updated Acquisition Program Baseline and providing it to PARM no later than December 29, 2017. In addition, according to the program?s August 2017 Acquisition Decision Memorandum, the ESC has been transformed into a component-only body with no headquarters involvement, and the program was to establish a Program Management Integrated Product Team, which was to meet bi-weekly beginning in September 2017. We will continue to monitor DHS's efforts to re-baseline the USCIS Transformation Program, the impact of changes to the ESC, and the ESC?s efforts to effectively monitor the Transformation Program's performance and progress toward a predefined cost and schedule and rely on complete and accurate program data to review the performance of the Transformation Program against stated expectations until and after a new program baseline is established.
    Recommendation: To help ensure that assessments prepared by the Office of the Chief Information Officer in support of the department's updates to the federal IT Dashboard more fully reflect the current status of the Transformation Program, the Secretary of DHS should direct the department's Chief Information Officer to use accurate and reliable information, such as operational assessments of the new architecture and cost and schedule parameters approved by the Under Secretary of Management.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. In particular, in February 2016, the DHS Office of the Chief Information Officer (OCIO), in coordination with the Office of Program Accountability and Risk Management (PARM), had consolidated the department's Investment Management System and Next Generation Periodic Reporting System tools into a single enterprise information management and repository system named Investment Evaluation, Submission, and Tracking (INVEST). According to the department, this effort should improve the reliability of the metrics used by OCIO's Enterprise Business Management Office (EBMO), as well as the other line of business and component program offices, and ensure data integrity. The data reported in INVEST include cost, schedule, and operational performance metrics that are to align with the OMB's Information Technology (IT) Dashboard reporting requirements. In addition, as of September 2017, the program was listed as a high-risk program on the federal IT dashboard, in contrast to its April 2015 rating of medium risk. However, as of August 2017, the program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline its cost and schedule expectations. We will continue to monitor DHS?s efforts to re-baseline the USCIS Transformation Program and the Office of the Chief Information Officer's efforts to use accurate and reliable information to update the federal IT dashboard until and after a new program baseline is established.
    Director: Dalkin, James R
    Phone: (202) 512-3133

    1 open recommendations
    Recommendation: The U.S. Securities and Exchange Commission should direct the COO and CFO to implement controls, such as periodic reviews of asset dispositions, to help reasonably assure that SEC's procedures for the preparation and maintenance of documentation related to the disposition of assets are consistently implemented and that any deviations from established procedures are documented.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: SEC Officials are still working on corrective actions as of the end of fiscal year 2016. We will follow up on this recommendation during our fiscal year 2017 SEC financial statement audit.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to ensure that its reports to Congress about the results of IT reform efforts accurately reflect savings generated from all PortfolioStat initiatives, including those associated with FDCCI.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to track agencies' planned savings and use them as a baseline for measuring reported actual savings.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to require agencies to document specifically how the cost savings achieved from PortfolioStat have been reinvested.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to establish time frames for completing assigned PortfolioStat action items and hold agencies accountable for meeting those time frames.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: The Secretary of Defense should direct the Chief Information Officer to revisit the 25 cost initiatives GAO reported in GAO-14-65 to identify those that have achieved savings and cost avoidances and report those savings and avoidances to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, during our review of federal agencies' efforts to rationalize their portfolio of software applications, the department reported that it does not collect data specifically on savings and cost avoidance associated with the business and enterprise IT applications that comprise most of the 25 cost initiatives reported in GAO-14-65. We will continue to follow up with the department on this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To improve the effectiveness of OMB streamlining efforts and ensure agency CIOs are better able to carry out their responsibilities in managing IT, including implementing OMB's IT reform initiatives, the Director of OMB should direct the Federal CIO, in collaboration with agency CIOs, to ensure there is a common understanding with agency CIOs on the priority of the current reporting requirements and related IT reform initiatives. This should include addressing underlying reasons cited by CIOs regarding the usefulness of requirements, including when department priorities are reportedly different than OMB's and the burdensome and duplicative nature of requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) neither agreed or disagreed with our recommendation. Subsequently, OMB has taken steps to address some aspects of our recommendation. Specifically, in January 2017, OMB worked with the Chief Information Officer (CIO) Council to issue a report entitled "State of Federal Information Technology (SOFIT)" which outlined current IT trends and their key challenges, and made recommendations to improve implementation efforts. Notably, the report also identified differences in priorities between OMB and agency CIOs on key IT reform initiatives and the need for improved reporting requirements. In addition, in June 2017, OMB staff reported that they met the CIO and head of each agency this past spring regarding their priorities and challenges. While these are positive steps toward ensuring a common understanding of these initiatives and reporting requirements, OMB still needs to take action to address the underlying reasons for these differences in priorities and reduce burdensome and duplicative requirements. Until OMB takes action in these areas, there is a risk that key IT reform initiatives may not fully succeed. We will continue to evaluate OMB's progress in addressing our recommendation.
    Director: Joel Willemssen
    Phone: (202) 512-6253

    2 open recommendations
    Recommendation: To help ensure that the Copyright Office makes improvements to its current IT environment, the Librarian of Congress should direct the Register of Copyrights to, for current and proposed initiatives to improve the IT environment at the Copyright Office, develop plans including investment proposals that identify the business problem, a proposed solution, the expected benefits, how the solution aligns with the Library's strategic plan, an initial 3-year cost estimate, and expected funding sources, and bring those to the Library's IT Steering Committee for review, as required by Library policy.

    Agency: Library of Congress
    Status: Open

    Comments: In commenting on our draft report, the Copyright Office neither agreed nor disagreed with our recommendation. Subsequently, the Copyright Office has begun to take steps to address this recommendation. For example, in November 2015 Copyright submitted to the Library's IT Steering Committee plans for three new fiscal year 2017 IT initiatives aimed at improving current systems, such as technical upgrades to the electronic (eCO) registration system. For each initiative, the office developed plans that identified the business problems, proposed solutions, expected benefits, alignment with the Library's strategic plan, initial 3-year cost estimates, and expected funding sources. In November 2016, the Librarian of Congress directed all top-level IT staff in the Library's various service units, including the Copyright CIO, to be detailed to the Library's OCIO. Subsequently, in April 2017 Library and Copyright Office officials stated that the Copyright Office, in coordination with the Library OCIO, will develop IT investment proposals for fiscal year 2018, including proposals for modernizing the Copyright Office's IT systems. We will continue to evaluate the Copyright Office's efforts to address our recommendation.
    Recommendation: To help ensure that the Copyright Office makes improvements to its current IT environment, the Librarian of Congress should direct the Register of Copyrights to develop an IT strategic plan that includes the office's prioritized IT goals, measures, and timelines, and is aligned with the Library's ongoing strategic planning efforts.

    Agency: Library of Congress
    Status: Open

    Comments: In commenting on our draft report, the Copyright Office neither agreed nor disagreed with our recommendation. In November 2016, the Librarian of Congress directed all top-level IT staff in the Library's various service units, including the Copyright Chief Information Officer (CIO), to be detailed to the Library's Office of the CIO. In light of this organizational realignment, in May 2017 the Library's Office of the CIO and the Copyright Office stated that they will be working in coordination to address our recommendation. We will continue to evaluate the Library and Copyright's efforts to address our recommendation.
    Director: Joel C. Willemssen
    Phone: (202) 512-6253

    24 open recommendations
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to address, this recommendation. Specifically, according to Library officials, they have developed a schedule and processes for developing an architecture that describes the current and target IT environments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in July 2016 the Library engaged the Office of Personnel Management (OPM) to develop and conduct a skills assessment of the Library's IT workforce. According to Library officials, OPM led a focus group with IT specialists to review and revise competency and skill lists for IT positions. In June 2017, OPM administered a gap analysis survey to all IT specialists, supervisors, managers, and leaders within the Library. According to Library officials, the Library is developing a strategy for closing gaps identified in the survey results. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture. Additionally, in February 2017, the Library provided us with IT investment proposals for 19 fiscal year 2017 investments. To the Library's credit, the proposals describe how many of the investments align with the IT strategic plan and enterprise architecture. However, we also identified instances where the alignment with the IT strategic plan and enterprise architecture was not included in the proposals or was not clearly defined. In a written response, the Library stated that the inconsistencies were attributable to manual processes for collecting the information and that it is working to make improvements to these processes for the fiscal year 2018 investments. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include reselecting investments that are already operational. Additionally, in October 2016 the Librarian approved the Library's fiscal year 2017 IT investment plan, which describes $145 million in planned IT spending on systems across the Library that are both operational and in development. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that investment selection decisions have an impact on decisions to fund investments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that appropriate governance bodies review all investments that meet defined criteria. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include requiring investments in development to submit complete investment data in quarterly reports submitted to the Information Technology Steering Committee. Additionally, officials stated that the Library has begun to require IT investments to submit quarterly reports with complete investment data, including cost and schedule variances and risk management data. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. The Library is revising its asset management policy to improve its process for developing and maintaining its inventory of IT assets. Additionally, the Office of the CIO engaged a contractor to perform a full inventory of its IT assets in September 2017. Further, the Library is working to reconcile the results of this IT asset inventory with the information in its asset management system. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include key practices on portfolio management. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives to relating to IT investment management, to include requiring investments to identify and review risks. Additionally, in February 2017, the Library provided us with risk management information for 19 fiscal year 2017 investments. To its credit, the Library generally identified, documented, evaluated, and categorized risks for each of the 19 investments. However, the Library did not always document the context and consequences of occurrence for all risks and did not describe mitigation plans for all risks. In a written response, the Library noted that it will improve the guidance for risk management, providing examples that should ultimately elicit more useful information for the IT Steering Committee to make decisions or take action when necessary. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office has finalized detailed guidance for the Library on requirements development. We are reviewing this information to determine the extent to which the guidance includes key practices for requirements development. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office has finalized detailed guidance for the Library on developing and maintaining project schedules. We are reviewing this information to determine the extent to which the guidance includes key practices for developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, according to the Library, it is working to give the OCIO's Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office is drafting detailed guidance for the Library on developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Information Technology Security Group reviewed all system security plans to ensure that they are complete. After the completion of this review, in August 2017 the Library provided us with system security plans for nine key systems. To its credit, the plans describe many of the common controls (i.e., where a system relies on controls established for another system) on which the systems relied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented by the system, are inherited from another system, or are not being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Library?s Information Technology Security Group reviewed all system security plans to ensure that they are complete. After completing this review, in August 2017 the Library provided us with system security plans for nine key systems. Each of the plans generally includes descriptions of how security controls are implemented and justifications for why controls are not applied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, in August 2015 the Library began monthly security testing and vulnerability scans for servers, networks, and workstations. Additionally, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in August 2017, the Library provided us with remedial action plans for key Library systems. The Library has generally documented and tracked remedial action plans for these key systems and has completed many. However, we also identified instances of remedial actions that, as of August 2017, had yet to be completed and were past their expected completion date. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including management of remedial action plans. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in October 2015 the Library finalized its guidance on security assessment and authorization, which requires authorizing officials to review the security status of information systems on an ongoing basis to determine whether the risk of operating the system remains acceptable. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in April 2017 the Library required that contingency plans be established for all systems by September 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. According to Library officials, the OCIO is developing a process to track user accounts, including contractors and volunteers, on Library systems to ensure completion of required annual IT Security Training. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. In April and September 2016 the Library provided us with IT contracts that included some, but not all, of the standard contract sections required by Library policy. In February 2017, the Library provided us with newly awarded IT contracts, each of which included the required information security and privacy sections. Further, according to the Library, it plans to incorporate its required information security and privacy provisions into its existing contracts for IT services as the Library exercises options for these contracts. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in September 2016 the Library?s Office of the CIO finalized a new service catalog that captures its IT services. The catalog identifies 21 categories of IT services that are available to Office of the CIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating availability, fulfillment, and response. Additionally, between May 2016 and May 2017, the Office of the CIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for specialized application and services that the Office of the CIO provides to those units. Further, the Library's Office of the CIO is developing a directive on its memorandums of understanding and plans to brief its customers on that directive in November 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Office of the Chief Information Officer has begun drafting a customer satisfaction improvement plan. The Library expects this plan to be finalized by December 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library is drafting several policies and directives to relating to IT investment management, to include reviewing the Library's IT portfolio to identify duplicative or overlapping activities and investments. In addition, according to Library officials, the Library has taken a number of steps to reduce duplicative IT activities. For example, in March 2015 we reported that the Office of Security and Emergency Preparedness (OSEP) managed its own network independent of the Library's central IT provider. However, in June 2017 the Library reported that the Office of the CIO is managing the OSEP network. Further, the Library plans to assess the costs and benefits of consolidating potentially duplicative email and network services identified in our March 2015 report. The Library plans to complete the steps necessary to implement this recommendation by March 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: In order to help ensure consistent, effective oversight of DHS's acquisition programs, and to make the CASR more useful, starting with the report reflecting fiscal year 2015 program data, the Secretary of DHS should adjust the CASR to do the following: (1) report an individual rating for each program's cost, schedule, and technical risks; (2) report a best estimate of procurement quantities or indicate why this is not applicable, as appropriate; (3) report all programs' significant changes in acquisition cost, quantity, or schedule from the previous CASR report by determining a means to account for programs that lack acquisition program baselines; (4) report major program events that are included in acquisition program baselines, such as scheduled acquisition decision events; and (5) report the level at which the program's life-cycle cost estimate was approved.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation, and took some actions to address it. The Office of Program Accountability and Risk Management (PARM) updated its template for the Comprehensive Acquisition Status Report (CASR) to reflect the following changes: individual ratings for each program's cost, schedule, and technical risks; significant changes in programs' acquisition cost, quantity, or schedule; and major events included in the acquisition program baselines. In addition, PARM intended to revise the reporting information for the level at which a program's life-cycle cost estimate was approved and its estimate of procurement quantities. However, the 2017 Consolidated Appropriations Act discontinued the requirement to submit the CASR with future budget requests and DHS did not submit one for 2017. Recently introduced legislation would reestablish the CASR requirement and we will revisit this recommendation pending the outcome of that legislation.
    Director: Carol R.Cha
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to require MAIS programs to establish their first acquisition program baseline within 2 years of beginning work on the programs.

    Agency: Department of Defense
    Status: Open

    Comments: The Department developed a draft process document that states that business system (e.g. financial management, logistics management) programs should start development on at least one release within 24 months after programs have identified the needed capabilities and received approval to conduct further analysis into the potential delivery of the capabilities. We will follow-up with the Department for the final process document and guidance, when available.
    Recommendation: The Secretary of Defense should direct the Secretary of the Army to direct the Army (Financial Management and Comptroller) to complete a plan for conducting auditability testing of LMP Increment 2 functionality to ensure that such testing occurs prior to the LMP program management office deploying future functionality.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, in response to our recommendation, the department developed a plan to conduct system testing on LMP Increment 2 in accordance with the Federal Information System Controls Audit Manual. The officials stated that the department's plan was to conduct this testing both prior to and after the deployment of new functionality to users. We have requested additional information and documentation from DOD regarding these LMP Increment 2 test plans in order to determine whether the testing associated with auditability of the system was to be conducted before deployment to users.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To improve the reliability and reporting of investment performance information and management of selected major investments, the Commissioner of the IRS should direct the Chief Technology Officer to modify reporting of the Affordable Care Act Administration testing status to senior management to include a comprehensive report on all impacted systems--including an explanation for why impacted systems were not tested at a particular level--and ensure this reporting is aligned with the manner in which testing is being performed.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS disagreed with this recommendation at the time we made it stating that it followed a rigorous risk-based process for planning the tests of ACA-impacted systems, including the types and levels of testing, and that it had comprehensive reporting for the filing season 2015 release, which included ACA impacted systems. However, as noted in our report, our review of ACA Testing Review Checkpoint reports and filing season reports, which officials stated were used to provide comprehensive reports to senior managers, did not identify the status of testing for all systems impacted by ACA Releases 5.0 and 6.0. We therefore concluded that the recommendation was still valid. As of July 2017, IRS had not changed its position. We will be following up with the agency to discuss the recommendation.
    Director: Cary B. Russell
    Phone: (202) 512-5431

    5 open recommendations
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to ensure SPOT-ES cost estimates are accurate and comprehensive, the Under Secretary of Defense for Personnel and Readiness should, in coordination with the Under Secretary of Defense for Acquisition, Technology and Logistics direct the system's program office to regularly update its life-cycle cost estimate to include defining and assessing its plans for SPOT-ES.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to help improve timeliness and reliability of data in SPOT-ES, the Secretary of Defense should direct Defense Procurement and Acquisition Policy officials, through the Under Secretary of Defense for Acquisition, Technology and Logistics, to ensure that contracting officers use available mechanisms to track contractor performance of SPOT data entry, such as its Contractor Performance Assessment Reporting System or other appropriate performance systems or databases.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to enhance the value of SPOT-ES data, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness to fully register SPOT-ES data in the DSE to make data visible and trusted, including taking the necessary steps related to authoritative data sources.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to help ensure that DOD possesses the capability to collect and report statutorily required information and to clarify responsibilities and procedures, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics to update SPOT provisions during the process of updating operational contract support guidance.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to provide clarity about expectations for the Joint Asset Movement Management System (JAMMS) that can help improve the timeliness and reliability of data for SPOT-ES from JAMMS uploads, the Secretary of Defense should direct the Chairman of the Joint Chiefs of Staff, in coordination with the combatant commanders, to develop comprehensive guidance regarding the purpose of JAMMS and its role in supporting plans for different types of missions. Such guidance could include direction on the number and location of JAMMS terminals and how frequently JAMMS's data should be uploaded into SPOT-ES to meet DOD's information needs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    6 open recommendations
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, the agency concurred with this recommendation. Relevant efforts by DHS to finalize memoranda of understanding with other agencies and by the Export Enforcement Coordination Center to share information and data across the export control enforcement community are ongoing. As of Sept 2017, DHS did not identify relevant actions to coordinate on critical technologies among other agencies.
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of Commerce
    Status: Open

    Comments: Commerce has identified various efforts to collaborate across multiple agencies within individual critical technologies programs, but has not taken steps to promote collaboration on critical technologies through a larger group discussion.
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has identified numerous activities within DOD to coordinate across the critical technologies portfolio, in particular the Arms Transfer and Technology Release Senior Steering Group. In some cases, these activities include other departments, most commonly State. However, officials have stated that they are not aware of any high-level coordination on critical technologies among the larger group of agencies. On Sept. 5, 2017, DOD provided an update on multiple DOD efforts, including CFIUS, but none are collaborating among all of the agencies cited in the recommendation.
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of Justice: Office of the Attorney General
    Status: Open

    Comments: In August 2016, the agency identified coordination actions being taken across the agencies with export control responsibilities--including through the Export Control Enforcement Center--and through the Committee on Foreign Investment in the United States. However, it is not clear how, or if, these coordination efforts are tied to the larger, government-wide portfolio of critical technologies programs. As of Sept. 2017, Justice has no additional updates.
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of the Treasury
    Status: Open

    Comments: In September 2016, a Treasury official identified coordination actions being taken across the agencies with export control responsibilities and through the Committee on Foreign Investment in the United States. However, coordination efforts are not tied to larger, government-wide collaboration on critical technologies. In March 2017, Treasury provided an update on actions taken, but did not address the recommendation for coordination among the critical technologies programs.
    Recommendation: To ensure a consistent and more collaborative approach to the protection of critical technologies, the Secretaries of Commerce, Defense, Homeland Security, State, and the Treasury; as well as the Attorney General of the United States, who have lead and stakeholder responsibilities for the eight programs within the critical technologies portfolio, should take steps to promote and strengthen collaboration mechanisms among their respective programs while ongoing initiatives are implemented and assessed. These steps need not be onerous; for example, they could include conducting an annual meeting to discuss their programs, including the technologies they are protecting, their programs' intent, any new developments or changes planned for their programs, as well as defining consistent critical technologies terminology and sharing important updates.

    Agency: Department of State
    Status: Open

    Comments: In providing comments on this report, the agency concurred with this recommendation but has not yet taken any actions necessary to implement it. In Sept. 2017, State provided updates on actions taken within the department, but none across affected agencies.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    2 open recommendations
    including 2 priority recommendations
    Recommendation: To ensure that the Bureau is better positioned to deliver an Internet response option for the 2020 Decennial Census, the Secretary of Commerce should direct the Under Secretary for Economic Affairs to direct the Director of the Census Bureau to ensure that the estimated costs associated with the Internet response option are updated to reflect significant changes in the program and to fully meet the characteristics of a reliable cost estimate.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Department of Commerce neither agreed nor disagreed with this recommendation. To fully implement this recommendation, the Census Bureau's updated cost estimate needs to reflect significant changes in the program as they relate to the Internet response option and fully meet the characteristics of a reliable cost estimate. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver an Internet response option for the 2020 Decennial Census, the Secretary of Commerce should direct the Under Secretary for Economic Affairs to direct the Director of the Census Bureau to ensure that the methodologies for answering the Internet response rate and IT infrastructure research questions are determined and documented in existing or future project plans in time to inform key design decisions.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Department of Commerce neither agreed nor disagreed with this recommendation. The Census Bureau has developed the methodologies for answering IT infrastructure research questions in its 2020 Census Enterprise Architecture and Infrastructure Transition Plan, which describes the Bureau's multi-year plan for evolving the IT infrastructure to support all 2020 Census operations. However, to fully implement this recommendation the Bureau needs to provide documentation that describes the methodology for determining the Internet response rate for the 2020 Census. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendations
    Recommendation: To ensure that the federal government's and states' investments in information systems result in outcomes that are effective in supporting efforts to save funds through the prevention and detection of improper payments in the Medicaid program, the Secretary of Health and Human Services should direct the Administrator of CMS to require states to measure quantifiable benefits, such as cost reductions or avoidance, achieved as a result of operating information systems to help prevent and detect improper payments. Such measurement of benefits should reflect a consistent and repeatable approach and should be reported when requesting approval for matching federal funds to support ongoing operation and maintenance of systems that were implemented to support Medicaid program integrity purposes.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In comments on our report, agency officials agreed with this recommendation and provided information on CMS's plans to use a template to track cost savings resulting from state Medicaid offices' use of information systems for program integrity purposes. In April 2017, CMS officials said that they were no longer planning to use the template to gather information from the states, because of the varied approaches that states take to implement systems support for program integrity purposes. The officials stated that they are developing an alternative approach for capturing this information from the states, which will be provided to us when completed. We will continue to monitor CMS's progress toward addressing the recommendation.
    Director: Gerald L. Dillingham, Ph.D.
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: If, in the next authorization for FAA, Congress chooses to mandate that FAA take actions to streamline and reform the agency, Congress may wish to consider requiring FAA to (1) track measures of and (2) report to Congress on the actual results of such efforts.

    Agency: Congress
    Status: Open

    Comments: FAA's authorization expired at the end of Fiscal Year 2015. As of May 2017, Congress has passed several FAA authorization extensions that did not include any actions related to this matter. We will continue to monitor legislation, and when we determine what steps the Congress has taken regarding this matter, we will provide updated information.
    Recommendation: To better enable FAA to track, aggregate, and report on the results of its streamlining and reform initiatives, the Secretary of Transportation should direct FAA to develop a mechanism to capture the results of its efficiency initiatives in its planned database for process improvements. Measures of results might include, for example, cost savings, timeliness, or customer service metrics, which may be common to several types of process improvement efforts and therefore facilitate aggregation across improvements.

    Agency: Department of Transportation
    Status: Open

    Comments: As of May 2017, FAA expanded its existing data repository to include results of the efficiency initiatives, but no realized results or benefits have yet been entered into the data repository. GAO will continue to monitor the status of this recommendation.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the Department has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the General Services Administration should assess the building and access control systems that it owns in FPS-protected facilities in a manner that is fully consistent with FISMA and its implementation guidelines.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: As of October 2016, GSA recently provided documentation about its assessments of the control systems that the agency owns in FPS-protected facilities. We are reviewing this information to determine whether GSA has implemented the recommendation.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To ensure the management of the required portfolio of contract services and that required reductions are achieved the Secretary of Defense should evaluate fiscal controls used by the military departments to identify effective practices and ensure they are consistently implemented to improve the management of contract services spending.

    Agency: Department of Defense
    Status: Open

    Comments: In commenting on this report DOD concurred with this recommendation but has not yet provided information necessary to demonstrate its implementation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    5 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and ensure that the executive-level investment review board meets as outlined in its charter, documents criteria for use by the other boards, and distributes its decisions to appropriate stakeholders.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e. the Executive Operations Committee) that replaced the board discussed in our report. However, as of April 2017, the department had not yet documented criteria the Committee had established for use by other boards or provided evidence of how this new committee would distribute decisions made to appropriate stakeholders.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish and maintain a complete set of governance policies, establish time frames for establishing policies planned but not yet developed, and update key governance documents to reflect changes made to established practices.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, the department had taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy and confirmed that the remaining policies to be developed were the IT Risk Policy and the IT Performance Management Policy. HUD also reported that the department planned to revise additional existing policies, including the IT Management Framework Policy, IT Capital Management Policy, IT Project Planning & Management Policy, IT Governance Policy, and IT Strategic Planning Policy. As of April 2017, the department had finalized a Risk Policy but reported it was still working on additional policy updates anticipated to be finalized during 2017.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish an IT investment selection process that includes (1) articulating how reviews of project proposals are to be conducted; (2) planning how data (including cost estimates) are to be developed and verified and validated; (3) establishing criteria for how cost, schedule, and project risk are to be analyzed; (4) developing procedures for how proposed projects are to be compared to one another in terms of investment size (cost), project longevity (schedule), technical difficulty, project risk, and cost-benefit analysis; and (5) ensuring that final selection decisions made by senior decision makers and governance boards are supported by analysis, consider predefined quantitative measures, and are consistently documented.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not provided information demonstrating that the department has addressed this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. As of April 2017, the department had reported on improvements to its investment process but had not yet provided evidence of specific actions or plans aimed at ensuring the five IT selection processes highlighted in this recommendation would be addressed.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish a well-defined process that incorporates key practices for overseeing investments, including (1) monitoring actual project performance against expected outcomes for project cost, schedule, benefit, and risk; (2) establishing and documenting cost-, schedule-, and performance-based thresholds for triggering remedial actions or elevating project review to higher-level investment boards; and (3) conducting post-implementation reviews to evaluate results of projects after they are completed.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, the department had taken steps to address this recommendation. Specifically, in April 2016, HUD provided evidence of actions taken toward developing new processes for investment oversight practices. Specifically, the department created processes for conducting project health assessments and weekly project management meetings intended to monitor, among other things, actual performance against expected outcomes, and to establish thresholds for triggering remedial actions or elevating projects for additional review. As of April 2017, the department had not provided evidence that these new processes were fully established and institutionalized.
    Recommendation: To establish an enterprise-wide view of cost savings and operational efficiencies generated by investments and governance processes, the Secretary of Housing and Urban Development should direct the Deputy Secretary and Chief Information Officer to place a higher priority on identifying governance-related cost savings and efficiencies and establish and institutionalize a process for identifying and tracking comprehensive, high-quality data on savings and efficiencies resulting from IT investments and the IT governance process.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: As of April 2017, the department had taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the fiscal year 2015 budget formulation process, along with copies of a template that it designed and used to help identify such savings. As of April 2017, the department had not yet provided evidence that it had formally established policies and procedures or taken other actions to institutionalize a process for identifying and providing an enterprise-wide view of IT-related cost savings and operational efficiencies.
    Director: Yvonne D. Jones
    Phone: (202) 512-2717

    1 open recommendations
    Recommendation: Any federal agency designated to investigate future USERRA claims against federal executive agencies should undertake efforts to increase the response rate of the customer satisfaction survey if it continues to be administered, so more tenable conclusions can be drawn from its data. Such efforts may include follow-up phone calls to nonrespondents, additional email notifications requesting participation in the survey, or making the survey easier to complete and submit.

    Agency: Department of Labor
    Status: Open

    Comments: In February 2016, Department of Labor Veterans Employment and Training Service (DOL/VETS) reported their office is handling all USERRA complaints, Federal and non-Federal following conclusion of the demonstration project with OSC. DOL/VETS reported the agency deployed its customer satisfaction survey in May 2016 and will be monitoring and collecting responses on a quarterly basis. The agency plans to employ the same follow-up technique used during the demonstration project and will determine if additional follow-up emails are warranted.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    10 open recommendations
    including 2 priority recommendations
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services agreed with, and has taken initial steps to implement, our recommendation. In June 2015, the department reported that it had begun an effort to calculate the tangible cost savings and avoidances derived from closing over 50 data centers as part of its data center consolidation efforts. As of March 2017, the department reported that it had closed a total of 74 data centers and had identified $6.64 million in cost savings and avoidances, which is approximately $2.30 million more than what we reported in September 2014. However, the identified cost savings does not include any savings from fiscal years 2015 or 2016. Accordingly, we conclude the department has not yet completed efforts to address challenges in calculating cost savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior agreed with, and has taken initial steps to implement, our recommendation. Specifically, in December 2014, the Interior's Deputy Assistant Secretary for Policy, Management and Budget established a series of steps toward addressing our recommendation. The steps include, for example, consolidating and streamlining data center consolidation reporting processes, developing a template that all department bureaus and offices are required to use, and issuing a directive requiring consistent reporting for all data center cost savings and avoidances. In addition, the department submitted a Data Center Optimization Initiative strategic plan to the Office of Management and Budget (OMB) in September 2016. In the plan, the department reported closing 53 data centers and achieving $4.4 million in cost savings and avoidances in fiscal year 2016. However, the plan does not indicate how the department will address identified challenges nor does it indicate whether the department has successfully implemented its directive on consistent monitoring of cost savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor agreed with, and has taken initial steps to implement, our recommendation. In September 2015, the department stated that its Office of the Chief Information Officer was working to develop an enterprise data center inventory as part of the department-wide Data Center Consolidation Initiative Working Group. In September 2016, the department submitted its Data Center Optimization Initiative plan to the Office of Management and Budget. The plan reported that the department had closed 28 non-tiered data centers in fiscal year 2016 and indicated that the department had historical cost savings of $4.85 million to date. However, as of March 2017, the department had not yet reported any resulting cost savings or avoidances in its quarterly report to OMB. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with, and has taken initial steps to implement, our recommendation. In September 2014, we found that the department reported fiscal year 2012 through 2015 cost savings and avoidances of $244.17 million to GAO, but had only reported $71.20 million to the Office of Management and Budget (OMB)--a difference of approximately $172.97 million. Moreover, as of March 2017, the department still had not yet fully reported its savings to OMB, as we recommended. Specifically, the department had reported a total of about $25.07 million in cost savings and avoidances to OMB from fiscal years 2012 to 2016--an amount that is approximately $219.1 million short of the total savings and avoidances that the department had reported to GAO as of September 2014. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with, and has taken initial steps to implement, our priority recommendation. In March 2016, we determined that the department had identified a total of about $1.07 billion in data center consolidation cost savings from fiscal year 2012 through 2016. However, as of March 2017, the department had not yet fully reported its savings to the Office of Management and Budget, as we recommended. Specifically, as of June 2016, the department reported $859 million in savings to the Office of Management and Budget--an amount $211 million less than the $1.07 billion previously reported to us. However, as of March 2017, the department only reported $331 million to the Office of Management and Budget--a decrease of $528 million and $739 million less than what was previously reported to us. In light of the department's considerable planned savings, and the significant decrease in what is being reported, full and accurate reporting by the department is critical toward ensuring that the Office of Management and Budget and Congress have the ability to oversee DOD's progress against key data center consolidation initiative goals.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior agreed with, and has taken initial steps to implement, our recommendation. In September 2014, we found that the department had reported fiscal year 2012 to 2015 cost savings and avoidances of $84.42 million to GAO, but had only reported $13.59 million to OMB--a difference of approximately $70.83 million. Moreover, as of February 2017, the department had not yet fully reported its savings to OMB, as we recommended. Specifically, the department had reported a total of about $13.61 million in cost savings and avoidances to OMB from fiscal years 2012 to 2016--an amount that is approximately $70.81 million short of the total savings and avoidances that the department had reported to GAO as of September 2014. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with our recommendation, but had not yet taken steps to implement it. In September 2014, we found that the department had reported fiscal year 2012 to 2015 cost savings and avoidances of $140.18 million to GAO, but had only reported $7.36 million to OMB--a difference of approximately $132.82 million. However, in February 2017, the department had still only reported a total of $4.89 million in data center consolidation savings and avoidance to OMB. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: Treasury did not comment on this recommendation and has not comprehensively reported cost savings and avoidances, as we recommended. For example, as of March 2017, Treasury had reported about $1.14 billion in data center consolidation-related cost avoidances in its quarterly report to OMB--an increase of about $734 million compared to a previous report. However, the department has not yet reported to OMB other cost avoidances totaling about $210 million that the department had previously reported to us. We will continue to monitor Treasury's progress against this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management agreed with our recommendation, but has not yet taken steps to implement it. In September 2014, we found that the agency had reported fiscal year 2012 to 2015 cost savings and avoidances of $3.40 million to GAO, but had not reported any of its savings and avoidances to the Office of Management and Budget as required. As of March 2017, the agency had not yet reported any data center consolidation cost savings and avoidances to the Office of Management and Budget. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that the Federal Data Center Consolidation Initiative (FDCCI) improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal chief information officer (CIO) to utilize the existing PortfolioStat review sessions to assist the Department of Health and Human Services (HHS), Interior, Justice, Labor, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) in identifying data center consolidation cost savings opportunities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) agreed with, and has taken initial steps to implement, our recommendation. Specifically, in June 2015, OMB issued a memorandum that discussed the fiscal year 2015 PortfolioStat requirements, including that agencies should hold PortfolioStat sessions on a quarterly basis (versus annually, as done previously) with OMB, the agency chief information officer, and other attendees. The memorandum also stated that, during these sessions, agencies are expected to discuss a strategy to reduce duplication and waste within the IT portfolio of the agency, identify projected cost savings resulting from such strategy, and identify ways to increase the efficiency and effectiveness of IT investments, among other things. However, as of March 2017, several agencies were still reporting limited savings from their consolidation efforts. For example, the Department of Transportation reported closing 146 data centers through February 2017, but had reported only $4.9 million in savings. As another example, the Department of Labor reported closing 25 data centers through February 2017, but reported no resulting cost savings. Until OMB assists these agencies with limited or no cost savings reported, they may not be able to identify the full extent of savings from their consolidation efforts. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    8 open recommendations
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of Agriculture
    Status: Open

    Comments: We are in the process of reviewing agency documentation and waiting for additional supporting documentation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of the Treasury
    Status: Open

    Comments: We contacted the agency and are awaiting its response on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of State
    Status: Open

    Comments: The Department of State established a requirement for completing a cloud computing service alternatives analysis for all new projects, and that existing IT projects be evaluated for the viability to migrate to a cloud computing environment. Further, the department established key factors for consideration when selecting applications for migration to a cloud environment. However, State has not yet evaluated a majority of its IT investments for cloud alternatives. The department said it plans to complete evaluations for some of these investments by the end of FY2017, but has not yet established plans to evaluate over a third of its investments.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Small Business Administration
    Status: Open

    Comments: We are waiting for a response from SBA on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of Agriculture
    Status: Open

    Comments: We are in the process of waiting for additional department documentation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of the Treasury
    Status: Open

    Comments: We are waiting for a response from the department on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of State
    Status: Open

    Comments: The Department of State established a requirement for completing a cloud computing service alternatives analysis for all new projects, and that existing IT projects be evaluated for viability to migrate to a cloud computing environment. Further, the department established key factors for consideration when selecting applications for migration to a cloud environment. However, the department has not yet established evaluation dates for the vast majority of the investments that have not been assessed for migration to the cloud. Specifically, the department plans to complete evaluations for some of these investments by the end of fiscal year 2017, but does not plan to do so for most of them.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Small Business Administration
    Status: Open

    Comments: We are waiting for a response from the department on the status of efforts to implement this recommendation.
    Director: Randall B. Williamson
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To ensure that the Family Caregiver Program is able to meet caregivers' demand for its services, the Secretary of the Department of Veterans Affairs should expedite the process for identifying and implementing an IT system that fully supports the program and will enable VHA program officials to comprehensively monitor the program's workload, including data on the status of applications, appeals, home visits, and the use of other support services, such as respite care.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and stated that its efforts to develop and implement a new IT system has two key steps. First, VA will enhance and stabilize the existing Caregiver Action Tracker IT system. Second, a replacement IT system with new features and capabilities will be implemented by the end of FY 2017. However, in January 2017, VA reported that the short-term stabilization effort for the current IT system continues to experience multiple challenges resulting in significant schedule delays. Furthermore, the replacement IT system--which is partially dependent on the success of the current stabilization effort--has experienced project barriers of its own, and lacks the funding needed for a contract extension to complete the work. According to VA, the successful implementation of the replacement IT system is at significant risk.
    Recommendation: The Secretary of the Department of Veterans Affairs should direct the Undersecretary for Health to use data from the IT system, once implemented, as well as other relevant data to formally reassess how key aspects of the program are structured and to identify and implement modifications as needed to ensure that the program is functioning as envisioned so that caregivers can receive the services they need in a timely manner.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with this recommendation; however, in January 2017, VA reported that barriers continue to place the replacement IT system at significant risk as stated in Recommendation 1. In advance of the electronic solution, VA has developed manual processes to obtain and monitor key data points, allowing it to reassess policies and procedures for the Program of Comprehensive Assistance for Family Caregivers. In its June 2015 update, VA stated that the Caregiver Support Program had started collaborating with VA's Health Services Research and Development to establish a Partnered Evaluation Center (PEC). The PEC is assessing the impact of all caregiver support services in order to evaluate their effectiveness and impact on the health and well-being of veterans and caregivers. In January 2017, VA reported that the PEC's initial work had concluded and key findings had been identified.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    16 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. However, as of April 2017, OPM had not implemented the recommendation to develop, document and implement oversight procedures to ensure that a system test is fully executed for each contractor-operated system. We will monitor OPM's efforts and validate OPM actions when evidence discloses that the recommendation has been implemented.
    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We requested comments on a draft of this report from the Office of Management and Budget, but none were provided. In June 2017, OMB stated that its and DHS's annual reporting requirements now contain an expanded list of criteria for contractor-operated systems, including definitions in related guidance from the National Institute of Standards and Technology. However, although the reporting requirements call for agencies to report on their total number of contractor-operated systems, neither the requirements or related guidance clarify which agency systems that have contractor relationships should be categorized as contractor-operated. The lack of clear instructions may continue to result in incomplete information regarding the number of contractor-operated systems within the government.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other securityrelated planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyberrelated threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update status of implementation efforts.
    Director: Michele Mackin
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To help ensure that it receives accurate information on the full effect of funding decisions on acquisition programs, Congress should consider amending the law that governs the 5-year Capital Investment Plan to require the Coast Guard to submit cost and schedule information that reflects the impact of the annual President's budget request on each acquisition across the portfolio--in addition to the current practice of reporting the cost and schedule estimates in current program baselines.

    Agency: Congress
    Status: Open

    Comments: Thus far no congressional action has been taken on this Matter. We will continue to follow up with relevant congressional committees.
    Recommendation: To help the Coast Guard improve the long-term outlook of its portfolio, the Commandant of the Coast Guard should develop a 20-year fleet modernization plan that identifies all acquisitions needed to maintain the current level of service and the fiscal resources necessary to build the identified assets. The plan should also consider trade-offs if the fiscal resources needed to execute the plan are not consistent with annual budgets.

    Agency: Department of Homeland Security: United States Coast Guard
    Status: Open

    Comments: Based on this recommendation, Congress has requested that the Coast Guard develop a 20-year plan that identifies all acquisitions needed to maintain the Coast Guard's current level of service and the financial commitment necessary to achieve this plan. As a part of a series of testimonies in June and July 2017, we found that Coast Guard officials stated they are developing a 20-year Capital Investment Plan (CIP), but the timeframe for completion is unknown. The Coast Guard does, however, submit a 5-year CIP annually to Congress that projects acquisition funding needs for the upcoming 5 years. GAO found the CIPs do not match budget realities in that tradeoffs are not included. In the 20-year CIP, GAO would expect to see all acquisitions needed to maintain current service levels and the fiscal resources to build the identified assets as well as tradeoffs in light of funding constraints.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    100 open recommendations
    including 2 priority recommendations
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Agriculture
    Status: Open

    Comments: In written comments to our report, the Department of Agriculture concurred with our recommendation. In July 2017, Agriculture reported on actions taken to address this recommendation, including the development of a draft software license management policy to address Information Technology Asset Management (ITAM) procedures and practices. We will follow-up with the department to monitor its progress in completing an agency-wide comprehensive policy for the management of software licenses.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation and, in July 2017 reported that it has established a comprehensive software license inventory. We will request additional information to validate the extent to which Agriculture addressed this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation. In July 2017, Agriculture reported on actions taken to address this recommendation. For example, Agriculture reported that it uses the Bigfix network management tool to track software. We will request additional information to validate the extent to which Agriculture regularly tracks and maintains the department's inventory of software licenses; and analyzes software data to inform decision making.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation. In July 2017, Agriculture reported on actions taken to address this recommendation. For example, agriculture reported that it continues to analyze existing contracts to show their utilization. We will request additional information to validate the extent to which Agriculture analyzes agency-wide software license data to identify opportunities to reduce costs and better inform investment decision making.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Agriculture
    Status: Open

    Comments: In July 2017, Agriculture reported on actions taken to address this recommendation. For example, Agriculture reported that members of its Category Management Team have worked with GSA over the past year to better understand the terms and conditions of vendors, such as Oracle and Microsoft. In addition, Agriculture reported that the members maintain a Contracting Officer's Representative certification and attend continuous training on software procurement, contracting laws regulations and negotiations. We will request additional information to validate the extent to which Agriculture provided appropriate agency personnel with sufficient software license management training.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) team with representation from the bureau enterprise architecture teams to develop a methodology of managing software licenses across the department. In addition, Commerce reported that the IPT is chartered to refine the department's software licenses policy over time and provide guidance in establishing an enterprise license software management practice. We will continue to monitor the department's progress in implementing a comprehensive software license management policy.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing licenses across the department. In addition, the department reported that the IPT is chartered to refine the software policy over time and provide guidance in establishing an enterprise license management practice. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, Commerce reported that it has conducted an inventory of software licenses through a data call and inventory collection template. Commerce also reported that it is evaluating how to automate the inventory process by leveraging the portfolio of deployed network discovery tools for identifying installed licensed products, collating and ingesting the information into a repository for maintenance and reporting of the data. We will continue to monitor the department's progress in implementing automated discovery and inventory tools in support of its department-wide software license inventory.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, Commerce reported that it has conducted an inventory of software licenses through a data call and inventory collection template. Commerce also reported that it is evaluating how to automate the inventory process by leveraging the portfolio of deployed network discovery tools for identifying installed licensed products, collating and ingesting the information into a repository for maintenance and reporting of the data. We will continue to monitor the department's progress in implementing automated discovery and inventory tools in support of its department-wide software license inventory.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing licenses across the department. In addition, the department reported that the IPT is chartered to refine the software policy over time and provide guidance in establishing an enterprise license management practice. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing licenses across the department. In addition, the department reported that the IPT is chartered to refine the software policy over time and provide guidance in establishing an enterprise license management practice. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, the Department of Defense reported that it was in the process of developing policy and guidance for software license management with issuance expected by the end of fiscal year 2017. As of July 2017, the department did not provide additional information. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, the Department of Defense (DOD) reported on actions to implement a more centralized software license management approach. For example, the department reported that the DOD CIO is leveraging the DOD Enterprise Software Initiative and joint enterprise license agreement efforts centrally managed by the Defense Information Systems Agency to coordinate centralized acquisitions for licenses that are commonly purchased across DOD. The DOD CIO also issued a memorandum on November 16, 2015 directing department-wide migration to the Microsoft Windows 10 Operating System by January 2017 for all Windows-based desktop and laptop computers, which will support an enterprise approach for centrally coordinating software license management. However, as of July 2017, the department did not provide additional information. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense partially concurred to develop comprehensive inventory for the management of software licenses. In March 2016, DOD reported on actions to implement a comprehensive inventory using automated tools. For example, DOD reported that it has completed a software inventory license reporting plan and continues to automate security domains for asset management and plans to implement automated support and processes for software license management processes in Fiscal Year 2020. However, as of July 2017, the department did not provide additional information. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense partially concurred with this recommendation to develop a comprehensive inventory for the management of software licenses. In March 2016, DOD reported on actions to implement this recommendation. For example, DOD reported that it has completed a software inventory license reporting plan and continues to automate security domains for asset management and plans to implement automated support and processes for software license management processes in Fiscal Year 2020. However, the department did not provide additional information as of July 2017. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense concurred with this recommendation. DOD made progress in implementing this recommendation by analyzing Fiscal Year 2013 selected software inventory data from 31 of 32 components. However, as of October 2016, DOD had not yet fully implemented this recommendation because it had not established automated discovery and inventory tools to maintain and track a comprehensive inventory of licenses, which are needed to fully and routinely analyze agency-wide software licensing data. Further, the department did not provide additional information as of July 2017. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with this recommendation. In March 2016, DOD reported on actions to implement this recommendation. For example, DOD added a new webinar training session on software license management and developed a two-day in-person training course on "Strategic Vendor Management" that introduces participants to category management best practices for commercial software. DOD also reported that it expects to establish additional training on software license management by the end of fiscal year 2016. However, the department did not provide updated information as of July 2017. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Education should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education concurred with this recommendation. In August 2016, the Department provided evidence that it has developed agency-wide policy that addresses six of the seven elements that a comprehensive software licensing policy should specify. However, as of August 2017, the department did not provide evidence that its policy specifically addresses the analysis of software license data such as usage to inform decision making. We will follow up with the agency to obtain additional information on its software licensing policy and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Education should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education concurred with this recommendation. In August 2016, the department reported that it regularly analyzes agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making. For example, the department said that it manually analyzes software data by comparing data in the software inventory database with requests for software acquisitions. However, as of August 2017, the department did not provide documentation on its analysis of agency-wide software license data or on the extent to which this information was used to inform investment decisions to identify opportunities to reduce costs. We will follow-up with the department to obtain documentation supporting actions to fully implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Education should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education concurred with this recommendation. The department has made progress in implementing this recommendation by providing its staff with software license training, including training on its software tracking database. In addition, the department's Software Asset Management and Acquisition Policy (SAMA) require employees to take training on the SAMA policy and computer software piracy. However, as of August 2017, the department did not demonstrate that it offers training in other important areas specific to software license management, such as contract terms and conditions, laws, and regulations. We will continue to monitor the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it has taken a number of steps to aggregate software licensing. In March 2017, Energy reported that it had developed an agency-wide comprehensive policy for the management of software licenses. In addition, the department reported that the policy encourages the consolidation of software package acquisition, volume purchasing arrangements, enterprise wide agreements and best practices in software implementation. However, the department has not yet provided documentation of its policy. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it had taken a number of steps to aggregate software licensing, and at that time had no plans to centralize software licensing. In March 2017, the department reported that it's Office of the Chief Information Officer's Enterprise Wide Agreement (EWA) program host periodic conference calls with key IT representatives across the department's complex and recommend common software for consideration by the EWA program. In addition, the department reported that its Office of Management, Strategic Programs Division holds meetings throughout the department to facilitate a centralized management approach towards purchasing. However, the department has not provided evidence that it employs a centralized software management approach that is coordinated and integrated with key personnel for the majority of the agency's software licenses spending and/or enterprise-wide licenses. We will continue to monitor the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it had taken a number of steps to aggregate software licensing, and at that time had no plans to centralize software licensing. In March 2017, the department reported that it's Office of the Chief Information Officer's Enterprise Wide Agreement (EWA) program hosts periodic conference calls with key IT representatives across the department's complex and recommend common software for consideration by the EWA program. In addition, the department reported that its Office of Management, Strategic Programs Division holds meetings throughout the department to facilitate a centralized management approach towards purchasing. However, the department has not provided evidence that it employs a centralized software management approach that is coordinated and integrated with key personnel for the majority of the department's software licenses spending and/or enterprise-wide licenses. We will continue to monitor the department's progress in implementing this recommendation
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Energy
    Status: Open

    Comments: In Energy's written comments the agency neither agreed nor disagreed with our recommendation. In March 2017, DOE reported on actions to implement this recommendation. Consistent with the Act's provisions, Energy is working with GSA on providing usage data and support needed for the establishment of government-wide software contracts. The agency noted that it continues to use Continuous Monitoring and Diagnostic tools to inventory and consolidate software usage and eliminate unnecessary maintenance support costs. We have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it has taken a number of steps to aggregate software licensing. In March 2017, Energy stated that it is analyzing agency-wide software data through the CIO's Enterprise Wide Agreement program which hosts periodic conference calls with key IT representatives across Energy. However, Energy has not provided evidence that it is fully analyzing agency-wide software license data to inform investment decisions and identify opportunities to reduce costs. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Energy
    Status: Open

    Comments: In Energy's written comments the agency neither agreed nor disagreed with our recommendation. In March 2017, the department noted that training for employees is managed on an office-by-office basis as part of the Individual Development and Training Needs Assessment Process and those individuals needing such training can be self-identified or identified by their supervisor for training. We will follow up with Energy to obtain documentation on its software license management training.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the CDM implementation will facilitate normalization efforts across DHS by defining common software license and maintenance requirements. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the CDM implementation will provide DHS with an automated capability for IT hardware and software asset discovery; IT asset inventory tracking; software inventory normalization; software license optimization; data sharing capabilities, and thus ensure full compliance with the requirement to maintain a continual agency-wide inventory of software licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the tracking of software assets and inventory will be implemented as CDM is rolled out to each DHS Component. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that CDM tracking of software assets and inventory will be implemented as CDM is rolled out to each DHS Component. The CDM tool will provide DHS with an automated capability for IT hardware and software asset discovery; IT asset inventory tracking; software inventory normalization; software license optimization; data sharing capabilities, and thus ensure full compliance with the requirement to maintain a continual agency-wide inventory of software licenses, including all licenses purchased, deployed, and in use, as well as spending on subscription services. As this data is captured the DHS OCIO, OSDO will analyze the software license data to track cost, usage, benefits to establish spending data that allows to the Department to perform trend analysis. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In written comments to our report, HUD agreed to take executive actions to address our recommendation and noted steps the agency plans to take. In its May 2017 update, HUD stated that the department developed a draft policy that will implement policies and responsibilities for managing software licenses and a software license consolidation plan to enable maintenance and enforcement of the software license management policy. In addition, the department reported that it appointed a software license manager who is the single point of contact for software license management. According to HUD, the targeted completion for implementing this recommendation is the first quarter of 2018. We will follow-up with the Department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In May 2017, HUD reported that its Office of the Chief information Officer (CIO) has achieved full operational capability for the agency's Federal Asset Management Enterprise System (FAMES) and began to populate the FAMES with information on the agency's software assets in January 2017. However, HUD noted that it still needs to implement and test the PRISM interface with the FAMES which the agency expects to be completed by the end of fiscal year 2017. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In written comments to our report, HUD agreed to take executive actions to address our recommendation. In its May 2017 update, HUD reported on actions taken to implement this recommendation including the development of a GAP analysis to support acquisition and deployment of an automated software license management capability. According to HUD, this capability will provide the CIO with the data necessary to identify opportunities to reduce cost, implement IT commodity-consolidated acquisitions and buy licenses in bulk. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In written comments to our report, HUD agreed to take executive actions to address our recommendation and noted steps the agency plans to take. In May 2017, HUD reported that the agency has worked with the Department of Defense (DOD) to offer DOD Enterprise Software Initiative (ESI) sponsored software license management training to staff and continues to work with peer agencies to identify opportunities to access required software management skills and other required training. HUD reported that its target completion for addressing this recommendation is the first quarter of 2018. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior (DOI) agreed with this recommendation. In March 2017, DOI reported that the department has drafted a comprehensive policy that is comprised of the core elements of software management. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Interior
    Status: Open

    Comments: In March 2017, DOI reported that the department is working on a comprehensive management approach for accounting for and managing IT Software Assets, and that this approach includes roles and responsibilities. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior (DOI) concurred with our recommendation. In March 2017, DOI reported that the department was working on a comprehensive management approach for accounting for and managing IT Software Assets. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior concurred with our recommendation. In March 2017, DOI reported that the department was working on a comprehensive management approach for accounting for and managing IT Software Assets. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior concurred with our recommendation. In March 2017, DOI reported that the department is working on a comprehensive management approach for accounting for and managing IT Software Assets. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior partially concurred with our recommendation to provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. In March 2017, DOI reported that the department DOI does and will continue to provide software license management training to agency personnel on contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management as appropriate. We will follow-up with the department to obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Justice
    Status: Open

    Comments: In its June 2015 statement of actions to address our recommendations, the Department of Justice reported that it was pursuing a number of initiatives focused on improving Software License management. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Justice
    Status: Open

    Comments: The Department reported in June 2015 that it has taken initial steps to address our recommendations. For example, it reported using technology tools to pull software data being used within the infrastructure and to identify what software is not being used. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Justice
    Status: Open

    Comments: The Department in June 2015 reported that it has initiated steps to establish a comprehensive inventory of software licenses by using automated tools. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Justice
    Status: Open

    Comments: The Department has taken initial steps to regularly track and maintain a comprehensive inventory of software licenses. For example, the Department reported in June 2015, that it is managing a comprehensive inventory for major suppliers and exploring enterprise agreements with key suppliers to ensure compliance. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Justice
    Status: Open

    Comments: The Department reported in June 2015 that it has taken initial steps to analyze agency-wide software license data by providing better governance of software utilization to derive cost savings and by developing Enterprise License Agreements to achieve savings from processes across the components. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Justice
    Status: Open

    Comments: The Department reported in June 2015 that it has taken initial steps to provide training to appropriate agency personnel. For example, in the department's Vendor Management Calls they provide training on processes and the use of tools, including contract terms, negotiations, laws and regulations, acquisition, security planning and configuration management. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, the Department of Labor (DOL) reported that it plans to continue researching for an automated tool to identify, track and maintain the agency's software license inventory. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, the Department of Labor (DOL) reported that it plans to continue researching for an automated tool to identify, track and maintain the agency's software license inventory. We will continue to monitor its progress in implementing this recommendation
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, the Department of Labor (DOL) reported that it was planning to assemble a cross-functional team before the end of fiscal year 2017 to evaluate solutions and tools for automated software management and to identify opportunities for enterprise-wide software agreements. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2016, the Department of Labor reported that it now has one individual certified in software management and intends to provide training to additional staff over the next year. In June 2017, Labor reported on progress in implementing this recommendation. Specifically, Labor noted that it has two additional personnel with configuration management and software library certifications to help ensure effective management of software licenses. We will continue to monitor its progress in providing appropriate agency personnel with sufficient training on managing software licenses.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation. In July 2017, the department reported that its existing department policy identifies a single office within the department for managing the enterprise software licensing agreements. However, the department did not provide evidence that it addressed the weaknesses identified in our report including policies establishing a comprehensive inventory, analyses of software license data, training on management of software licenses, goals and objectives, and consideration of the software license life-cycle phases. We will follow-up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation. In July 2017, the department reported that existing policy identifies roles and responsibilities for key stakeholders in the acquisition of software including the CIO and systems owners. However, the department did not provided evidence that it addressed the weaknesses identified in our report including employing a centralized management approach to the software licenses that had been managed on a bureau by bureau basis. We will follow-up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it currently has insight into procurement information as well as a broad range of software inventory information available via the department's current network monitoring toolset and purchasing system. In addition, the department stated that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) initiative spearheaded by the Department of Homeland Security. According to the department, the CDM is expected to provide an improved, more consolidated, user-friendly, and actionable view into software license data on its network. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it currently has insight into procurement information as well as a broad range of software inventory information available via the department's current network monitoring toolset and purchasing system. In addition, the department stated that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) which is expected to become the department's automated tool to track its software inventory. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it currently conducts software licenses analysis on a contract-by-contract basis, with a focus on the highest-dollar contracts. In addition, the department stated that the implementation of Continuous Diagnostics and Mitigation (CDM) automated tool is expected to provide a baseline of inventory, usage, and trending data that combined with our acquisition insight will permit decision makers to identify opportunities for future centralized, enterprise agreements. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it has provided software license management training to the agency's Information Resource Management and acquisition personnel and that the agency plans to provide more relevant software license training in the future. We will follow-up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, DOT stated that it has developed a policy addressing components of centralized management and management of software licenses through the entire life cycle. In addition, DOT updated its policy to address regularly tracking licenses using automated tools, analyzing license data to inform investment decision making, providing license management training to personnel, and establishing goals and objectives of the program. However, while DOT's Order 1351.21 states that each Enterprise License Agreement will be accompanied by a licensed management portal to provide department-wide transparency on how many licenses are available and when licenses need to be renewed, the policy did not include details on procedures for establishing a comprehensive inventory by identifying and collecting information about software license agreements using automated discovery and inventory tools. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, DOT reported that the Federal Information Technology Acquisition Reform Act (FITARA) guidance requires the department to maintain a continual agency-wide inventory of software licenses. However, DOT did not provide evidence that it had established a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses. We will follow-up with the department to obtain evidence of the implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, the Department of Transportation (DOT) noted that it was following guidance under the Federal Information Technology Acquisition Reform Act (FITARA). However, DOT did not provide evidence that it is regularly tracing and maintaining a comprehensive inventory of software licenses. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, the Department of Transportation (DOT) noted that it was following guidance under the Federal Information Technology Acquisition Reform Act (FITARA). However, DOT did not provide evidence that it analyzes agency-wide software license data to identify opportunities to reduce cost and inform decisions. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, the Department of Transportation (DOT) reported that its Office of the Chief Information Officer (OCIO) is piloting the Staff Training Education and Professional Development Program (STEP) for all OCIO employees. The courses cover areas such as contracting and negotiations, laws and regulations and security training. However, DOT reported that the training is not specific to software licensing, although elements of software management are covered in full through the offerings within the STEP program. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow-up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow-up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow-up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow-up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. Treasury also stated that these tools, policies and procedures will allow the department to study usage and better inform future procurement needs to minimize cost and duplication. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow-up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veteran Affairs (VA) agreed with our recommendation. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation and reported that it made progress in providing software asset management (SAM) training to all personnel responsible for overseeing software enterprise license agreement (ELA) management. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, Environment Protection Agency (EPA) reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses, an analysis to inform decision making, education and training goals and overall management throughout the lifecycle. In addition, EPA stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as its Office of Acquisition Management's consolidation of its Microsoft suite. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environment Protection Agency (EPA) reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses. In addition, EPA stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as leveraging its Office of Acquisition Management's consolidation of enterprise licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, EPA reported that it is currently leveraging its Continuous Diagnostics and Mitigation program for a comprehensive software license inventory. EPA also reported that this comprehensive inventory will be provided via an automated dashboard. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environment Protection Agency (EPA) reported that it is currently leveraging its Continuous Diagnostics and Mitigation program for an automated tool that will establish a comprehensive software license inventory. EPA We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environment Protection Agency reported that it is currently leveraging its Continuous Diagnostics and Mitigation program for a comprehensive software license inventory. that will be available by the second quarter of fiscal year 2017. EPA also stated that it has consolidated six of the agency's eight major software license contracts. In addition, EPA reported that it is currently conducting an analysis of licenses and maintenance with regards to category management to determine the current spend environment and visibility within the agency to develop strategies for addressing each platform. We will follow up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environment Protection Agency (EPA) reported that it is working to develop a robust training curriculum that addresses all software license requirements including but not limited to negotiations, laws and regulations, and contract terms and conditions department wide. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the National Aeronautics and Space Administration should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has taken steps to implement our recommendation. In July 2017, NASA reported that the agency currently owns an enterprise software license management tool for the Office of the Chief Engineer and that the Office of the Chief Information Office will be coordinating with stakeholders to pursue expanding the use of this system NASA-wide. NASA anticipates completing this effort by the end of the fiscal year 2017.
    Recommendation: To ensure the effective management of software licenses, the Adminitrator of the National Aeronautics and Space Administration should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has taken steps to implement our recommendation. In July 2017, NASA reported that the agency currently owns an enterprise software license management tool for the Office of the Chief Engineer and that the Office of the Chief Information Office will be coordinating with stakeholders to pursue expanding the use of this system NASA-wide. NASA anticipates completing this effort by the end of the fiscal year 2017. We will continue to monitor NASA's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported on actions taken to implement this recommendation. For example, the agency reported that in July 2015 NSF issued a new acquisition policy that provides the Chief Information Officer central oversight authority for IT acquisitions including software agreements. However, the guidance does not specify policies on managing software licenses for regularly tracking and maintaining software licenses to assist the agency in implementing decisions throughout the software license management life cycle, analyzing software usage and other data to make cost-effective decisions and providing training relevant to software license management. We will continue to monitor the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported that it continues to regularly track and maintain a comprehensive inventory of software licenses. For example, NSF reported that in 2015 the agency implemented an automated tool to capture, track and report on software licenses. In addition, NSF reported that it is implementing a Continuous Diagnostic and Mitigation (CDM) capabilities to further consolidate and centralize management of the agency's software asset inventory in an automated way. However, NSF did not provide documentation showing that it regularly tracks and maintains its inventory using automated tools and metrics. We will follow-up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported on its progress in analyzing agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making. However, NSF did not provide documentation demonstrating that it analyzed agency-wide software license data to inform investment decisions and identify opportunities to reduce costs. We will follow-up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NFS reported that the agency is committed to providing software license training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. However, NFS did not provide documentation showing that this training include aspects of sufficient software license management training such as contract terms and conditions or negotiations. We will follow-up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission (NRC) has taken steps to implement this recommendation. For example, in March 2017, NRC reported that the agency's Software Manager is in the process of developing the NRC Software Management Centralization Plan to meet NRC's business needs and to ensure compliance with applicable Federal mandates and guidelines, including those from the Office of Management and Budget, the Federal Information Technology Acquisition Reform Act, the Federal Information Security Management Act, and from the National Institute of Standards and Technology. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) stated that a manual effort is underway to gather and verify data associated with the software on the list to complete a comprehensive inventory of software licenses. NRC also reported that it has developed requirements for an information technology asset management tool to support the establishment of a comprehensive inventory of software licenses using automated tools. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) stated that a manual effort is underway to gather and verify data associated with the software on the list to complete a comprehensive inventory of software licenses. NRC also reported that it has developed requirements for an information technology asset management tool to support the establishment of a comprehensive inventory of software licenses using automated tools. Upon deployment of an automated tool, NRC reported that it will be able to regularly track and maintain a comprehensive inventory of all software licenses. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) reported that the agency will analyze agency-wide software license data after it deploys an automated tool. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) reported that the agency plans to provide software license management training to all key personnel. NRC also reported that its software training is currently being developed by the Office of Management and Budget, the Federal Acquisition Institute and the Defense Acquisition University. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015, reported that it had developed a guide to capture enterprise architecture (EA) lifecycle activities including software licensing management, acquisition, and requirements during several points of the project lifecycle. We contacted the agency and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015 reported that it is finalizing a revised Life Cycle Management draft policy which will use stage gate reviews to evaluate the progress of projects including software licenses throughout the agency. According to OPM, once the new policy is approved, OPM subject matter experts will review project documentation during stage gates reviews to make written recommendations on whether projects should continue. OPM's Investment Review Board will then review that recommendation and other procurement documentation to make a final recommendation to the OPM Director. We contacted the agency and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. OPM also reported that it is assembling and performing quality reviews on hardware and software lists currently maintained in spreadsheets, in its EA Systems database, and Remedy database in order to consolidate the entire hardware and software asset inventory. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In written comments to our report, OPM concurred with our recommendations and noted actions the agency plans to take. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In written comments to our report, OPM concurred with our recommendations and noted actions the agency plans to take. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Director: Robert Goldenkoff
    Phone: (202) 512-2757

    4 open recommendations
    including 2 priority recommendations
    Recommendation: To create a more effective human capital system that is more responsive to managing priorities and future workforce needs, the Director of OPM, in conjunction with the CHCO Council, should strengthen OPM's coordination and leadership of government-wide human capital issues to ensure government-wide initiatives are coordinated, decision makers have all relevant information, and there is greater continuity in the human capital community for key reforms. Such actions could include: (1) developing a government-wide human capital strategic plan that, among other things, would establish strategic priorities, time frames, responsibilities, and metrics to better align the efforts of members of the federal human capital community with government-wide human capital goals and issues; and (2) coordinating communication on government-wide human capital issues with other members of the human capital community so that there is greater consistency, transparency, and completeness in exchanging and using information by stakeholders and decision makers.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: In April 2017, OPM issued a final regulation requiring OPM and agencies take significant steps in identifying, prioritizing, and coordinating efforts to address critical human capital issues. The regulation will require OPM to complete the Federal Workforce Priorities Report (FWPR). According to OPM, the FWSPR will serve as tool for all stakeholders and agencies to: (1) be informed about current and emerging workforce challenges, (2) develop strategies to address the impending risks, and (3) monitor progress. The FWSPR will also serve as a tool for the Administration to develop their Human Capital President's Management Agenda, as well as Cross Agency Priority Goals. the regulation also requires agencies to develop a Human Capital Operating Plan, which will reflect the priorities identified in the FWSPR. We believe this final regulation represents an important step forward in addressing the current fragmentation of the federal human capital community and will continue to monitor its status.
    Recommendation: To create a more effective human capital system that is more responsive to managing priorities and future workforce needs, the Director of OPM, in conjunction with the CHCO Council, should explore the feasibility of expanded use of enterprise solutions to more efficiently and effectively address shared or government-wide human capital challenges. Such actions could include: (1) seeking cost savings and improved functionality through coordinated government-wide Human Resources Information Technology planning and acquisition, (2) seeking agency input to ensure OPM's workforce planning tools provide effective guidance for agencies, and (3) sharing workforce planning lessons learned and successful models across the government.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: In April 2017, OPM officials said it had developed some enterprise solutions to address shared or government-wide human capital challenges. For example, OPM officials said it created a multi-factor model workforce planning tool to assess the risk of agency-specific mission critical occupations. Officials said this tool is the foundation for any good workforce planning process to better understand which MCOs require the greatest attention. Officials said the model was drafted from input from an intra-agency workgroup, was beta tested with a workforce planning workgroup consisting of the majority of CFO Act agencies and finally approved by the full Chief Human capital Officer's Council. This tool was then used by agencies to identify their agency-specific high risk MCOs. OPM officials said they plan to use this model to develop other tools. We believe this tool represents an important step forward in identifying enterprise tools and will continue to monitor OPM's continued efforts.
    Recommendation: To create a more effective human capital system that is more responsive to managing priorities and future workforce needs, the Director of OPM, in conjunction with the CHCO Council, should review the extent to which new capabilities are needed to promote agile talent management. Such actions could include developing or sharing: (1) tools, resources, and methods to help identify skills gaps and surpluses that can inform agency recruitment, retention, and training needs; and (2) mechanisms for increasing staff mobility within an agency and government-wide to assist agencies in aligning their workforces with evolving needs.

    Agency: Office of Personnel Management
    Status: Open

    Comments: As of October 2016, OPM has been exploring the use of agile talent management approaches. OPM established the pilot project, Gov Connect, that tests how employees can move within and across agencies to work on self-initiated and/or manager-initiated projects. Currently, OPM is working to design Phase II of the effort, which is to develop a model for the government wide implementation of the initiative. Over 10 agencies were involved with Phase I for the single agency pilot process and more contact OPM each day as they learn about Gov Connect. OPM briefed the CHCOC and the President's Management Council (PMC) two years ago about the initiative and since then, Gov Connect has become a part of the President's Management Agenda (PMA). To further the familiarity of Gov Connect, OPM established a Starter Kit, which was designed to communicate a suggested approach for how to implement one or several of the Gov Connect models within a respective agency. The Starter Kit is a reflection of agency lessons learned through their experience with Phase I, and OPM continues to refresh the content as additional information is learned. With regards to skill identification, OPM has begun working to address this through the work with the government wide skills gap initiative. A key aspect of the initiative includes the identification of a root cause. Through this process, it is expected that needed skills will become evident. Subsequently, strategies will be established to address the root cause. In addition, OPM is revising its data collection process. OPM, because of statute and regulation, has the ability to require a set of workforce metrics, such as agency projections. We are currently exploring how to establish the capability to capture information regarding the current workforce. Work will continue through FY 17 until a solution has been identified. In June 2015, OPM reported that its Center for Strategic Workforce Planning (SWP) is developing tools to better visualize results of the CHCO manager satisfaction survey and the CHCO applicant satisfaction survey for distribution to agencies. OPM is also developing a model to assist agencies in selecting mission critical occupations for government-wide skills gap closure based on multiple factors, including separation rates, retention percentages, and applicant to job ratios. SWP is currently co-leading the GovConnect initiative, which explores models for workforce agility that include micro-detailing, cloud-based skill deployment across organizational components, and employee-initiated innovation initiatives. OPM is collaborating with the Chief Learning Officers Council to develop standards for agency use of data to prioritize investment in workforce development. Through these standards, agencies will apply data including skills gap analysis (e.g., retirement projections, competency gaps, etc.) to prioritize needs. We will continue to monitor OPM's efforts.
    Recommendation: To create a more effective human capital system that is more responsive to managing priorities and future workforce needs, the Director of OPM, in conjunction with the CHCO Council, should ensure agencies are getting the guidance and tools that they need by evaluating the communication strategy for and effectiveness of relevant tools, guidance, or leading practices created by OPM or the agencies to address crosscutting human capital management challenges.

    Agency: Office of Personnel Management
    Status: Open

    Comments: As of August 2016, OPM reported that its office of Employee Services is developing for deployment a comprehensive Strategic Human Capital Management (SHCM) needs survey that will be distributed to the CHCO Council. The survey is designed to directly solicit information about relevant tools, guidance and resources from agency human capital professionals that they feel will benefit their SHCM processes. This annual survey and the information OPM gathers from the survey results will assist OPM with developing/providing suggested tools through the HCF. We will continue to monitor OPM's efforts.
    Director: Malenich, J Lawrence
    Phone: (202) 512-3406

    2 open recommendations
    Recommendation: The CFPB should direct the Chief Financial Officer to design and implement control procedures that require coordination between the Office of Procurement and other program offices at the time of capitalization to ensure that property and equipment costs, including costs associated with internal-use software, are properly capitalized or expensed as appropriate.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: Although CFPB took actions to attempt to address this recommendation, as of September 30, 2016, it was still in the process of implementing additional corrective actions. In addition, our fiscal year 2016 audit continued to identify deficiencies over the recording of property, equipment, and software costs. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Recommendation: The CFPB should direct the Chief Financial Officer to strengthen the design and implementation of control procedures to require, as part of the Office of the Chief Financial Officer's quarterly review procedures, review of underlying supporting documents, including tracking schedules, invoices, and obligating documents, to ensure that property and equipment transactions are properly identified and capitalized or expensed as appropriate.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: As of September 30, 2016, we continued to find that the Office of the Chief Financial Officer's review was not always effective in timely detecting and correcting classification errors between costs that should be capitalized and costs that should be expensed. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update, and clearly and explicitly issue incremental development guidance that addresses the following three components: (1) requires projects associated with major IT investments to deliver incremental functionality at least every 12 months, with the exception of the three types of investments identified in this report; (2) specifies how agencies are to define the project functionality that is to be delivered; and (3) requires agencies to define a process for enforcing compliance with incremental functionality delivery, such as the use of TechStat sessions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) agreed with our recommendation to update and issue incremental guidance, but disagreed that the time frame for incremental delivery should be changed to every 12 months. Subsequently, OMB began to take steps to address aspects of our recommendation. Specifically, in June 2014, OMB updated its information technology (IT) budget guidance to, among other things, define project functionality as any changes to an IT system that primarily provides new or improved capability to the end user. Additionally, in June 2015, OMB issued its guidance on how agencies are to implement December 2014 federal IT acquisition reform legislation. As part of that guidance, OMB required CIOs to ensure that all acquisition strategies and acquisition plans that include IT apply adequate incremental development principles. However, as of June 2017, OMB's annually updated IT budget capital planning guidance still requires that projects associated with major IT investments deliver functionality every 6 months, rather than every 12 months, as we recommended. In the absence of our recommended delivery time frame change, OMB is at risk of continuing to require functionality to be delivered in a time frame that we found to be unrealistic for many IT investments based on their current levels of performance. We will continue to evaluate OMB's progress in implementing the recently issued guidance and in considering a change in how often projects are to deliver functionality.
    Recommendation: The Secretaries of Defense, Health and Human Services, Homeland Security, and Transportation should modify, finalize, and implement their agencies' policies governing incremental development to ensure that those policies comply with OMB's guidance, once that guidance is made available.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) has begun to take steps to address this recommendation. Specifically, in January 2015, HHS established a working group on incremental development in order to define a methodology for more rapid development. Further, HHS officials reported in April 2017 that the department was working to finalize its new guidance on incremental development and CIO certification as required by OMB guidance but could not provide a time frame for when the policy would be finalized. Until HHS finalizes and implements its incremental development policy, its information technology expenditures are more likely to produce sub-optimal results. We will continue to evaluate HHS's progress in implementing this recommendation.
    Recommendation: When updating their policies, the Secretaries of Defense, Health and Human Services, Homeland Security, and Transportation should consider the factors identified in this report as enabling and inhibiting incremental development.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) has begun to take steps to address this recommendation. Specifically, in January 2015, HHS established a working group on incremental development in order to define a methodology for incremental development that would address the factors identified in the report. Further, HHS officials reported in April 2017 that the department was working to finalize its new guidance on incremental development and CIO certification as required by OMB guidance but could not provide a time frame for when the policy would be finalized. Until HHS updates and implements its incremental development policy, its information technology expenditures are more likely to produce sub-optimal results. We will continue to evaluate HHS's progress in implementing this recommendation.
    Director: Mak, Marie A
    Phone: (202) 512-2527

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure consistent implementation of NASA's export control program, the NASA Administrator should establish guidance defining the appropriate level and organizational placement of the CEA function.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with the recommendation. To fully implement this recommendation, NASA needs to complete a planned update to its NASA Procedural Requirement (NPR) 2190.1B concerning NASA's export control program to further codify this structure and provide us with the documentation for review.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To improve the reliability of reported cost and schedule variance information for major investments, the Commissioner of IRS should direct the Chief Technology Officer to report cumulative investment and investment segment cost and schedule information in the quarterly reports to Congress, consistent with the Office of Management and Budget (OMB) requirements for measuring progress towards meeting goals.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In its fiscal year 2016 second quarter report to Congress, IRS included cumulative cost and schedule information for one of the five investments highlighted in the report. IRS stated that it was awaiting findings of our report issued in June 2016 to determine the future direction of the quarterly reporting to Congress. We will continue to monitor IRS's quarterly reporting to Congress to determine the extent to which this recommendation has been addressed.
    Recommendation: To improve the reliability of reported cost and schedule variance information for major investments, the Commissioner of IRS should direct the Chief Technology Officer to ensure that projected cost and schedule variances for in-process activities are updated monthly, for the six investments for which we reviewed monthly updates, consistent with OMB and Treasury reporting requirements, by ensuring investment staff have a consistent understanding of the information to be included in monthly reports.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: To address this recommendation, IRS provided training in October 2014, which focused on, among other things, the monthly update of investment performance information. As of July 2016, we are reviewing cost and schedule reporting for the six selected investments to determine the extent to which the training provided has improved the timeliness of cost and schedule performance reporting.
    Recommendation: To improve the reliability of reported cost and schedule variance information for major investments, until a quantitative measure of scope is developed, the Commissioner of IRS should direct the Chief Technology Officer to qualitatively report on how delivered scope compares to what was planned in its quarterly reports to Congress, for the seven investments for which we reviewed scope reporting.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In its fiscal year 2016 second quarter report to Congress, IRS proposed a quantitative measure of scope solution for one investment; specifically, it listed specific scope elements for the Return Review Program investment and identified the elements it had implemented to date. In addition, in our June 2016, report summarizing our review of IRS's major IT investments, we noted that IRS had developed a quantitative measure of scope for two investments, although we noted that the measure could be improved by accounting for the work performed by IRS staff in accordance with best practices (see GAO-16-545). The measure used in the quarterly report to Congress and the one we noted during our recent review are positive steps. We will continue to monitor IRS's actions to address our recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    1 open recommendations
    Recommendation: To better ensure that the Defense Agencies Initiative (DAI) implements effective risk management and information technology (IT) acquisition best practices, the Secretary of Defense should direct the Director of the Defense Logistics Agency to direct the DAI program office to establish a comprehensive risk log that includes all up-to-date risks with evaluations and categorizations that comply with DLA's defined parameters; and associated mitigation plans.

    Agency: Department of Defense
    Status: Open

    Comments: The Defense Logistics Agency established a risk log for DAI that includes risk evaluations and categorizations, and associated mitigation plans. We will continue monitoring the program's implementation of this recommendation to ensure that the agency is periodically reviewing the status of each risk and updating DAI's risk log and mitigation plans, as intended by the recommendation.
    Director: Linda T. Kohn
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To address challenges that affect the ability of providers to electronically exchange health information, the Secretary of Health and Human Services should direct CMS and ONC to develop and prioritize specific actions that HHS will take consistent with the principles in HHS's strategy to advance health information exchange.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of August 28, 2014, HHS provided some information indicating that it had begun the process of developing milestones with time frames for its actions toward advancing exchange, and that it plans to make them publicly available. Because HHS has only just begun the process and has not provided documentation, these actions are in progress and therefore not complete. We will follow up in fiscal year 2015 to gather additional information to determine if the actions fully address the recommendation.
    Recommendation: To address challenges that affect the ability of providers to electronically exchange health information, the Secretary of Health and Human Services should direct CMS and ONC to develop milestones with time frames for the actions to better gauge progress toward advancing exchange, with appropriate adjustments over time.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of August 28, 2014, HHS provided some information indicating that it had begun the process of developing milestones with time frames for its actions toward advancing exchange, and that it plans to make them publicly available. Because HHS has only just begun the process and has not provided documentation, these actions are in progress and therefore not complete. We will follow up in fiscal year 2015 to gather additional information to determine if the actions fully address the recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to establish a means for evaluating progress toward institutionalizing management controls and commit to time lines for activities and next steps.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not yet established a means for evaluating progress toward institutionalizing IT management controls. According to HUD officials, the department expects to evaluate the controls through an update to its IT Management Framework scheduled to be completed during fiscal year 2017.
    Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to define the scope, implementation strategy, and schedule of its overall modernization approach, with related goals and measures for effectively overseeing the effort.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: In August 2016, HUD officials reported that the department was taking actions intended to establish a new, stronger enterprise approach for IT development and operations. As of April 2017, the department reported that it was in phase 2 of a 4-phase application assessment initiative expected to address this recommendation. However, HUD has not yet provided evidence of how the new approach is expected to define the scope, implementation strategy, and schedule for modernizing the department's IT.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    17 open recommendations
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should revise guidance on computer matching to clarify whether front-end verification queries are covered by the Computer Matching Act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should direct agencies to address all key elements when preparing cost-benefit analyses.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should ensure that agencies receive assistance in implementing computer matching programs as envisioned by the act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB performs annual reviews and submits annual reports on the agency's computer matching activities, as required by the act.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Education should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Education
    Status: Open

    Comments: We have not yet received sufficient information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information needed to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Veterans Affairs should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Administrator of Social Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Social Security Administration
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.
    Director: Kohn, Linda T
    Phone: (202) 512-7114

    5 open recommendations
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should direct Centers for Medicare & Medicaid Services (CMS) to establish key requirements for qualified CDRs that focus on improving quality and efficiency. These requirements could include, for example, having CDRs (1) identify key areas of opportunity to improve quality and efficiency for their target populations and collect additional measures designed to address them, (2) collect a core set of measures established by CMS, and (3) demonstrate that their processes for auditing the accuracy and completeness of the data they collect are systematic and rigorous.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As it has since initiation of the qualified CDR program, CMS continues to allow qualified CDRs to choose what quality measures they will track within very broad parameters. While it has developed a PQRS cross-cutting measure set requirement for physicians using other reporting mechanisms, this requirement does not apply to qualified CDRs. CMS officials report that they have addressed data accuracy and completeness by sharing with qualified CDRs issues and discrepancies that have been found in the data submitted so far.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should direct CMS to establish a requirement for qualified CDRs to demonstrate improvement on key measures of quality and efficiency for their target populations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: CMS officials report that they are working to implement this recommendation, but they have not yet put forward any specific proposals to address it.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should direct CMS to establish a process for monitoring compliance with requirements for qualified CDRs that draws on relevant expert judgment. This process should assess CDR performance on each requirement in a way that takes into account the varying circumstances of CDRs and their available opportunities to promote quality and efficiency improvement for their target populations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The limited changes for qualified clinical data registries that CMS outlined in its CY2016 proposed rule in July 2015 do not address this recommendation. CMS officials report that they are working to implement this recommendation, but the approach they describe focuses on assessing changes in the data submitted by qualified CDRs over several years.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should determine and implement actions to reduce barriers to the development of qualified CDRs, such as (1) developing guidance that clarifies Health Insurance Portability and Accountability Act requirements to promote participation in qualified CDRs; (2) working with private sector entities to make relevant multipayer cost data available to qualified CDRs; (3) testing one or more models of shared savings between Medicare and qualified CDRs that achieve reduced Medicare expenditures with improved quality of care, and (4) providing technical assistance to qualified CDRs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The limited changes for qualified clinical data registries that CMS outlined in its CY2016 proposed rule in July 2015 do not address the specific barriers to the development of qualified CDRs that we identified in our report. However, CMS officials report that they have provided technical assistance to qualified CDRs through monthly support calls and an annual kick-off meeting held in spring 2015.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should determine key data elements needed by qualified CDRs--such as those relevant for a required core set of measures--and direct Office of the National Coordinator for Health Information Technology and CMS to include these data elements, if feasible, in the requirements for certification of EHRs under the EHR incentive programs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The limited changes for qualified clinical data registries that CMS outlined in its CY2016 proposed rule in July 2015 do not address this recommendation.
    Director: Powner, David A
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To better ensure that the Dashboard provides meaningful ratings and reliable investment data, the Director of OMB should direct the Federal CIO to make accessible regularly updated portions of the public version of the Dashboard (such as CIO ratings) independent of the annual budget process.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: Although the Federal CIO did not agree or disagree with our recommendation, OMB has taken initial steps to implement it. Specifically, OMB recently updated the Dashboard with a number of changes, and OMB officials stated in 2015 that they intended for the Dashboard to be able to show updates throughout the year. That said, OMB has yet to implement this recommendation. Specifically, OMB did not publish updates to the public version of the Dashboard during the fiscal year 2018 budget formulation process, starting at the end of August 2016. We will continue to monitor the Dashboard to determine if portions of the public version of the Dashboard (such as CIO ratings) are available throughout the year. Maintaining the availability of these data is important for increasing the utility of the Dashboard as a tool for greater IT investment oversight and transparency.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Commerce should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce disagreed with this recommendation. In written correspondence, the Department noted that, although it is no longer reporting three of the 10 investments reviewed for this engagement on the IT Dashboard, it is maintaining oversight through monthly Dashboard-like assessments. As of July 28, 2016, the Department stated that it did not have plans to re-categorize these three particular investments as IT and report the data on the IT Dashboard. We continue to believe that this recommendation has merit and will monitor the Department's efforts to maintain oversight for these investments.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Energy should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Energy
    Status: Open

    Comments: While the Department of Energy had agreed with this recommendation, in subsequent written correspondence, it explained that five of the eight investments noted by GAO as being IT were no longer being reported in the IT Portfolio on the Dashboard. Instead, the Department was reporting these data to OMB via an alternative reporting mechanism specific to high performance computing. In addition, the Department noted that the remaining three investments were deconsolidated or downgraded into non-major investments, or eliminated by funding and, as such, these investments will not be included on the Dashboard. However, we continue to believe that this recommendation has merit and that the remaining investments are more properly classified as IT. We will continue to monitor the Department's efforts to maintain oversight for these investments.
    Director: Mackin, Michele
    Phone: (202) 512-4841

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To help mitigate confusion about the use of reverse auctions in federal acquisitions, the Director of the Office of Management and Budget should take steps to amend the FAR to address agencies' use of reverse auctions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: In providing comments on this report, OMB generally concurred with this recommendation but, as of July 2017, had not yet publicly released a draft of any related proposed FAR rule(s). In July 2017, OMB staff stated that a FAR team had drafted proposed regulatory changes to address the use of reverse auctions in response to GAO's recommendation. OMB staff said that the draft changes were undergoing review and they expected they would be published for public comment before the end of the calendar year.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Cha, Carol R
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: To improve planning and execution of the next telecommunications transition, the Administrator of General Services, in coordination with the Office of Personnel Management, should examine potential government-wide telecommunications expertise shortfalls and use the study to shape the NS2020 strategic approach.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) has not addressed this recommendation. In June 2014, the agency reported that it had coordinated with OPM to incorporate key objectives in its NS2020 strategy to address and mitigate challenges with regards to government-wide expertise needed to execute the NS2020 program. However, as of May 2017, GSA had not demonstrated that it had studied potential government-wide telecommunications expertise shortfalls or used the study to shape the NS2020 strategic approach.
    Recommendation: To improve planning and execution of the next telecommunications transition, the Administrator of General Services should ensure that the lessons are applied, based on priority and available resources, to the next transition strategy.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration has not implemented this recommendation but has taken steps to address it. In April 2014, the agency developed a strategy for transitioning to the next telecommunications contract vehicle. The strategy described the lessons learned that contributed to the delay in the prior transition and identified approaches the agency planned to take to apply the lessons learned. For example, it identified high level plans for addressing the need for improved management of the complex acquisition process and the need for technical and contracting telecommunications expertise across the government. As of August 2016, GSA had prioritized the lessons learned and considered the resources needed to apply them. However, as of May 2017, the agency had not demonstrated that it had ensured that the lessons were applied, based on priority and available resources, to the next transition strategy. We will continue to monitor GSA's efforts to implement the recommendation.
    Director: Powner, David A
    Phone: (202)512-9286

    48 open recommendations
    including 1 priority recommendation
    Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to disclose the limitations of any data reported (or disclose the parameters and assumptions of these data) on the agencies' consolidation efforts and associated savings and cost avoidance.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In its comments on GAO's November 2013 report, OMB disagreed with this recommended action, stating that it had disclosed limitations on data reported and cited three instances of these efforts. However, GAO maintained that, while OMB reported limitations of data regarding commodity information technology (IT) consolidation efforts in these cases, the information reported did not provide stakeholders and the public with a complete understanding of the data presented. For example, OMB did not disclose that information from the Departments of Defense (DOD) and Justice was not included in the consolidation estimates reported, which, considering the scope of DOD's efforts in this area (at least $3.2 billion), was a major gap. As of March 2017, OMB still had not addressed this recommendation. During that month, the agency told GAO that improving the quality of the data agencies submit through the integrated data collections (which include data on agencies' consolidation efforts and associated savings and cost avoidance) is a priority and that Office of the Federal Chief Information Officer staff follow up with agencies when they detect anomalies in the data reported. OMB, however, did not address actions to disclose the limitations of data reported or disclose the parameters and assumptions of these data. Such disclosure would provide the public and other stakeholders with crucial information needed to understand the status of PortfolioStat and agency progress in meeting the goals of the initiative.
    Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to require that agencies report on efforts to address action plan items as part of future PortfolioStat reporting.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB's June 2015 memorandum on the management and oversight of federal information technology (M-15-14) established quarterly PortfolioStat sessions between OMB and agency Chief Information Officers. This represented a change from the previously required annual action item memos. In November 2016, OMB stated that it informally tracks action items resulting from PortfolioStat but no formal documentation is kept. We will continue to follow up on how OMB ensures that agencies report on efforts to address action items as part of future PortfolioStat reporting.
    Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to improve transparency of and accountability for PortfolioStat by publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In October 2015, OMB started displaying actual data consolidation savings data on the federal information technology (IT) dashboard, consistent with provisions of the IT reform legislation commonly referred to as the Federal Information Technology Acquisition Reform Act. However, in November 2016, and again in March 2017, OMB stated that it does not track planned cost savings and cost avoidance figures and did not provide any plans to do so. Improving the transparency and accountability for PortfolioStat by publicly disclosing both planned and actual data consolidation efforts and related cost savings by agency would provide stakeholders, including Congress and the public, a means to monitor agencies' progress and hold them accountable for reducing duplication and achieving cost savings.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Agriculture should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture (USDA) provided information on its efforts to ensure the quality of its commodity IT baseline data. Specifically, USDA reported having (1) developed a central repository for agencies and staff offices to populate commodity IT data and (2) provided training on the use of the repository, and (3)established an addtional level of oversight to monitor data quality. We are reviewing supporting documentation obtained from the department to determine whether the recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Agriculture should direct the CIO to fully describe the following PortfolioStat Action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for wasteful, low-value, or duplicative investments.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture provided information on the elements identified in the recommendation. We are reviewing additional supporting documentation obtained from the department to determine whether the recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, as the department finalizes and matures its valuation methodology, the Secretary of Agriculture should direct the CIO to utilize this process to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture stated that its Chief Information Officer will formalize and implement a value-based measurement model to help determine which IT investments should be included in the USDA IT portfolio. We are reviewing supporting documentation obtained from the department to determine whether this recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Agriculture should direct the CIO to develop support for the estimated savings for fiscal years 2013 through 2015 for the Cellular Phone Contract Consolidation, IT Infrastructure Consolidation/Enterprise Data Center Consolidation, and Geospatial Consolidation initiatives.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture stated that its CIO has developed supporting documentation for the cost savings/avoidance associated with the efforts identified in the recommendation. We are reviewing supporting documentation obtained from the department to determine whether this recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

    Agency: Department of Commerce
    Status: Open

    Comments: In its January 2014 statement of actions to address our recommendations, the Department of Commerce stated that the majority of its IT investments were made at the operating unit level and it was therefore planning on issuing policy to require consistency between the operating units' enterprise architecture and the totality of IT investments as reflected in the annual capital asset plan and business case summary submission. The department noted it would also require that consistency between the department's enterprise architecture and the IT investment portfolio is confirmed before submission of either of these artifacts. We are following up with the department to determine the status of these planned actions.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of Commerce
    Status: Open

    Comments: In its January 2014 statement of actions to address our recommendations, the Department of Commerce stated it had submitted two iterations of its commodity IT baseline to OMB since we made our recommendation. The department noted the PortfolioStat process and requirement to submit the baseline through the integrated data collection tool helped ensure the baseline was complete. We plan to follow up with Commerce officials.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of Defense
    Status: Open

    Comments: In its December 2013 statement of actions to address our recommendations, the Department of Defense stated that it had efforts underway, including an initiative known as the Joint Information Environment, to further refine the Department's commodity IT baseline. As of August 2016, we found that the department's DOD IT Portfolio Repository included business and enterprise IT systems--two of three commodity IT areas defined by OMB--as part of an ongoing engagement. We are following up with the department to find out about actions to develop an inventory of assets associated with IT infrastructure--the third category of commodity IT defined by OMB.
    Recommendation: To improve the department's implementation of PortfolioStat, in the future reporting to OMB, the Secretary of Defense should direct the CIO to fully describe the following PortfolioStat action plan element: consolidate commodity IT spending under the agency CIO.

    Agency: Department of Defense
    Status: Open

    Comments: As of December 2013, the department did not concur with this recommendation stating that the commodity IT construct implemented in the PortfolioStat initiative did not work well within the department's federated processes. The department agreed, however, that a strategy, consistent with the intent of achieving better buying power and control of commodity IT items, should be developed and implemented within the department using existing authorities, and noted that it was in the process of implementing such a strategy. In August 2016, we followed up with the department to obtain an update on the status of this strategy and determine the associated reporting to OMB. As of the end of October, we were still waiting for a response.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to obtain support from the relevant component agencies for the estimated savings for fiscal years 2013 to 2015 for the data center consolidation, enterprise software purchasing, and General Fund Enterprise Business System initiatives.

    Agency: Department of Defense
    Status: Open

    Comments: In its statement of actions to address our recommendations, the Department of Defense stated that it already reports data center consolidation savings to both OMB and Congress and will continue to realize savings from the Enterprise Software Initiative, other strategic sourcing efforts, and the continuing implementation of General Fund Enterprise Business System initiatives. As of August 2016, we had collected support for data center consolidation as part of our ongoing data center consolidation work, and were waiting to receive support for the Enterprise Software Initiative savings for fiscal years 2013 to 2015 through recommendation follow-up for a prior software licensing review (GAO-14-413). We are following up with the department to obtain support for savings for the General Fund Enterprise Business System.
    Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, in future reporting to OMB, the Secretary of Defense should direct the Secretary of the Army to the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

    Agency: Department of Defense
    Status: Open

    Comments: In its statement of actions to address our recommendations, the Department of Defense stated that the U.S. Army Corps of Engineers would fully describe the four action plan elements identified in this recommendation in future OMB reporting. We are following up with the department to determine the status of these efforts and obtain the associated supporting documentation.
    Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, the Secretary of Defense should direct the Secretary of the Army to report on the agency's progress in consolidating eCPIC to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of Defense
    Status: Open

    Comments: In October 2016, the Department of Defense provided a report stating it had completed the consolidation of eCPIC to a shared service in August 2014. We are following up with the department to obtain supporting documentation.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Energy should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Department of Energy
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Energy stated that it will update its policy orders as necessary to implement the OMB policy for consolidating commodity IT under the Chief Information Officer and include a description in future OMB reporting. The department also noted that it will work to establish additional value criteria to idenitfy low-value or duplicative federal commodity IT investments, and these criteria will be described in future OMB reporting. We are reviewing the department's reporting to OMB to determine the extent to which this recommendation has been addressed.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to develop a complete commodity IT baseline.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In August 2014, the Environmental Protection Agency reported that it uses OMB's quarterly integrated data collection submission process to continually update the information in its baseline. We are following up with the agency to determine whether it has any process to ensure the completeness of the information that is submitted.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Environmental Protection Agency should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; and (3) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In August 2014, the Environmental Protection Agency stated that, in its August 2014 PortfolioStat update, it had reported to OMB on the status of actions to consolidate commodity IT spending under the agency CIO and to establish targets for commodity IT spending reductions. The agency also stated that it was working to develop criteria for identifying wasteful, low-value, and duplicative investments. We are reviewing the August 2014 PortfolioStat update to verify the agency's claims. We plan to also follow up on efforts to develop the aforementioned criteria and any associated reporting to OMB.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to report on the agency's progress in consolidating the managed print services and strategic sourcing of end user computing to shared services as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Environmental Protection Agency stated that it expected its print services to take on additional devices and locations beginning in April 2014 and that a contract vehicle for the purchasing and leasing of end user computing equipment was expected to be awarded by the end of the month. We are reviewing the agency's quarterly reporting to OMB to determine whether progress on the two initiatives was reported to OMB as we recommended.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of the Interior should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of the Interior
    Status: Open

    Comments: In August 2014, the Department reported that it was planning to undertake a series of activities spanning a 15-month timeframe to create a complete commodity IT baseline, including embarking upon a statistical analysis and cost projection initiative that is intended to identify the degree of confidence in the commodity IT baseline, and develop mechanisms that will enable validation and verification in the future. We will follow up with the department on the results of its activities.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of the Interior should direct the CIO to fully describe the following PortfolioStat action plan element: establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Department of the Interior
    Status: Open

    Comments: In its January 2014 comments on our report, the Department of the Interior stated that it was undertaking a business-driven approach that will involve working wtih its governance boards to establish criteria for identifying wasteful, low-value, or duplicative investments. The department stated it would establish the criteria by December 2014. However, the department did not address whether it would be reporting its plans to OMB, which was the focus of our recomnendation. We will follow up with officials on this.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of the Interior should direct the CIO to report on the department's progress in consolidating the Electronic Forms System component of the eMail Enterprise Records & Document Management System deployment 8 to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of the Interior
    Status: Open

    Comments: In its January 2014 comments on our report, the Department of the Interior provided information on the status of its efforts to consolidate the Enterprise Forms System to a shared service and established a December 2014 target date for completion. In addition, the department stated that it would report on the status of the initiative quarterly until completion. We will follow up with the department to monitor its progress in completing the initiative and reporting on it to OMB.
    Recommendation: To improve the department's implementation of PortfolioStat, the Attorney General should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

    Agency: Department of Justice
    Status: Open

    Comments: In its December 2013 response to this recommendation, the Department of Justice stated that it had updated its enterprise architecture to include 100 percent of the information technology investments. However, it did not provide evidence of this action.We will follow up with the department to obtain supporting documentation.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Attorney General should direct the CIO to fully describe the following PortfolioStat action plan element: establish targets for commodity IT spending reductions and deadlines for meeting those targets.

    Agency: Department of Justice
    Status: Open

    Comments: In its December 2013 response to this recommendation, the Department of Justice (DOJ) stated that its Email and Collaboration Working Group established consolidation targets, and began Phase One of its email consolidation effort. In addition, DOJ provided information on the status of its efforts to establish additional targets. We are reviewing the information provided, as well as DOJ's reporting to OMB, to determine the extent to which this recommendation has been addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Labor should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets.

    Agency: Department of Labor
    Status: Open

    Comments: In its December 2013 response to this recommendation, the Department of Labor stated that the Chief Information Officer participates in discussions to identify and eliminate duplication and facilitate the use of commodity IT and shared services through the IT governance committees. We are reviewing documentation we recently obtained from the department to determine the current status of action to address this recommendation.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Labor should direct the CIO to report on the department's progress in consolidating the cloud e-mail services to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor completed the consolidation of DOL agency e-mail systems into a shared cloud-based e-mail service in September 2014. In July 2015, the department provided evidence of a status report on the Office of Management and Budget IT dashboard showing completion of the initiative.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the National Aeronautics and Space Administration should direct the CIO to reflect 100 percent of information technology investments in the agency's enterprise architecture.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: in July 2015, NASA reported that it had initiated an effort referred to as Business Service Assessment (BSA) for IT to establish a more efficient IT operating model that maintains a minimum set of capabilities and meets current and future mission needs. The agency stated that one objective of the BSA is to guide technical, services, and investment decisions, create enterprise architecture and enterprise services methodologies for each IT domain that feeds into the overarching enterprise architecture for the full IT portfolio. In March 2016, the agency reported that final recommendations regarding the BSA were expected to be submitted to the Agency Mission Support Council at the end of the month. We are following up with NASA on the status of this recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the National Aeronautics and Space Administration should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In May 2015, NASA reported that OMB published new action items that resulted in a shift in tracking of the previous action items identified in our recommendation. In July 2015, the agency provided evidence of a July 2015 report updating OMB of the status of these items.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Archivist of the United States should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

    Agency: National Archives and Records Administration
    Status: Open

    Comments: In its February 2014 statement of actions to address our recommendations, the National Archives and Records Administration reported that the four action plan elements identified in the recommendation had been included in the latest information resources management strategic plan submitted to OMB. We will review the plan to confirm whether the elements were included.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the National Science Foundation should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: National Science Foundation
    Status: Open

    Comments: The National Science Foundation (NSF) reported that while OMB had not requested that the agency provide updates to the 2012 PortfolioStat action plan, NSF had provided different, OMB-requested documentation in support of annual PortfolioStat activities. We plan to follow up with the agency to determine the extent to which the documentation provided to OMB addresses our recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to develop a complete commodity IT baseline.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In August 2014, the Office of Personnel Management stated that it would be generating a policy requiring the baselines to be updated quarterly and established a target of May 2015 for fully implementing this recommendation. In March 2015, the agency stated that it was continuing to make progress toward the completion of its commodity IT baseline.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the Office of Personnel Management should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) move at least two commodity IT areas to shared services and (2) target duplicative systems or contracts that support common business functions for consolidation.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In August 2014, the Office of Personnel Management stated that the initial program office responses to our recommendation represented the vision of the former Chief Information Officer (CIO). The agency stated that the new CIO's strategic plan would address duplicative systems and contracts as part of the CIO re-organization project that was underway, with the intent of bringing the different job functions under one group in order to utilize resources and common business functions more effectively. The agency established May 2015 as a target for fully implementing the recommendation. However, we have not yet received evidence of this action. We plan to follow up on the status of actions taken.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to report on the agency's progress in consolidating the help desk consolidation and IT asset inventory to shared services as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In August 2014, the Office of Personal Management (OPM) stated that a project initiated under the former Chief Information Officer's guidance deals specifically with help desk consolidation. OPM also stated it had leveraged the Remedy tool to integrate the IT asset inventory function as part of the help desk and that many of the IT asset inventory functions were now automated as part of this effort. The agency established May 2015 as a target for fully implementing the recommendation. We plan to follow up with OPM to find out about the status of actions taken to address this recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Small Business Administration should direct the CIO to develop a complete commodity IT baseline.

    Agency: Small Business Administration
    Status: Open
    Priority recommendation

    Comments: In a recent GAO review examining whether agencies have complete inventories of business and enterprise IT systems (which represent 2 of the 3 categories of assets called for in the commodity IT baseline), SBA provided an inventory which it acknowledged did not include all systems or represent all offices. (Note: the review was summarized in GAO-16-511 issued in September 2016.) The agency noted that it was working with its offices to complete the inventory and hoped to finalize it and establish processes for updating the inventory, including possibly automating its data gathering abilities. In May 2017, SBA provided an update on the status of actions to address the recommendation. We are currently reviewing the documentation provided to determine whether SBA has fully addressed the recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Small Business Administration should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; (3) target duplicative systems or contracts that support common business functions for consolidation; and (4) establish a process to identify those potential investments and a schedule for eliminating them from the portfolio.

    Agency: Small Business Administration
    Status: Open

    Comments: In June 2015, SBA stated it believed the action items would be addressed as part of its actions to implement the provisions of the Federal Information Technology Acquisition Reform Act. We reviewed the agency's December 2015 plan for implementing the law and an April 2016 update but did not find evidence of actions to address the items in the recommendation. In May 2017, SBA provided an update on the status of actions to address the recommendation. We are currently reviewing the documentation provided to determine whether SBA has fully addressed the recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Commissioner of the Social Security Administration should direct the CIO to develop a complete commodity IT baseline.

    Agency: Social Security Administration
    Status: Open

    Comments: In September 2014, the Social Security Administration (SSA) reported that the instruction set for its Special Expense Item process through which all non-labor IT dollars go now includes the definition of commodity IT baseline, and the requirement to identify all commodity IT baseline funds requested. SSA also stated it will report the commodity IT baseline results for fiscal year 2015 in its November integrated data collection report. We are reviewing the instruction set for the Special Expense Item process and SSA's November integrated data collection report to verify SSA's reported actions.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Commissioner of the Social Security Administration should direct the CIO to report on the agency's progress in consolidating the geospatial architecture to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Social Security Administration
    Status: Open

    Comments: In August 2015, the Social Security Administration (SSA) reported that it had migrated its geospatial architecture to a shared service in September 2014 and was complying with OMB reporting requi