Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Public and private partnerships"

    9 publications with a total of 34 open recommendations
    Director: Thomas Melito
    Phone: (202) 512-9601

    3 open recommendations
    Recommendation: The Assistant Secretary of State for Educational and Cultural Affairs should work with other U.S. federal entities participating in the CHCC to develop goals for the CHCC and its working groups. (Recommendation 1)

    Agency: Department of State
    Status: Open

    Comments: In its written comments on our report, State concurred with this recommendation. State noted its agreement with the need for outcomes and accountability and stated that the Cultural Heritage Coordinating Committee (CHCC) working groups aim to draft mission statements and objectives.
    Recommendation: The Assistant Secretary of State for Educational and Cultural Affairs should work with other U.S. federal entities participating in the CHCC to clarify participants' roles and responsibilities in the CHCC and its working groups. (Recommendation 2)

    Agency: Department of State
    Status: Open

    Comments: In its written comments on our report, State concurred with this recommendation. State noted that following the adoption of the Cultural Heritage Coordinating Committee (CHCC) working groups' mission statements and objectives, State foresees clarifying roles and responsibilities of CHCC participants.
    Recommendation: The Assistant Secretary of State for Educational and Cultural Affairs should work with other U.S. federal entities participating in the CHCC to document agreement about how the CHCC and its working groups will collaborate, such as their goals and participants' roles and responsibilities. (Recommendation 3)

    Agency: Department of State
    Status: Open

    Comments: In its written comments on our report, State concurred with this recommendation. State noted that once participants reach accord on the goals of the Cultural Heritage Coordinating Committee (CHCC) and its working groups, State could foresee documenting such goals through memoranda of understanding.
    Director: John Neumann
    Phone: (202) 512-3841

    1 open recommendations
    Recommendation: To enhance interagency collaboration in the Manufacturing USA program, the Secretary of Commerce should direct the Director of the National Institute of Standards and Technology to work with all non-sponsoring agencies whose missions contribute to or are affected by advanced manufacturing to revise the Manufacturing USA governance system to ensure the roles and responsibilities for how these agencies could contribute to the Manufacturing USA program are fully identified.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce responded to the recommendation with three actions. (1) Labor, DHS, and HHS were invited to participate in the Manufacturing USA program resulting in Labor, Biomedical Advanced Research and Development Authority, and FDA agreeing to participate and naming representatives to the Manufacturing USA Interagency Working Team.(2) Labor was invited to present at and participate in the Spring 2017 Manufacturing USA Network meeting resulting in Labor participating in the meeting, presenting its apprenticeship programs, and continuing participation in the Manufacturing Education and Workforce Development team regular meetings. (3) The Manufacturing USA Interagency Working Team has begun discussions on expanding the Manufacturing USA network governance document to include activities, roles, and responsibilities of non-institute sponsoring agencies. Final program policy decisions will be made once the new Administration's agency leadership is in place. Completion is expected by Fall 2017.
    Director: Andrew Sherrill
    Phone: (202) 512-7215

    1 open recommendations
    Recommendation: To enhance the ability of the Executive Office of the President to implement the Revitalize American Manufacturing and Innovation Act of 2014 requirements related to reporting on advanced manufacturing, the Director of the Office of Science and Technology Policy, working through the National Science and Technology Council and agency leadership, as appropriate, should identify the information they will collect from federal agencies to determine the extent to which the objectives outlined in the National Strategic Plan for Advanced Manufacturing are being achieved.

    Agency: Executive Office of the President: Office of Science and Technology Policy
    Status: Open

    Comments: OSTP did not state whether it agreed or disagreed with this recommendation. They provided some comments on the draft recommendation. For example, OSTP commented that the recommendation could focus on the extent to which the objectives of the Advanced Manufacturing Partnership (AMP) recommendations are being achieved in periodic updates to the implementation of the National Strategic Plan for Advanced Manufacturing. However, these recommendations were not covered in the scope of our report: we focused on reporting on the progress in achieving the objectives of the strategic plan.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: To ensure that C-TPAT program managers are provided consistent data from the C-TPAT field offices on security validations, the Commissioner of U.S. Customs and Border Protection should develop standardized guidance for the C-TPAT field offices to use in tracking and reporting information on the number of required and completed security validations.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: On April 28, 2017, CBP officials provided documentation--a common worksheet, instructions, and related standard operating procedures for C-TPAT field offices to use in tracking and reporting information to headquarters staff on security validations required and completed. We reviewed the information and interviewed C-TPAT officials in two field offices and C-TPAT's Plans and Operations Branch, which is responsible for overseeing these efforts, about the new procedures. In early August 2017, we asked for additional evidence that C-TPAT is ensuring one standard approach across its field offices for capturing and reporting security validations required and completed. The BBP liaison informed us that C-TPAT officials are to provide the additional evidence by the end of September 2017.
    Recommendation: To ensure the availability of complete and accurate data for managing the C-TPAT program and establishing and maintaining reliable indicators on the extent to which C-TPAT members receive benefits, the Commissioner of U.S. Customs and Border Protection should determine the specific problems that have led to questionable data contained in the Dashboard and develop an action plan, with milestones and completion dates, for correcting the data so that the C-TPAT program can produce accurate and reliable data for measuring C-TPAT member benefits.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: On July 28, 2017, CBP provided us with documentation, to include: a schedule of completed and planned activities related to refining data reporting system requirements, testing of preliminary results from new data runs, developing a reporting system for tracking security examination rates, and a copy of the results of a preliminary data run identifying shipment examination rates by mode of transportation and C-TPAT member Tier level. CBP staff informed us that the steps being taken to address this recommendation are to continue through the end of the 2017. In the interim, we are reviewing the documents CBP provided to determine what, if any, additional information we may need to assess progress in addressing this recommendation.
    Director: Chris P. Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that SCO uses its time and resources to pursue the most efficient and effective screening and credentialing harmonization goals on behalf of the department, the Secretary of Homeland Security should direct the Deputy Assistant Secretary for Screening Coordination, Office of Policy, to establish goals and objectives to support its broader strategic framework for harmonization.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is currently conducting an analysis of all mission functions to include the following goals: simplify the descriptions of NCCIC's mission functions, document all NCCIC functional capabilities, document the applicability of implementing principles to NCCIC mission functions, and map as appropriate. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that they were still in the process completing mission functional analysis described in DHS's response to Recommendation 1, which would serve as the basis of developing metrics. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is updating existing policies and procedures for program management reviews (PMR) to include the metrics developed in recommendation two. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the NCCIC updated guidelines for incident reporting would be completed in May 2017. In addition, according to DHS, incident management system requirements were updated to support the new guidelines and are scheduled to be implemented in June 2017. DHS stated that these steps will enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which the NCCIC Watch Operations uses to help facilitate the timely, actionable, and relevant dissemination of information to leadership. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. As of August 2017, DHS has not provided evidence that the new guidelines have been implemented. However, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC had completed initial mapping of information flows, as well as the roles and responsibilities for the incident management function. A plan to integrate or consolidate disparate incident reporting systems is scheduled to be completed in December 2017. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NPPD is gathering the requirements for a customer relationship management (CRM) tool that will support regular reviews and updates to customer information. Additionally, DHS stated that NCCIC will establish and implement a standing operating procedure for capturing and regularly updating prioritized customer information including contact information in the event of an incident. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Office of Cybersecurity and Communications is establishing integrated customer engagement activities that support cyber risk mitigation and incident response planning. In addition, NCCIC will develop standing operating procedures that leverage existing information sharing programs, activities and relationships to tailor engagements that support owners and operators of the most critical cyber-dependent infrastructure assets including designated lifeline sectors. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Assistant Secretary of Office of Cybersecurity and Communications (CS&C) had consolidated the Enterprise Architecture role within the Office of the Chief Technology Officer (CTO). Working across CS&C, the CTO will establish a technology roadmap, to include consolidation of networks. In addition, NCCIC is working to determine the potential impact of network consolidation on mission functions, including mapping current data sources. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the potential reduction in sharing cybersecurity products that may result from migrating the NCCIC Portal to HSIN should be minimal. Contingency information sharing plans will be developed to mitigate potential issues through alternate information sharing practices, particularly involving an actual incident during migration transition. Foreign partnerships will continued to be maintained by exercises, analytic exchanges with our closest partners, and continued participation in multilateral and bilateral engagements. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Director: Brian J. Lepore
    Phone: (202) 512-4523

    3 open recommendations
    Recommendation: In order to help ensure that DOD and the military departments are providing timely and consistent information on privately financed construction projects to Congress under DOD Instruction 7700.18, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness--in collaboration with any other relevant DOD stakeholders--to identify the categories of privately financed construction projects, including gifts of major construction, that should be reported through the process outlined in DOD Instruction 7700.18; revise DOD Instruction 7700.18 and any other related policies, as appropriate, to clarify which project types are to be included in and excluded from this reporting process; and require that the military departments update their relevant policies to incorporate the revised policy.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation, and stated that it will make clarifications in the next revision of DOD Instruction 7700.18 to clarify the types of privately financed major construction projects that should be reported through the process outlined in the instruction. In October 2017 an official from the Office of the Deputy Assistant Secretary of Defense (Military Community and Family Policy) said that DOD has continued to make progress drafting the policy revision, but there is no estimated date for completion yet.
    Recommendation: In order to ensure that Congress receives all desired information on all gifts of major construction in a timely manner, the Secretary of Defense--in collaboration with any other relevant DOD stakeholders--should identify the lead organization(s) within DOD that will be responsible for developing DOD-wide policy for reporting gifts of major construction that are not reported through the process outlined in DOD Instruction 7700.18, as appropriate.

    Agency: Department of Defense
    Status: Open

    Comments: DOD did not concur with this recommendation, stating that there is already an official, the Under Secretary of Defense for Acquisition, Technology, and Logistics, responsible for developing policies related to gifts of real property, including major construction. However, DOD has not assigned responsibility for developing DOD-wide policy on reporting gifts of major construction not covered by the process outlined in DOD Instruction 7700.18, as we recommended. As of February 2017, the department had not taken action to address this recommendation.
    Recommendation: In order to ensure that Congress receives all desired information on all gifts of major construction in a timely manner, the Secretary of Defense--in collaboration with any other relevant DOD stakeholders--should establish DOD-wide policy, as appropriate, on congressional notification of gifts of major construction to cover all such gifts that are not to be reported to Congress through the process outlined in DOD Instruction 7700.18, and require that the military departments update their gift acceptance policies--and any other relevant policies--to incorporate procedures to support DOD's notification requirements.

    Agency: Department of Defense
    Status: Open

    Comments: DOD did not concur with this recommendation, stating that Congress has provided a statutory framework for the department to accept gifts, including gifts of construction, without stipulating any reporting requirements. As of February 2017, DOD had not taken any action to implement this recommendation.
    Director: John Neumann
    Phone: (202) 512-3841

    6 open recommendations
    Recommendation: To fulfill the role assigned to it under the 1980 Act, the Secretary of Commerce should engage with industry stakeholders and continually identify and assess critical materials needs across a broad range of industrial sectors.

    Agency: Department of Commerce
    Status: Open

    Comments: In December 2016, Commerce provided information on its implementation of the recommendation from GAO-16-699. Commerce stated that it had developed an action plan consisting of the following steps: (1)consulting with relevant offices and agencies, including: OSTP, DOD, the U.S. Geological Survey, DOE, the U.S. International Trade Commission, the Bureau of Industry and Security, the National Institute of Standards and Technology, and the National Oceanic and Atmospheric Administration; (2) determining criteria to be used when it is necessary to collect information to identify and assess critical materials needs; (3) determining appropriate steps, which might include: (a) developing a summary of information that federal agencies currently collect on the domestic and international supply of critical raw materials; (b)soliciting input from a broad range of industries through a Federal Register notice; (c)assessing aggregate information, as allowable under law, that is submitted through the Miscellaneous Tariff Bill process over the course of Q1-2 of fiscal year 2017; and (d)consulting with federal advisory groups for advice; (4) determining the audience for collected information and methodology for information dissemination; (5) determining the process for identifying further information collection needs and methodology for disseminating collected information; and (6) determining the timeline and responsibilities for information collection and distribution. In an April 2017 update, Commerce stated that it had identified points of contacts in 7 of the 8 agencies listed in its action plan and is in the process of contacting them for input. Commerce stated that it hoped to identify an appropriate contact in the 8th agency in the near future. Commerce stated that it had also drafted questions to ask the agencies in order to implement the action plan. Commerce did not provide a timeframe for when it expected to complete implementation of the action plan.
    Recommendation: To enhance the ability of the Executive Office of the President to coordinate federal agencies to carry out the national materials policy outlined in the 1980 Act, and to strengthen the federal approach to addressing critical materials supply issues through enhanced interagency collaboration, the Director of the Office of Science and Technology Policy, working with the National Science and Technology Council's Subcommittee on Critical and Strategic Mineral Supply Chains and agency leadership, as appropriate, should agree on and clearly define the roles and responsibilities of member agencies and take steps to actively engage all relevant federal agencies in the Subcommittee's efforts.

    Agency: Executive Office of the President: Office of Science and Technology Policy
    Status: Open

    Comments: In February 2017, OSTP provided information on its efforts to implement recommendations from GAO-16-699. OSTP stated that an increasing number of agencies participate in Subcommittee discussions and activities, with the last several meetings having had strong engagement from agencies that had not previously been involved, including the Department of Homeland Security and the U.S. Department of Agriculture's Forest Service. OSTP indicated that when the Subcommittee's charter is considered for renewal in spring 2017, it will reach out to all federal agencies with relevant responsibilities to discuss their roles in the Subcommittee's efforts and encourage them to name a lead representative and regularly participate. However, OSTP did not provide information about any plans to more clearly define the roles and responsibilities of the Subcommittee's member agencies. OSTP stated that it prefers flexibility, as this facilitates cooperation on topics of mutual interest and better accommodates changing circumstances and areas of focus.
    Recommendation: To enhance the ability of the Executive Office of the President to coordinate federal agencies to carry out the national materials policy outlined in the 1980 Act, and to strengthen the federal approach to addressing critical materials supply issues through enhanced interagency collaboration, the Director of the Office of Science and Technology Policy, working with the National Science and Technology Council's Subcommittee on Critical and Strategic Mineral Supply Chains and agency leadership, as appropriate, should develop joint strategies that articulate common outcomes and identify contributing agencies' efforts.

    Agency: Executive Office of the President: Office of Science and Technology Policy
    Status: Open

    Comments: In February 2017, OSTP provided information on its efforts to implement recommendations from GAO-16-699. However, the information OSTP provided did not include any details related to developing joint strategies that articulate common outcomes and identifying contributing agencies' efforts.
    Recommendation: To enhance the ability of the Executive Office of the President to coordinate federal agencies to carry out the national materials policy outlined in the 1980 Act, and to strengthen the federal approach to addressing critical materials supply issues through enhanced interagency collaboration, the Director of the Office of Science and Technology Policy, working with the National Science and Technology Council's Subcommittee on Critical and Strategic Mineral Supply Chains and agency leadership, as appropriate, should develop a mechanism to monitor, evaluate, and periodically report on the progress of member agencies' efforts.

    Agency: Executive Office of the President: Office of Science and Technology Policy
    Status: Open

    Comments: In February 2017, OSTP provided information on its efforts to implement recommendations from GAO-16-699. However, the information OSTP provided did not include any details related to developing a mechanism to monitor, evaluate, and periodically report on the progress of member agencies' efforts.
    Recommendation: To enhance the ability of the Executive Office of the President to coordinate federal agencies to carry out the national materials policy outlined in the 1980 Act, and to broaden future applications of the early warning screening methodology, the Subcommittee should take the steps necessary to include potentially critical materials beyond minerals, such as developing a plan or strategy for prioritizing additional materials for which actions are needed to address data limitations.

    Agency: Executive Office of the President: Office of Science and Technology Policy
    Status: Open

    Comments: In February 2017, OSTP provided information on its efforts to implement recommendations from GAO-16-699. OSTP stated that current efforts to update the early warning screening methodology have refined, and in some cases augmented, the materials being screened based on available, regularly collected data. The Subcommittee will continue to consider incorporation of additional materials. OSTP further stated that, with respect to data availability limitations, the report's suggestion that the Subcommittee "better work with member agencies to address existing data limitations" is sometimes not actionable because private entities and foreign governments may be unwilling or unable to provide (or even collect) such data. OSTP stated that the Subcommittee will, however, continue to explore approaches to improve data availability and granularity, such as through proposals for revisions to the Harmonized Tariff Schedule or to the North American Industry Classification System or other such systems.
    Recommendation: To enhance the ability of the Executive Office of the President to coordinate federal agencies to carry out the national materials policy outlined in the 1980 Act, and to enhance the federal government's ability to facilitate domestic production of critical materials, the Subcommittee should examine approaches other countries or regions are taking to see if there are any lessons learned that can be applied to the United States.

    Agency: Executive Office of the President: Office of Science and Technology Policy
    Status: Open

    Comments: In February 2017, OSTP provided information on its efforts to implement recommendations from GAO-16-699. OSTP stated that it concurs with the recommendation that the Subcommittee should examine approaches other countries or regions are taking to see if there are any lessons learned that can be applied to the United States. OSTP stated that the Subcommittee is sharing and discussing information on production in other regions, including a U.S.-led project (and other projects with U.S. involvement or support) under the Mining Task Force of the Asia-Pacific Economic Cooperation. OSTP stated that in the future, the Subcommittee expects to review experiences in other countries/regions to glean lessons learned. OSTP did not provide a time frame in reach it would review experiences in other countries/regions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow-up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

    Agency: Department of the Treasury
    Status: Open

    Comments: The 2015 sector-specific plan for the financial services sector includes a section on measuring the effectiveness of sector activities; however, the plan does not include specific metrics. The plan refers to working groups and meetings of sector stakeholders as mechanisms to track sector progress. No specific metrics and associated reports of outcomes have been provided to address overcoming the challenges of monitoring the sector's cybersecurity progress. We will continue to monitor financial services sector activities and determine any specific metrics and related reports developed and implemented to track and report on the sector's cybersecurity progress.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether USDA and HHS have developed and implemented mechanisms to measure the outcomes of their sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether HHS has developed and implemented mechanisms to measure the outcomes of its sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Transportation
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The 2015 water and wastewater sector-specific plan includes a segment on measuring the effectiveness of sector activities that describes the overall principles for collecting data and using the National Annual Report data calls as a tool for assessing performance and reporting on progress within the sector. However, the plan does not state specific measures and the agency acknowledged in its response to our report that it does not collect performance metrics on the effectiveness of its cybersecurity programs for the sector. According to agency officials, the development of performance metrics in collaboration with sector partners is underway. We will continue to follow up to identify any specific metrics developed and implemented and resulting outcome-based reports.