Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Risk assessment"

    138 publications with a total of 439 open recommendations including 59 priority recommendations
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To help increase efficiency when defining FMS requirements to be placed on contract, the Secretary of Defense should issue department-wide guidance for the military departments and DOD components to expand the use of requirements checklists to develop more comprehensive letters of request for FMS cases.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Susan Fleming
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To assess and validate the effectiveness of PHMSA's Risk Ranking Index Model (RRIM) in prioritizing pipelines for inspection, the Secretary of Transportation should direct the Administrator of PHMSA to document the decisions and underlying assumptions for the design of RRIM, including what data and information were analyzed as part of determining each component of the model, such as the threat factors, weights, risk tiers, and inspection frequency.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To assess and validate the effectiveness of PHMSA's RRIM in prioritizing pipelines for inspection, the Secretary of Transportation should direct the Administrator of PHMSA to establish and implement a process that uses data to periodically review and assess the effectiveness of the model in prioritizing pipelines for inspection and document the results of these analyses.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kirschbaum, Joseph W
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    7 open recommendations
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to ensure that performance measures linked to program goals are included as part of its updated strategic plan and direct it to develop a timeline for completion of this plan.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security program.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to develop program goals and ensure that performance measures linked to those goals are included as part of the strategic plan for security and develop a timeline for completion of this plan.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to develop a process for documenting risk management decisions.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Director: Kimberly M. Gianopoulos
    Phone: (202) 512-8612

    3 open recommendations
    Recommendation: To strengthen CBP's ability to assess and respond to compliance risks across the FTZ program, the Commissioner of CBP should centrally compile information from FTZ compliance reviews and associated enforcement actions so that standardized data are available for assessing compliance and internal control risks across the FTZ program.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and identified steps it intends to take in response to the recommendation. Specifically, CBP stated that it intends to prepare and disseminate a summary template for compiling FTZ compliance reviews and internal control risks across the FTZ program. When we confirm the steps CBP has taken to address this recommendation, we will provide updated information.
    Recommendation: To strengthen CBP's ability to assess and respond to compliance risks across the FTZ program, the Commissioner of CBP should conduct a risk analysis of the FTZ program using data across FTZs, including an analysis of the likelihood and significance of compliance violations and enforcement actions.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and identified steps it intends to take in response to the recommendation. Specifically, CBP stated that it will conduct a risk analysis across the FTZ program. When we confirm the steps CBP has taken to address this recommendation, we will provide updated information.
    Recommendation: To strengthen CBP's ability to assess and respond to compliance risks across the FTZ program, the Commissioner of CBP should utilize the results of the program-wide risk analysis to respond to identified risks, such as updating risk assessment tools and developing best practices for CBP's FTZ compliance review and risk categorization system.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and identified steps it intends to take in response to the recommendation. Specifically, CBP responded that it will finalize a compliance review handbook that incorporates risk assessment tools and best practices for FTZ compliance reviews and risk categorization. When we confirm the steps CBP has taken to address this recommendation, we will provide updated information.
    Director: Zina Merritt
    Phone: (202) 512-5257

    4 open recommendations
    Recommendation: To enhance the department's transfer of its excess controlled property, and to strengthen LESO program internal controls for the application and enrollment of federal agencies, the Under Secretary of Defense for Acquisition, Technology and Logistics should direct the Director of DLA to review and revise policy or procedures for verifying and approving federal agency applications and enrollment. For example, such steps could include LESO supervisory approval for all federal agency applications; confirmation of the application with designated points of contact at the headquarters of participating federal agencies; or visiting the location of the applying federal law enforcement agency.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance the department's transfer of its excess controlled property, and to help ensure controlled property is picked up by authorized individuals, the Under Secretary of Defense for Acquisition, Technology and Logistics should direct the Director of DLA to ensure compliance that on-site officials responsible for the transfer of items at Disposition Services' sites request and verify valid identification of the individual(s) authorized to pick up allocated property from the LESO program.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance the department's transfer of its excess controlled property, and to help ensure the accurate quantity of approved items is transferred, the Under Secretary of Defense for Acquisition, Technology and Logistics should direct the Director of DLA to issue guidance that requires DLA Disposition Services on-site officials to verify the type and quantity of approved items against the actual items being transferred prior to removal from the sites.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance the department's transfer of its excess controlled property, and to strengthen LESO program internal controls, the Under Secretary of Defense for Acquisition, Technology, and Logistics should direct the Director of DLA to conduct a fraud risk assessment to design and implement a strategy with specific internal control activities to mitigate assessed fraud risks for all stages relating to LESO's transfer of excess controlled property to law enforcement agencies, consistent with leading practices provided in GAO's Fraud Risk Framework.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michael J. Sullivan
    Phone: (202) 512-4841

    4 open recommendations
    Recommendation: To help ensure DOD takes a strategic approach for its prototyping and innovation initiatives and overcomes funding and cultural barriers, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering to develop a high-level DOD-wide strategy, in collaboration with the military services and other appropriate DOD components, to communicate strategic goals and priorities and delineate roles and responsibilities among DOD's prototyping and innovation initiatives.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure DOD takes a strategic approach for its prototyping and innovation initiatives and overcomes funding and cultural barriers, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering to take steps, such as adopting a "strategic buckets" approach, to help ensure adequate investments in innovation that align with DOD-wide strategy.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure DOD takes a strategic approach for its prototyping and innovation initiatives and overcomes funding and cultural barriers, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering to expand the Community of Interest working groups to include budget activity 6.4-funded prototyping and innovation initiatives in their science and technology planning and coordination processes or employ a similar coordination mechanism for budget activity 6.4-funded prototyping and innovation initiatives.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure DOD takes a strategic approach for its prototyping and innovation initiatives and overcomes funding and cultural barriers, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering to review budget activity 6.4 funding requests to help maintain a level of investment for budget activity 6.4-funded prototyping and innovation efforts that is consistent with DOD-wide strategy.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Malenich, J Lawrence
    Phone: (202) 512-3406

    9 open recommendations
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to develop a mechanism that captures all of the key factors to be considered, such as materiality and risk, when designing the evaluation of internal control over financial reporting and collaborate, as appropriate, with the Inspector General to develop a similar mechanism for use by FHFA-OIG.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA is in the process of developing a mechanism that captures key factors, including risk and materiality, when designing the evaluation of internal control over financial reporting. This mechanism will be documented for the FY 2017 evaluation of internal control over financial reporting. FHFA and FHFA OIG are collaborating in these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to coordinate with the Inspector General, as appropriate, when calculating materiality thresholds to reasonably assure that materiality determinations are appropriate for the agency as a whole and rationale is adequately documented.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will coordinate with the FHFA OIG when calculating materiality thresholds to reasonably assure that materiality determinations are appropriate for the Agency as a whole and the rationale is adequately documented.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to coordinate with the Inspector General, as appropriate, to assess and document the aggregate effect of all deficiencies identified at the agency-wide level during the evaluation of internal control over financial reporting.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA will coordinate with the FHFA OIG during the FY 2017 evaluation of internal control over financial reporting to assess and document the aggregate effect of all deficiencies identified at the Agency-wide level.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to (1) summarize in sufficient detail by internal control principle those activities from the program offices that have an effect on internal control over financial reporting to reasonably assure the consideration of all internal control components and related principles; (2) collaborate, as appropriate, with the Inspector General to implement corresponding actions at FHFA-OIG; and (3) document how that information is used to conclude on the internal control components and related principles for financial reporting.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will summarize by internal control principle those activities from the program offices that have an effect on internal control over financial reporting to reasonably assure the consideration of all internal control components and related principles. FHFA will also document how information is used to conclude on the internal control components and related principles for financial reporting activities that are evaluated. FHFA will collaborate with FHFA OIG in these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to enhance the evaluation of internal control over financial reporting by identifying and testing all key control activities, including those related to the preparation of the financial statements.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA will enhance the FY 2017 evaluation of internal control over financial reporting by identifying and testing all key control activities, including those related to the preparation of the financial statements.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to (1) thoroughly document FHFA's review of SSAE No. 16 reports issued for the period under evaluation by reasonably assuring that all applicable control objectives and related control activities are clearly identified and described and the evaluation of user entity controls is adequately explained and (2) collaborate, as appropriate, with the Inspector General to implement corresponding actions at FHFA-OIG.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will thoroughly document FHFA's review of SSAE No. 16 reports issued for the period under evaluation by reasonably assuring that all applicable control objectives and related control activities are clearly identified and described and the evaluation of user entity controls is adequately explained. FHFA will collaborate with the FHFA OIG during these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to (1) clearly define and document an approach that identifies the information systems that are key to financial reporting, the process areas these information systems support, the key control activities for each information system, and how the key control activities are evaluated and (2) collaborate, as appropriate, with the Inspector General to implement corresponding actions at FHFA-OIG.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will clearly define and document an approach that identifies the information systems that are key to financial reporting, the process areas these information systems support, the key control activities for each information system, and how the key control activities are evaluated. FHFA will collaborate with the FHFA OIG in these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to collaborate, as appropriate, with the Inspector General to (1) develop a complete list of the specific provisions of laws and regulations that may have an effect on material amounts and related disclosures in the financial statements that are applicable to FHFA-OIG and (2) prepare documentation that clearly links each applicable provision of law or regulation to the key control activities tested.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA will collaborate with the FHFA OIG to develop a complete list of the specific provisions of laws and regulations that may have an effect on material amounts and related disclosures in the financial statements that are applicable to the FHFA OIG and prepare documentation that clearly links each applicable provision of law or regulation to the key control activities tested.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to design an evaluation process that reasonably assures assignment of independent roles between the implementation and monitoring of control activities that are significant to the evaluation of internal control over financial reporting.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA is designing an evaluation process that reasonably assures assignment of independent roles between implementation and monitoring of control activities that are significant to the evaluation of internal control over financial reporting. To this end, FHFA has hired an independent contractor to aid in the evaluation process for FY 2017, and has involved staff from FHFA's Office of Quality Assurance in the FY 2017 evaluation process to reasonably assure independent roles between monitoring and implementation going forward.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Beryl H. Davis
    Phone: (202) 512-2623

    2 open recommendations
    Recommendation: To help ensure that government-wide compliance under IPERA is consistently determined and reported, the Director of OMB should coordinate with CIGIE to develop and issue guidance, either jointly or independently, to specify what procedures should be conducted as part of the IGs' IPERA compliance determinations.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB had no comments on the report or the recommendation to coordinate with CIGIE to develop guidance. Although this recommendation was not directed to CIGIE, the CIGIE Chairperson stated that CIGIE would coordinate with OMB as needed and provide feedback on any draft OMB guidance.
    Recommendation: To help fulfill USDA's requirements under IPERA and OMB guidance--that agencies submit proposals to Congress when a program reaches 3 or more consecutive years of noncompliance with IPERA criteria--the Secretary of Agriculture should submit a letter to Congress detailing proposals for reauthorization or statutory changes in response to 3 consecutive years of noncompliance as of fiscal year 2015 for its Farm Security and Rural Investment Act Program. To the extent that reauthorization or statutory changes are not considered necessary to bring a program into compliance, the Secretary or designee should state so in the letter.

    Agency: Department of Agriculture
    Status: Open

    Comments: USDA's Acting Deputy Secretary concurred with this recommendation.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: Anne-Marie Fennell
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help determine the extent to which the goals of the Cohesive Strategy are being met, the Secretaries of Agriculture and the Interior should direct the Chief of the Forest Service and the Director of the Office of Wildland Fire, respectively, to work with WFLC to develop measures to assess national progress toward achieving the strategy's goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its April 2017 agency comments and a May 2017 follow-up discussion, the Forest Service generally agreed with our recommendation. In August 2017, the Forest Service stated that it is working with partners to develop a framework for reporting progress toward the goals of the Cohesive Strategy, based on its own and other potential measures. The agency stated that the framework will be shared with the Wildland Fire Leadership Coalition for input and feedback and that initial meetings with partners were to occur in July 2017, with a proposal to be shared with WFLC in early fall 2017. The final framework is planned for spring of 2018.
    Recommendation: To help determine the extent to which the goals of the Cohesive Strategy are being met, the Secretaries of Agriculture and the Interior should direct the Chief of the Forest Service and the Director of the Office of Wildland Fire, respectively, to work with WFLC to develop measures to assess national progress toward achieving the strategy's goals.

    Agency: Department of the Interior
    Status: Open

    Comments: In its April 2017 agency comments, the Department of the Interior stated that it did not concur with our recommendation. In a letter dated August 2, 2017, Interior stated that it nevertheless will work with its federal and nonfederal partners, with input from the Wildland Fire Leadership Council, to propose a framework using existing measures to assess national progress toward achieving the goals of the Cohesive Strategy. Interior expects initial meetings with partners to occur in the summer of 2017 with a proposal to be shared with WFLC by the fall of 2017 and final framework to be completed in the spring of 2018.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: In order to ensure that the Congress is able to make informed resource decisions regarding a viable EM-1 launch readiness date, the NASA Administrator or Acting Administrator should direct the Human Exploration and Operations Mission Directorate to propose a new, more realistic EM-1 date if warranted and report to Congress on the results of its EM-1 schedule analysis.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA agreed with this recommendation and stated that it is reassessing the launch readiness schedule.
    Director: Seto Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to lead a comprehensive fraud risk assessment that is consistent with leading practices, and develop a plan for regularly updating the assessment.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to develop, document, and implement an antifraud strategy that is aligned to its assessed fraud risks.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to work with components responsible for implementing antifraud initiatives to develop outcome-oriented metrics, including baselines and goals, where appropriate for antifraud activities.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to review progress toward meeting goals on a regular basis, and recommend that the NAFC make changes to control activities or take other corrective actions on any initiatives that are not meeting goals.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    5 open recommendations
    Recommendation: To improve RUS's management of the Infrastructure Program, Broadband Program, and Community Connect by more closely following leading practices for broadband loan- and grant-program management, the Secretary of Agriculture should direct RUS to develop and document clear goals and performance measures linked to those goals, for each program.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve RUS's management of the Infrastructure Program, Broadband Program, and Community Connect by more closely following leading practices for broadband loan- and grant-program management, the Secretary of Agriculture should direct RUS to establish and implement procedures to conduct a risk assessment of each program, including an examination of risk at both the programmatic and portfolio level for each program.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve RUS's management of the Infrastructure Program, Broadband Program, and Community Connect by more closely following leading practices for broadband loan- and grant-program management, the Secretary of Agriculture should direct RUS to establish and implement procedures to conduct periodic evaluations of completed grant projects to determine the outcomes associated with these projects, and analyze the information gained to assess if any programmatic changes are needed to improve the Community Connect program.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve RUS's management of the Infrastructure Program, Broadband Program, and Community Connect by more closely following leading practices for broadband loan- and grant-program management, the Secretary of Agriculture should direct RUS to establish a timeline for implementing a centralized internal system for staff to obtain relevant and timely program data for use in managing and monitoring loans and grant awards.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve RUS's management of the Infrastructure Program, Broadband Program, and Community Connect by more closely following leading practices for broadband loan- and grant-program management, the Secretary of Agriculture should direct RUS to develop, update, and maintain complete written policies and procedures for RUS's programs as a way to retain and communicate organizational knowledge internally among agency staff. RUS should determine the critical documentation that should be created or updated, including considering documentation such as loan-application review guidance and employee manuals for each of the three programs.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David C. Trimble
    Phone: (202) 512-3841

    6 open recommendations
    Recommendation: To allow DOE management to effectively monitor invoice reviews and have assurance that this control activity is operating as intended, the Secretary of Energy should establish a DOE-wide invoice review policy that includes requirements for sites to establish well-documented invoice review operating procedures.

    Agency: Department of Energy
    Status: Open

    Comments: DOE stated that it already has an established, detailed DOE-wide invoice review policy provided in DOE's Financial Management Handbook and in the DOE Acquisition Guide, and that they are updating the Financial Management Handbook to include additional procedures to address intra-governmental payment and collection transactions that they believe will allow the recommendation to be closed by September 30, 2017. However, DOE officials with the office of the CFO at DOE headquarters previously told us that they do not have department-wide invoice review policies and procedures, and that CFOs and contracting officials in DOE field offices are responsible to develop their own invoice review policies and procedures. In addition, we reviewed the Financial Management Handbook and the Acquisition Guide and found that these documents do not contain the detail necessary to serve as an invoice review policy. We will continue to review DOE's implementation of this recommendation to determine whether its actions meet the intent of the recommendation.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including creating a structure with a dedicated entity within DOE to design and oversee fraud risk management activities.

    Agency: Department of Energy
    Status: Open

    Comments: DOE considers this recommendation to be closed without corrective action. Instead of establishing a dedicated entity within DOE to design and oversee fraud risk management activities, DOE will rely on the existing Office of Financial Policy and Internal Controls and on the DOE Office of Inspector General (OIG) to design and oversee financial fraud risk management activities. We disagree that reliance on these offices meets best practices because neither office is solely dedicated to designing or overseeing fraud risk management activities. Furthermore, according to the best practices in GAO's Fraud Risk Framework, the dedicated entity should not be the OIG.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including conducting fraud risk assessments that are tailored to each program and use the assessments to develop a fraud risk profile.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the substance of the recommendation; however, it considers the recommendation to be closed without corrective action because its risk assessments meet the requirements of the Improper Payments Elimination and Recovery Improvement Act of 2012, as reported by the Office of Inspector General (OIG), and because it has implemented updates to OMB Circular A-123 that added requirements related to managing fraud risk and adherence to GAO's Fraud Risk Framework. However, we found that DOE has not conducted fraud risk assessments that are tailored to its programs, and its assessments therefore do not allow the department to create a fraud risk profile. We also found that, although DOE updated its internal control assessment tools with a list of fraud risks as required by OMB Circular A-123, the list of risks was the same for all DOE sites and was not tailored to the sites' different programs.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including developing and documenting an antifraud strategy that describes the programs' approaches for addressing the prioritized fraud risks identified during the fraud risk assessment.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with this recommendation but considers the recommendation closed without corrective action because DOE has implemented the updated OMB Circular A-123 and because DOE's anti-fraud strategy is embedded in the DOE internal control program. However, DOE officials told us that they have not developed or documented a DOE-wide antifraud strategy or directed individual programs to develop program-specific strategies. Furthermore, DOE's implementation of OMB Circular A-123 included adding a list of potential risks to their internal control assessment tool that were the same for all DOE sites and were not tailored to the sites' different programs.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including designing and implementing specific control activities, including fraud awareness training and data analytics, to prevent and detect fraud and other improper payments.

    Agency: Department of Energy
    Status: Open

    Comments: DOE believes that they are either implementing or have already implemented this recommendation and considers the recommendation closed without additional action. Specifically, DOE stated that the Office of Inspector General (OIG) already provides fraud awareness training and that the OIG provided expanded fraud risk training on June 12, 2017 through a CFO-hosted webinar. However, of the 10 field offices responsible for overseeing contractor costs, none required employees responsible for overseeing contractor costs to attend fraud awareness training.
    Recommendation: To help ensure that necessary data are available to employ data analytics as a tool to perform contractor cost-surveillance activities, the Secretary of Energy should require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government, including (1) cost data that, at a minimum, represent a full data population and (2) the details necessary to determine the nature of each cost transaction, with such identifiers as transaction date, dollar amount, item or service description, and transaction codes to indicate the type of cost represented (e.g., construction materials, property lease, and office supplies).

    Agency: Department of Energy
    Status: Open

    Comments: DOE did not agree to implement this recommendation because they believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. DOE states that they plan to evaluate the merits of government-wide guidance for applying data-analytics to contract costs only if an OMB working group--established as a requirement of the Fraud Reduction and Data Analytics Act of 2015 to promote interagency coordination on fraud reduction and data analytics--requires them to do so. However, the purpose of the working group is to share fraud management best practices. It is not an implementing body and agencies do not need its permission before proceeding with fraud risk reduction efforts.
    Director: Alicia Puente Cackley
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To help ensure that the government is not exposed to more liability risk than intended, the Secretary of Transportation should ensure that the FAA Administrator prioritizes the development of a plan to address the identified weakness in the cost-of-casualty amount, including setting time frames for action, and update the amount based on current information.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with the recommendation. As of May 2017, the Federal Aviation Administration (FAA) plans to seek feedback from the commercial space and insurance industries to obtain views on an appropriate cost-of-casualty amount and implications of any changes. After receiving this input, FAA will determine whether to modify the cost-of-casualty amount and initiate action. We will continue to monitor FAA's actions in response to this recommendation.
    Director: Frank Rusco
    Phone: (202) 512-3841

    4 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of the Interior should direct the Assistant Secretary for Land and Minerals Management, who oversees BSEE, to establish a mechanism for BSEE management to obtain and incorporate input from bureau personnel and any external parties, such as Argonne, that can affect the bureau's ability to achieve its objectives.

    Agency: Department of the Interior
    Status: Open
    Priority recommendation

    Comments: In its June 9, 2017 response to our report, Interior indicated that BSEE is developing new strategies to improve trust and foster greater collaboration for consideration by the new Director. Interior anticipates BSEE taking action by April 30, 2018.
    Recommendation: The Secretary of the Interior should direct the Assistant Secretary for Land and Minerals Management, who oversees BSEE, to address leadership commitment deficiencies within BSEE, including by implementing internal management initiatives and ongoing strategic initiatives (e.g., Enterprise Risk Management and performance measure initiatives) in a timely manner.

    Agency: Department of the Interior
    Status: Open

    Comments: In its June 9, 2017 response to our report, Interior indicated that BSEE will incorporate lessons learned from its first ERM cycle in future cycles and that BSEE will incorporate a performance management dashboard in fiscal year 2018. Specific completion dates were not provided.
    Recommendation: The Secretary of the Interior should direct the BSEE Director to address trust concerns that exist between headquarters and the field, BSEE should expand the scope of its employee engagement strategy to incorporate the need to communicate quality information throughout the bureau.

    Agency: Department of the Interior
    Status: Open

    Comments: In its June 9, 2017 response to our report, Interior indicated that BSEE's response to this recommendation would be incorporated into its corrective actions for recommendation 1. The target completion date is April 30, 2018.
    Recommendation: The Secretary of the Interior should direct the BSEE Director to increase organizational trust in Integrity and Professional Responsibility Advisor (IPRA) activities, BSEE should assess and amend IPRA guidance to clarify (1) severity threshold criteria for referring allegations of misconduct to the IG and (2) its reporting chain.

    Agency: Department of the Interior
    Status: Open

    Comments: In its June 9, 2017, response to our report, Interior indicated that the BSEE Director will evaluate options for clarifying the roles, responsibilities, and processes for the IPRA. The target date for completion is December 31, 2017.
    Director: Allison Bawden
    Phone: (202) 512-7215

    6 open recommendations
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should ensure that CNCS completes its efforts to benchmark its assessment criteria and scoring process to further develop a risk-based approach to grant monitoring and that information from this effort is used to (a) score the indicators so that the riskiest grants get the highest scores; (b) revise the assessment indicators to meaningfully cover all identifiable risks, including fraud and improper payments; and (c) document decisions on how indicators are selected and weighted.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS stated that it would continue to periodically benchmark its assessment criteria to ensure risk assessment. The agency recognizes the need to move from compliance- to risk-based monitoring and will refine its existing approach as part of reviewing and revising risk criteria and scoring. The agency's risk-based approach will begin with FY18 grant awards. To close this recommendation, CNCS will need to show documentation for how it selected and weighted revised indicators to cover identifiable risks, and how the revised scoring system identifies the riskiest grants.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should establish and implement a policy to ensure that all grants expected to be active in a fiscal year, including those awarded after the annual assessment, are assessed for potential risk.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS agrees with this recommendation and plans to revise its current assessment policy to ensure that all grants are included in the assessment process.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should review monitoring protocols, including the level of information collected for oversight of subrecipients' activities such as criminal history checks, and enhance protocols, as appropriate.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: Although CNCS said that by regulation, grantees are primarily responsible for subgrantee monitoring, the agency acknowledged that more needs to be done to address risk at the sub-recipient level, particularly regarding criminal history check compliance, and noted that it is taking several actions to improve criminal history check compliance. However, the agency's comments did not specifically address reviewing monitoring protocols. We continue to believe that it is important to determine whether monitoring protocols are designed to gather sufficient and appropriate information on subrecipient oversight, to help ensure that grantees are monitoring subgrantees as required.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should establish activities to systematically evaluate grant monitoring results.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS said that its Office of the Chief Risk Officer has been building on the agency's current risk assessment framework and capturing the information and data necessary to enhance its approach to risk-based monitoring. However, CNCS's comments did not specifically address any planned activities to systematically evaluate grant monitoring results. We continue to believe that reviewing the outcomes and findings from its monitoring activities would help the agency analyze how well CNCS's current efforts assess risk, and help guide improvements.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should develop and document a strategic workforce planning process.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS reported that its senior level executive committee reviews all staffing requests and ensures that appropriate staffing justifications are provided, and ensures that all functions in the agency are provided appropriate resources. The agency also noted that, in accordance with direction received from OMB following the release of OMB Memorandum M-17-22 ("Memorandum for Heads of Executive Departments and Agencies"), it is launching an enterprise-wide re-examination of its mission, strategy and structure in order to develop a plan to ensure employee performance is maximized and the agency is operating effectively. To help close this recommendation, CNCS will need to document and develop a strategic workforce planning process that addresses key principles for effective strategic workforce planning, such as to develop strategies tailored to address gaps in number, deployment, and alignment of human capital approaches for enabling and sustaining the contributions of all critical skills and competencies, and to monitor and evaluate progress toward human capital goals and programmatic results.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should, as part of CNCS's efforts to develop an employee development program, update critical competencies for grant monitoring, and establish a training planning process linked with agency goals and these competencies.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS cited its training efforts, such as providing training to grants management staff in FY15 and FY16 related to grants monitoring. The agency is in the process of developing a broader agency-wide employee development program that will link competencies to development needs in various mission-critical roles. To close this recommendation, CNCS will need to determine which competencies are critical for grant monitoring, and show how the competencies are linked with the agency's training planning processes and agency goals.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendation
    Recommendation: To better ensure the effectiveness of CBP's predeparture programs, the Commissioner of U.S. Customs and Border Protection should develop and implement a system of performance measures and baselines to evaluate the effectiveness of CBP's predeparture programs and assess whether the programs are achieving their stated goals.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: U.S. Customs and Border Protection's (CBP) Office of Field Operations (OFO) reported that it established a working group comprised of designated program officials from CBP's Admissibility and Passenger Programs; National Targeting Center; Planning, Program Analysis, and Evaluation; and, Preclearance offices to develop and implement a system of performance measures and baselines to evaluate the effectiveness of CBP's predeparture programs. As of July 2017, CBP reported that the working group had developed three performance measures for its predeparture programs. According to OFO officials, fiscal year 2018 will be the first complete year that each of these measures is calculated using a standardized and repeatable methodology and will thus be used as a baseline year. The baselines developed during fiscal year 2018 will then be used in future assessments of program effectiveness. To fully address this recommendation to develop and implement performance measures and baselines for evaluating its predeparture programs, GAO will review documentation from CBP, when available, on the fiscal year 2018 baselines and CBP's planned evaluation of fiscal year 2019 data against those baselines.
    Director: Allison B. Bawden
    Phone: (202) 512-6806

    3 open recommendations
    Recommendation: To improve transparency in the grant merit-review process, the Secretary of the Department of the Interior should direct the Fish and Wildlife Service to issue written guidance to require all competitive grant programs to clarify in the public notice of funding opportunity all review criteria, including cost sharing factors as relevant, and their related scores to be used to make final award decisions.

    Agency: Department of the Interior
    Status: Open

    Comments: As of August 2017, Interior had updated its notice of funding opportunity template for competitive grant programs to clarify that the review process must ensure that applications are scored and selected based on announced criteria. In addition, competitive grant programs must establish a written merit review plan that details the merit review factors and sub-factors and the rating system and evaluation standards which explain the scoring basis. Furthermore, the Fish and Wildlife Service is developing new guidance to ensure discretionary grant programs include all required elements to be completed in December of 2017.
    Recommendation: To reduce the risk of duplicative and overlapping funding at the grant award level, the Secretary of the Department of the Interior should direct the National Park Service and the Fish and Wildlife Service to issue written guidance that ensures their grant management staff review grant applications for potential duplication and overlap before awarding their competitive grants and cooperative agreements.

    Agency: Department of the Interior
    Status: Open

    Comments: The Fish and Wildlife Service issued guidance to ensure grant applications are reviewed for potential overlap and duplication, as GAO recommended in January 2017, but as of August 2017 the National Park Service had yet to issue such guidance. In August 2017, the Department of Interior (Interior) provided documentation showing that the Fish and Wildlife Service now requires discretionary grant applicants to provide a statement that addresses whether there is any overlap or duplication of proposed projects or activities to be funded by the grant. Fish and Wildlife also updated its guidance to grant awarding offices instructing them to perform a potential overlap and duplication review of all selected applicants prior to award. Interior said the National Park Service had yet to issue guidance on duplication and overlap review, but it would provide the guidance to GAO when it is finalized and implemented. Completing these improvements will help the Fish and Wildlife Service and the National Park Service reduce the risk of unnecessary or inadvertent overlap or duplication in grant funding.
    Recommendation: To reduce the risk of duplicative and overlapping funding at the grant award level, the Secretary of Agriculture should direct the Food and Nutrition Service to issue written guidance that ensures its grant management staff review grant applications for potential duplication and overlap before awarding competitive grants and cooperative agreements.

    Agency: Department of Agriculture
    Status: Open

    Comments: In August 2017, the Department of Agriculture (Agriculture) said the Food and Nutrition Service was developing written guidance that will ensure its grants management staff identify grant programs for potential duplication and overlap with other federal agencies before awarding competitive grants and cooperative agreements, as GAO recommended in January 2017. Agriculture officials said the guidance would be based on input from grants management staff, relevant Food and Nutrition program officials, and reviews of similar guidance already in place at other Agriculture sub-agencies. The Food and Nutrition Service plans to issue this guidance by the end of federal fiscal year 2017 for use beginning in fiscal year 2018. Issuing and implementing this guidance will reduce the risk of unnecessary or inadvertent overlap or duplication in grant funding.
    Director: David Wise
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Administrator of the General Services Administration should determine whether the beneficial owner of high-security space that GSA leases is a foreign entity and, if so, share that information with the tenant agencies so they can adequately assess and mitigate any security risks.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Elizabeth H. Curda
    Phone: (202) 512-7114

    3 open recommendations
    Recommendation: In order to ensure that the agency is adequately protecting the White Oak campus as a designated high-risk facility and strategically planning for the White Oak campus's future, as FDA moves forward with its proposed planning efforts, the Commissioner of FDA, in consultation with the Administrator of GSA, should implement vehicular access control measures on the White Oak campus to meet the requirements of the high-risk facility level designation assigned in the 2014 risk assessment report, or fully document the rationale for any deviations from these requirements.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to ensure that the agency is adequately protecting the White Oak campus as a designated high-risk facility and strategically planning for the White Oak campus's future, as FDA moves forward with its proposed planning efforts, the Commissioner of FDA, in consultation with the Administrator of GSA, should further incorporate leading strategic facilities planning practices into FDA's proposed planning efforts by ensuring that FDA establish strategic linkage between its strategic priorities and its facilities plans.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to ensure that the agency is adequately protecting the White Oak campus as a designated high-risk facility and strategically planning for the White Oak campus's future, as FDA moves forward with its proposed planning efforts, the Commissioner of FDA, in consultation with the Administrator of GSA, should document the key information related to daily operational activities and ongoing benefits and challenges that are needed to inform FDA's proposed planning efforts in the areas of needs assessment, gap identification, and alternatives analysis, and incorporate into proposed planning efforts a detailed strategy for collecting and analyzing this information.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michael J. Sullivan
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To enhance program oversight and provide more robust input to budget deliberations, Congress should consider requiring DOD to report on each major acquisition program's systems engineering status in the department's annual budget request, beginning with the budget requesting funds to start development. The information could be presented on a simple timeline--as done for the case studies in this report--and at a minimum should reflect the status of a program's functional and allocated baselines as contained in the most current version of the program's systems engineering plan.

    Agency: Congress
    Status: Open

    Comments: Congress has not yet taken action on the matter for consideration. GAO will continue to monitor.
    Director: Lawrance L. Evans, Jr.
    Phone: (202) 512-8678

    17 open recommendations
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help provide stronger incentives for companies to perform company-run stress tests in a manner consistent with Federal Reserve goals, the Federal Reserve should remove company-run stress tests from the CCAR quantitative assessment.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose additional information that would allow for a better understanding of the methodology for completing qualitative assessments, such as the role of ratings and rankings and the extent to which they affect final determination decisions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should, for future determinations to object or conditionally not object to a company's capital plan on qualitative grounds, disclose additional information about the reasons for the determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose, on a periodic basis, information on capital planning practices observed during CCAR qualitative assessments, including practices the Federal Reserve considers stronger or leading practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should improve policies for official responses to CCAR companies by establishing procedures for notifying companies about time frames relating to Federal Reserve responses to company inquiries.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by establishing a process to facilitate proactive consideration of levels of severity that may fall outside U.S. postwar historical experience.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by expanding consideration of the trade-offs associated with different degrees of severity.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve understanding of the range of potential crises against which the banking system would be resilient and the outcomes that might result from different scenarios, the Federal Reserve should assess whether a single severe supervisory scenario is sufficient to inform CCAR decisions and promote the resilience of the banking system. Such an assessment could include conducting sensitivity analysis involving multiple severe supervisory scenarios--potentially using CCAR data for a cycle that is already complete, to avoid concerns about tailoring the scenario to achieve a particular outcome.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that Federal Reserve stress tests do not amplify future economic cycles, the Federal Reserve should develop a process to test its proposed severely adverse scenario for procyclicality annually before finalizing and publicly releasing the supervisory scenarios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should apply its model development principles to the combined system of models used in the supervisory stress tests.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should create an appropriate set of system-level model documentation, including an overview of how component models interact and key assumptions made in the design of model interactions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to test and document the sensitivity and uncertainty of the model system's output--the post-stress capital ratios used to make CCAR quantitative assessment determinations--including, at a minimum, the cumulative uncertainty surrounding the capital ratios and their sensitivity to key model parameters, specifications, and assumptions from across the system of models.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to communicate information about the range and sources of uncertainty surrounding the post-stress capital ratio estimates to the Board during CCAR deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process for the Board and senior staff to articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David C. Trimble
    Phone: (202) 512-3841

    4 open recommendations
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should clarify in guidance the conditions under which facilities may carry negative obligation balances.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made.
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should clarify in guidance the conditions under which facilities may carry negative obligation balances.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made.
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should develop an early-warning monitoring capability in NMMSS to alert senior DOE officials when the inventory of unobligated LEU is particularly low.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made to NMMSS.
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should develop an early-warning monitoring capability in NMMSS to alert senior DOE officials when the inventory of unobligated LEU is particularly low.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made.
    Director: Currie, Christopher P
    Phone: (202) 512-8777

    3 open recommendations
    Recommendation: To better assess the impact of the fire grants program, the Secretary of Homeland Security should direct the FEMA Administrator to establish measurable performance targets linked to AFG and SAFER program goals, such as the desired percentage of awardees who used grants to achieve compliance with equipment standards.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to officials, FEMA's Grant Programs Directorate is reviewing the current set of program metrics to determine the feasibility of establishing performance targets. FEMA plans to include approved targets in its annual report to Congress that will be issued for fiscal year 2016; the report was undergoing internal review for approval and release as of November 2016. Pending issuance of the report with measurable performance targets linked to AFG and SAFER program goals, this recommendation will remain open.
    Recommendation: To enhance FEMA's efforts to assess and integrate the fire grant programs' contributions to national preparedness, the Secretary of Homeland Security should direct the FEMA Administrator to use the National Preparedness Goal's definition of critical infrastructure as the basis of collecting information from applicants and using the National Critical Infrastructure Prioritization Program list to measure fire grant programs' performance in addressing national priorities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to officials, FEMA's Grant Programs Directorate plans to incorporate the National Preparedness Goal definition of national critical infrastructure into fire grant performance measures in FEMA's fiscal year 2017 Annual Report to Congress. Specifically, they said FEMA plans to conduct an assessment of data from AFG program application and awards in order to verify recipients are reporting infrastructure that aligns with the National Preparedness Goal definition of critical infrastructure. In addition, FEMA plans to meet as needed with the National Programs and Protection Directorate's Office of Critical Infrastructure Analysis to determine how the Critical Infrastructure Prioritization Program list can be used in the application process. Pending completion of these efforts, this recommendation will remain open.
    Recommendation: To enhance FEMA's efforts to incorporate new National Fire Operations Reporting System (NFORS) and Fire Community Assessment Response Evaluation System (FireCARES) data elements into fire grants program management activities, the Secretary of Homeland Security should direct the FEMA Administrator to develop a project management plan for identifying relevant data elements in the new NFORS and FireCARES systems and determining how they can be used to improve fire grant applications and awards processes and the performance assessment system.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to officials, FEMA's Grant Programs Directorate intends to develop a plan to assess the data collected to determine feasibility for integration of NFORS and FireCARES data into the AFG programs. The plan will incorporate ways to improve the applications, awards processes, and tracking of performance. This plan should be completed by March 2017, and FEMA will continue to collaborate with stakeholders for the improvement of the AFG application, awards processes, and performance management. According to FEMA, the estimated completion of this effort is September 2017.
    Director: James McTigue
    Phone: (202) 512-9110

    5 open recommendations
    Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and communicate Field Collection program and case selection objectives, including the role of fairness, in clear and measurable terms sufficient for use in internal control.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and described actions it will take to address it, to include that the Small Business/Self-Employed Division (SB/SE) will develop fiscal year 2017 program objectives that align with the mission of SB/SE and that the Collection program will develop and document specific Field Collection and case selection activities that will support SB/SE objectives. However, it is not clear how these efforts will be fully responsive to our recommendation to establish Field Collection (not division-level) program and case selection objectives sufficient for use in internal control. IRS said it planned to complete actions on this recommendation by July 2017. We will update the status of IRS's implementation of the recommendation after we complete review of any documents IRS provides on actions taken.
    Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and implement performance measures clearly linked to the Field Collection program and case selection objectives.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and outlined planned actions to address it. However, since it is not clear that IRS's planned actions to implement our first recommendation will result in Field Collection program and case selection objectives sufficient for internal control purposes, IRS's ability to address the related recommendation to establish performance measures may be limited. IRS said it planned to complete actions on this recommendation by August 2017. We will update the status of IRS's implementation of the recommendation after we complete review of any documents IRS provides on actions taken.
    Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should incorporate program and case selection objectives into existing risk management systems or use other approaches to identify and analyze potential risks to achieving those objectives so that Field Collection can establish risk tolerances and appropriate control procedures to address risks.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and outlined planned actions to address it. However, since it is not clear that IRS's planned actions to implement our first recommendation will result in Field Collection program and case selection objectives sufficient for internal control purposes, IRS's ability to address the related recommendation to assess program risks may be limited. IRS said it planned to complete actions on this recommendation by July 2017. We will update the status of IRS's implementation of the recommendation after we complete review of any documents IRS provides on actions taken.
    Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and communicate control procedures guidance for group managers to exercise professional judgment in the Field Collection program case selection process to achieve fairness and other program and collection case selection objectives.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and described actions it will take to address it, to include review of current procedures and guidance and making changes, if necessary. IRS said it planned to complete actions on this recommendation by July 2017. We will update the status of IRS's implementation of the recommendation after we complete review of any documents IRS provides on actions taken.
    Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and implement procedures to periodically monitor and assess the design and operational effectiveness of both automated and manual control procedures for collection case selection to assure their continued effectiveness in achieving program objectives.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and outlined planned actions to address it. However, since it is not clear that IRS's planned actions to implement our first recommendation will result in Field Collection program and case selection objectives sufficient for internal control purposes, IRS's ability to address the related recommendation to monitor control procedures may be limited. IRS said it planned to complete actions on this recommendation by July 2017. We will update the status of implementation of the recommendation after we complete review of documents IRS provides on the actions taken.
    Director: Seto Bagdoyan
    Phone: (202) 512-6722

    1 open recommendation
    Recommendation: To strengthen USCIS's EB-5 Program fraud risk management, the Director of USCIS should develop a fraud risk profile that aligns with leading practices identified in GAO's Fraud Risk Framework.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: In November 2016, Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) stated that the program would implement GAO's recommendation to develop a fraud risk profile and anticipated completion by September 30, 2017. In April 2017, USCIS provided an update including supporting documentation which reported that USCIS had contracted with an outside consultant to, among other things, develop a fraud risk profile that aligns with leading practices identified in GAO's Fraud Risk Framework. According to its response, USCIS expected to complete development of the profile by September 30, 2017.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Neumann, John
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To ensure that DOE's control activities continue to be relevant and effective for managing supply chain risk, the Secretary should direct the Under Secretary for Nuclear Security, as the Administrator of the NNSA, to work with the Office of Intelligence and Counterintelligence and other DOE organizations, as appropriate, to assess the circumstances that might warrant using the enhanced procurement authority, and (1) if this assessment identifies circumstances that might warrant using the authority, the Secretary should direct the Under Secretary for Nuclear Security to work with other DOE organizations, as appropriate, to establish processes for using it and examine whether adequate resources are in place to support those processes, and (2) communicate the results of this assessment to the relevant congressional committees for their use in determining whether to extend the authority past its current termination date.

    Agency: Department of Energy
    Status: Open

    Comments: In an October 7, 2016, letter the Under Secretary for Nuclear Security and Administrator of the National Nuclear Security Administration (NNSA) said he agreed with GAO's recommendation to assess situations that might warrant the use of the enhanced procurement authority and, should specific circumstances be identified for use of the authority, NNSA would develop a process for its use. The assessment would include an examination of resources to support use of the authority. NNSA would work with other Department of Energy organizations as appropriate in conducting the assessment. The results would be shared with relevant congressional committees, as GAO recommended. NNSA had anticipated completion of the assessment by March 2017, but on June 1, 2017, NNSA officials told us they anticipated the completion date would be September 30, 2017.
    Director: Trimble, David C
    Phone: (202) 512-3841

    7 open recommendations
    Recommendation: To ensure that NNSA will acquire sufficient plutonium analysis equipment and space to meet its needs, including pit production to support critical life extension programs, the Secretary should direct that the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, update the program requirements document for the revised CMRR project to identify a key performance parameter that describes the plutonium analysis capacity the CMRR project is required to provide to support specific pit production rates.

    Agency: Department of Energy
    Status: Open

    Comments: As of June 2017, NNSA plans to perform an analysis to identify the plutonium analysis capacity that the CMRR project is required to provide and reference that information in an updated version of the CMRR program requirements document. NNSA estimated that it will complete this action by September 30, 2017. We will evaluate NNSA's action once it is complete.
    Recommendation: To ensure that NNSA will acquire sufficient plutonium analysis equipment and space to meet its needs, including pit production to support critical life extension programs, the Secretary should direct that the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, specify plans for how the agency will obtain additional plutonium analysis capacity if the revised CMRR project will not provide sufficient plutonium analysis capacity to support NNSA's pit production plans.

    Agency: Department of Energy
    Status: Open

    Comments: As of June 2017, NNSA planned to update its Plutonium Strategy to identify additional means, if necessary, to achieve sufficient plutonium analysis capacity to support pit production plans. NNSA estimated that it will complete this action by September 30, 2017. We will evaluate NNSA's action once it is complete.
    Recommendation: To ensure that NNSA will provide clear information to stakeholders about the program needs that the revised CMRR project will satisfy, the Secretary should direct the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, to update the program requirements document for the revised CMRR project to clarify whether the project will provide plutonium analysis equipment to meet the needs of DOE and NNSA programs other than those in the Office of Defense Programs.

    Agency: Department of Energy
    Status: Open

    Comments: As of June 2017, NNSA planned to update the CMRR program requirements document to clarify that the CMRR project will not install any unique analysis equipment required solely for non-defense related programs. NNSA estimated that it would complete this action by December 31, 2017. We will evaluate NNSA's action once it is complete.
    Recommendation: To ensure that NNSA's future schedule estimates for the revised CMRR project provide the agency with reasonable assurance regarding meeting the project's completion dates, the Secretary should direct the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, to develop future schedules for the revised CMRR project that are consistent with current DOE project management policy and scheduling best practices. Specifically, the Under Secretary should develop and maintain an integrated master schedule that includes all project activities under all subprojects prior to approving the project's first CD-2 decision.

    Agency: Department of Energy
    Status: Open

    Comments: As of June 2017, NNSA said it had identified the key milestone dates for the future subprojects including critical decisions and completion. We will update the status of this recommendation after we review the documentation.
    Recommendation: To ensure that NNSA's future schedule estimates for the revised CMRR project provide the agency with reasonable assurance regarding meeting the project's completion dates, the Secretary should direct the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, to develop future schedules for the revised CMRR project that are consistent with current DOE project management policy and scheduling best practices. Specifically, the Under Secretary should conduct a comprehensive schedule risk analysis that applies to the integrated master schedule to identify the likelihood the project can meet its completion dates.

    Agency: Department of Energy
    Status: Open

    Comments: As of June 2017, NNSA said that it had completed risk analyses to satisfy the recommendation. We will update the status of this recommendation after we review the documentation.
    Recommendation: To ensure that NNSA is better positioned to objectively consider alternatives before making its selection of an alternative for the Plutonium Modular Approach, the Secretary should direct the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, before completing the analysis of alternatives, to rephrase the statement of mission need and requirements for the Plutonium Modular Approach so that they are independent of a particular solution.

    Agency: Department of Energy
    Status: Open

    Comments: NNSA did not agree to implement the recommendation as stated in the report. However, NNSA stated that it would conduct the analysis of alternatives independent of a particular solution. NNSA has not estimated a completion date for the final analysis of alternatives. After the analysis is complete, we will review it to determine whether it includes information that meets the intent of our recommendation.
    Recommendation: To ensure that NNSA has information about program-specific needs to inform its analysis of alternatives for the Plutonium Modular Approach and to provide a clearer basis for selecting a project alternative, the Secretary should direct the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, before completing the analysis of alternatives, to identify key performance parameters and program-specific requirements for the Plutonium Modular Approach.

    Agency: Department of Energy
    Status: Open

    Comments: NNSA did not agree to implement the recommendation as written in the report. However, NNSA stated that it would develop key parameters and project requirements as part of the analysis of alternatives. NNSA has not estimated a completion date for the AOA. After the analysis is complete, we will review it to determine whether it includes information that meets the intent of our recommendation.
    Director: Thomas Melito
    Phone: (202) 512-9601

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should update guidance to require non-governmental organizations to conduct risk assessments addressing the risk of fraud.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with our recommendation; however, as of April 2017, it has yet to fully implement this recommendation. In December 2016, the Office of Food for Peace updated its annual program statement to include language requiring organizations to complete an analysis of risks related to fraud, corruption, and mismanagement, with relevant mitigation measures. However, the Office of U.S. Foreign Disaster Assistance (OFDA) has yet to officially update its guidance, although USAID has previously noted that OFDA will require all organizations seeking funding to address fraud risks and submit a detailed mitigation plan in their proposal package. We will continue to update the status of this recommendation as we receive information.
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should use risk assessments submitted by implementing partners to inform USAID oversight activities, for example, using information from assessments to ensure that control activities for programs are designed to mitigate identified risks.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with our recommendation, stating that they plan to tailor their oversight activities to mitigate risks identified in the fraud risk mitigation plans that organizations will submit as part of their funding proposal packages in the future. In addition, USAID noted that it planned to hire a compliance officer by October 2016 to manage fraud mitigation and other compliance issues for OFDA and FFP's Syria and Iraq portfolios. However, as of April 2017, USAID has yet to fill this position. We will continue to track the status of this recommendation.
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should ensure that field monitors in Syria are trained on assessing and identifying potential fraud risks.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with our recommendation, but has yet to implement this recommendation, as of April 2017. USAID has previously stated that it would work to provide the third-party monitoring organization with information specific to the Syria context that identifies methods to detect fraud. USAID also stated that it would work with the third-party monitoring organization to ensure that data collectors are trained on fraud risks and methods for identifying fraud. We will continue to track the status of this recommendation.
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should instruct the third party monitoring organization monitoring Office of U.S. Foreign Disaster Assistance programs in Syria to modify the site visit forms to include specific guidance for documenting incidents of potential fraud.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with this recommendation, stating that it would seek to have site visit forms revised to include indications of fraud, waste, and abuse. However, as of April 2017, USAID has yet to implement the recommendation. We will continue to track the status of this recommendation.
    Recommendation: To ensure that State has a comprehensive understanding of the risks facing its implementing partners providing humanitarian assistance to people inside Syria, the Secretary of State should include in its voluntary contribution agreements with implementing partners a requirement that the partner conduct risk assessments addressing the risk of fraud.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with GAO's recommendation and has taken steps to implement it since our report. For example, in March 2017, State officials informed GAO that it began including this requirement in all of its 2017 voluntary contribution award letters to public international organizations. For one of the three public international organizations under consideration in our report, State provided GAO with an award letter including the updated language. According to Bureau of Population, Refugees, and Migration officials, the Bureau has not yet completed voluntary contributions for the other two public international organizations conducting activities inside Syria. We will continue to track relevant Bureau funding agreements to ensure that future awards to fund activities inside Syria contain similar language on fraud risk assessments.
    Director: Kimberly M. Gianopoulos
    Phone: (202) 512-8612

    3 open recommendations
    Recommendation: To better manage the AD/CV duty liquidation process, CBP should issue guidance directing the Antidumping and Countervailing Duty Centralization Team to (a) collect and analyze data on a regular basis to identify and address the causes of liquidations that occur contrary to the process or outside the 6-month time frame mandated by statute, (b) track progress on reducing such liquidations, and (c) report on any effects these liquidations may have on revenue.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and said it would take steps to implement it. As of July 10, 2017, CBP was waiting for the results of its FY 2017 self-inspection to determine the extent to which it has made progress toward reducing liquidations that occur contrary to the process or outside the 6-month time frame mandated by statute. In addition, CBP was in the process of calculating the revenue effect of entries processed for deemed liquidation during FY 2017. We will continue to monitor CBP's progress towards closing this recommendation.
    Recommendation: To improve risk management in the collection of AD/CV duties and to identify new or changing risks, CBP should regularly conduct a comprehensive risk analysis that assesses both the likelihood and the significance of risk factors related to AD/CV duty collection. For example, CBP could construct statistical models that explore the associations between potential risk factors and both the probability of nonpayment and the size of nonpayment when it occurs.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and said it would take steps to implement it. As of July 10, 2017, CBP had produced a risk analysis model consisting of a regression analysis to determine the probability of non-payment for type 3 AD/CVD entries. CBP plans to begin testing the accuracy of the model through testing of recently occurred transactions. CBP also plans to refine the model. CBP estimates that it will complete the development of the model by September 30, 2017.
    Recommendation: To improve risk management in the collection of AD/CV duties, CBP should, consistent with U.S. law and international obligations, take steps to use its data and risk assessment strategically to mitigate AD/CV duty nonpayment, such as by using predictive risk analysis to identify entries that pose heightened risk and taking appropriate action to mitigate the risk.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and said it would take steps to implement it. As of July 10, 2017, CBP planned to use the model it is in the process of developing to improve risk management in the collection of AD/CVD duties. CBP expects to begin using the risk-based model that it is developing as part of an approach targeting high risk AD/CVD entries by October 31, 2018. Separately, a March 31, 2017 executive order requires CBP to develop a strategy and plan for covered importers that, based on an assessment of risk, pose a risk to the revenue of the United States. As of July 11, 2017, the strategy and plan had not been published.
    Director: Chris Currie
    Phone: (404) 679-1875

    1 open recommendation
    Recommendation: To help ensure that whistleblower retaliation reports are addressed efficiently and effectively, the Secretary of Homeland Security should direct the Under Secretary of DHS's National Protection and Programs Directorate's (NPPD), the Assistant Secretary for Infrastructure Protection, and the Director of the Infrastructure Security Compliance Division (ISCD) to develop a documented process and procedures to address and investigate whistleblower retaliation reports that could include existing practices, such as the Department of Labor's Occupational Safety and Health Administration's recommended practices, in developing the process and procedures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, in September 2016 they initiated development of a standard operating procedure for addressing and investigating whistleblower retaliation complaints. ISCD expects to complete a final version of the standard operating procedure by June 2017. According to ISCD officials, the procedure will consider OSHA's guidance, once available, when developing this set of procedures. We will update the status of this recommendation after additional information is received from DHS.
    Director: Robert Goldenkoff
    Phone: (202) 512-2757

    3 open recommendations
    including 3 priority recommendations
    Recommendation: To help ensure the Bureau produces a reliable cost estimate for the 2020 Census, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to take the following steps to meet the characteristics of a high-quality estimate: (1) Comprehensive--among other practices, ensure the estimate includes all life-cycle costs and documents all cost-influencing assumptions. (2) Well-documented--among other practices, ensure that its planned documentation plan captures the source data used; contains the calculations performed and the estimating methodologies used for each element; and describes step by step how the estimate was developed. (3) Accurate--among other practices, ensure the estimating technique for each cost element is used appropriately and that variances between planned and actual cost are documented, explained, and reviewed. (4) Credible--among other practices, ensure the estimate includes a sensitivity analysis, major cost elements are cross-checked to see whether results are similar, and an independent cost estimate is conducted to determine whether other estimating methods produce similar results.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce agreed with this recommendation. The Bureau should provide a cost estimate more current than the October 2015 estimate and ensure that the estimate is comprehensive, well-documented, accurate, and credible. In doing this the Bureau should consult the GAO's cost assessment guide (GAO-09-3SP) and Standards for Internal Control in the Federal Government (GAO-14-704G). High-quality estimates will: explicitly consider all life-cycle costs and assumptions, offer a clear step-by-step account of the methods and data sources used to compile the estimate, ensure the proper estimation techniques are used, reconcile any variances between actual and estimated costs, and allow cross-checking with independent cost estimates as verification of results. In August 2016, the Bureau laid out its action plan to implement this recommendation. The Bureau planned to develop a Cost Estimation Enhancement Plan that would mature the 2020 Census cost estimate and its associated processes via a series of 3-month sprints. According to the Bureau, the areas targeted for improvement were (1) Documentation, (2) Process, (3) Cost Estimate, and (4) Cost Integration.
    The Bureau's action plan reported the following deliverables: Incorporating the Decennial Census Management Division program work breakdown structure into the 2020 Census Cost Estimate (target completion was Q4 FY 2016); developing a formal basis of estimate document to address the cost elements, process flow, and calculations for the 2020 Census Cost Estimate (Q2 FY 2017); internal communication and training efforts to ensure these changes are widely shared and communicated (Q2 FY 2017); engaging with internal stakeholders to increase the amount of source and derivation documentation for estimates/model parameters currently based on expert judgment (Q4 FY 2016); developing a formal BOE document to address how 2020 Census program risk and uncertainty are dealt with in the 2020 Census Cost Estimate (Q2 FY 2017); and regularly comparing the results of the independent cost estimate conducted by the Office of Cost Estimation, Analysis and Assessment to the 2020 Census Cost Estimate and investigate/reconcile any significant differences (Q3 FY 2017). As of July 2017, we await this and other documentation from the Bureau that may address this recommendation.
    Recommendation: To further ensure the credibility of data used in cost estimation, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to establish clear guidance on when information for cost assumptions can and should be changed as well as the procedures for documenting such changes and traceable sources for information being used.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce agreed with this recommendation. The Bureau should implement processes for controlling and changing cost assumptions. These processes should include methods for evaluating the justification for any changes and documentation requirements that clearly show the information changed and the basis for the change. In August 2016, Bureau officials laid out their action plan to address this recommendation. The action plan described developing a Decennial Census Cost Estimation and Analysis Process and supporting policy to improve the maturity levels in this area and mentioned developing a draft internal communication and training plan for staff--target date is Q2 FY 2017. As of July 2017, we await this and other documentation from the Bureau that may address this recommendation.
    Recommendation: To ensure Bureau and congressional confidence that the Bureau's budgeted contingencies are at appropriate levels, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to improve control over how risk and uncertainty are accounted for and communicated with the Bureau's decennial cost estimation process, such as by implementing and institutionalizing processes or methods for doing so with clear guidance.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce agreed with this recommendation. The Bureau should ensure that its budget for contingencies reflects an accurate accounting of risk and uncertainty. In doing this, the Bureau should improve controls over risk and uncertainty accounting, ensure that risk accounting informs any relevant budgets and cost estimates, and institutionalize these controls by providing clear methods for their use. In August 2016, the Bureau laid out its action plan to implement this recommendation, describing that it would ensure regular review of 2020 Census program risks that would have high cost impacts if they occur and ensure estimates of these impacts are accounted for and documented in each iteration of the life-cycle cost estimates--target date is Q2 FY 2017. As of July 2017, we await documentation from the Bureau that may address this recommendation.
    Director: Mackin, Michele
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: The Secretary of Defense should, before the downselect decision for the frigates, require the program to submit appropriate milestone documentation as identified by OSD, which could include an Independent Cost Estimate, an Acquisition Program Baseline, and a plan to incorporate the frigate into SAR updates.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation, noting that the Navy views the LCS transition to the frigate as an incremental upgrade as opposed to a new acquisition program. DOD also stated that the Navy would be required to provide key documentation related to the seaframe, including an independent cost estimate and an updated acquisition program baseline. In 2017, the Navy decided to pursue a different frigate acquisition strategy, and according to the program office, the frigate is now considered a new, distinct acquisition program and will have milestone decisions and require the applicable milestone documentation and OSD oversight and reporting as the program moves toward an award decision in fiscal year 2020. The program office also noted that the specific milestone documentation that will be required is currently being assessed and the program plans to have a frigate Selected Acquisition Report. Once more details are finalized for the program, the planned actions would meet the intention of our recommendation. We will keep this recommendation open until the program's approach has been better defined.
    Director: David A. Powner
    Phone: (202) 512-9286

    22 open recommendations
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update the CIO's OMB IT Dashboard Standard Operating Procedure to include the evaluation and assessment of active risks. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department agreed with this recommendation and, in a written response, stated that it plans to address this recommendation with the following actions: (1) developing a method to review and assign ratings for active risks that will be incorporated into CIO ratings and (2) integrating the risk rating methodology into a new process for all major investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it is amending its current monthly review process to ensure that risks are factored into its IT Dashboard CIO ratings. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Defense, Education, and Homeland Security; and the Commissioner of the Social Security Administration should direct their CIOs to update their CIO ratings at least as frequently as required in OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) disagreed with this recommendation. In its written response, the Department noted that its semi-annual reporting is consistent with FITARA requirements and is documented in its OMB-approved FITARA Implementation Plan. After the publication of our report in June 2016, OMB issued its "Fiscal Year 2018 IT Budget-Capital Planning Guidance." This guidance removes the mandatory reporting frequency, but states that OMB expects that the CIOs would evaluate and rate their investments at specific times, including when the investment business cases are submitted to OMB in the agency budget request and when the business cases are prepared for the President's Budget release. In light of this new guidance, we analyzed the Department's update frequency for its 34 major investments (as listed on the IT Dashboard in June 2017). From June 2016 through May 2017, we found that 26 of the investments' ratings were updated once: in May 2017. The other 8 investments were not updated during this timeframe. Prior to this, the last DOD rating updates were made in March 2016, over a year beforehand. This analysis shows that DOD is not adhering to either its own semi-annual reporting requirements or to OMB's expectations. As such, we are not closing the recommendation at this time. We will continue to monitor the IT Dashboard for changes to DOD's update frequency. We maintain that frequent rating updates help ensure that the information on the Dashboard is timely and accurately reflects recent changes. Without such updates, the CIO ratings on the IT Dashboard may not reflect the current level of investment risk.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO Enterprise Business Management Office is updating its program assessment guideline. The updated guideline will include risk-based scores as the basis for its investment ratings. The Department expects to release this new guideline by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department agreed with our recommendation and, in a written response, stated that the CIO has revised the IT Dashboard assessment criteria to directly incorporate the degree of risk represented in the investments' Business Case documents. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update its IT Dashboard Standard Operating Procedure to include an active risk sub-criteria comprised of probability and impact scores. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency partially agreed with our recommendation and, in a written response, stated that its CIO rating criteria include a review of the level of risk facing an investment relative to that investment's ability to accomplish its goals. The written statement also notes that the CIO receives regular updates from key stakeholders on investment risks and mitigation plans. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it plans to require investment managers to assess operational risks detailing the probability and impact of pending threats to success. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The agency disagreed with the recommendation and has not provided an update on its actions to address the recommendation. We will continue to monitor the implementation of this recommendation.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    6 open recommendations
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, in addition to considering risk when determining how to divide FAMS's international flight coverage resources among international destinations, the Director of FAMS should incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover.

    Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
    Status: Open

    Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2017, TSA officials reported that FAMS was continuing to identify ways to refine the methodology FAMS uses to allocate resources between international and domestic flights. Specifically, TSA officials noted that FAMS was considering ways to incorporate information on the travel patterns of known or suspected terrorists, trends in TSA PreCheck passenger data, airport screening capabilities, and other factors. FAMS officials also reported that, as part of this effort, they were reviewing their International Concept of Operations. It is unclear how these steps will address the recommendation. To fully address this recommendation, FAMS should incorporate risk into its method for initially setting its annual target numbers of average daily international and domestic flights to cover.
    Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, the Director of FAMS should conduct and document a risk assessment--systematically collecting information on and assigning value to current risks--to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas.

    Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
    Status: Open

    Comments: In May 2016, we reported that FAMS's choice of domestic geographic focus areas and resource allocation levels were based on professional judgment, not risk assessment. With regard to the geographic focus areas, for example, FAMS officials explained that they did not conduct a risk assessment to inform this decision, but rather selected these areas in consultation with 30 subject matter experts from various offices within TSA based on their intuitive, qualitative perceptions of threats, vulnerabilities, potential impacts, history, and the demographics of the areas. Without fully incorporating risk when determining such priorities, FAMS cannot reasonably ensure it is targeting its resources to the highest-risk flights. As a result, we recommended that FAMS conduct and document a risk assessment--systematically collecting information on and assigning value to current risks--to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas. In March 2017, TSA officials explained that they were continuing to develop their "risk-by-flight" initiative--a long-term effort to develop a method of assigning each domestic flight a relative risk score to assist in identifying high-risk flights. At the time of our report in 2016, FAMS officials estimated that the risk-by-flight tool would probably be ready for use within 7 to 10 years. In March 2017, TSA officials stated that they had developed a prototype Risk-Based Resource Deployment Decision Aid, which they refer to as R2D2. TSA officials further reported that the DHS Science and Technology Directorate had contracted for the development of a risk engine--based on the R2D2 data--to assign risk values to all U.S.-carrier domestic and international flights. TSA officials reported that this contract runs through early 2018. 
    To fully address this recommendation, FAMS should conduct and document a risk assessment to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas.
    Director: Steve Morris
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To further enhance FDA's PREDICT tool and its ability to ensure the safety of imported food, the Secretary of Health and Human Services should direct the Commissioner of FDA to document the process for identifying the type of open source data to collect, obtaining such data, and determining how PREDICT is to use the data.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of February 2017, GAO was awaiting action by the agency to implement this recommendation.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    4 open recommendations
    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, conduct an updated risk assessment to identify new or ongoing risks for TPP's online and phone authentication options, including documentation of time frames for conducting the assessment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, IRS is taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. In November 2016, IRS reported that it will implement the recommendation by October 2017. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in person until the TPP web application has been sufficiently updated. In March 2017, officials stated that they recently completed a risk assessment for TPP's phone and in-person authentication. Additionally, according to officials, IRS has implemented a new authentication process for TPP's phone authentication that began in February 2017. GAO requested documentation on IRS's risk assessment and authentication process. Once GAO receives and reviews documentation of these actions, it will determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards enabled IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS's return on investment by ensuring that efforts to flag fraudulent returns result in fewer refunds paid to IDT fraudsters.
    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with OMB and NIST e-authentication guidance, implement appropriate actions to mitigate risks identified in the assessment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, IRS is taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. In November 2016, IRS reported that it will implement the recommendation by October 2017. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in person until the TPP web application has been sufficiently updated. In March 2017, officials stated that they recently completed a risk assessment for TPP's phone and in-person authentication. Additionally, according to officials, IRS has implemented a new authentication process for TPP's phone authentication that began in February 2017. GAO requested documentation on IRS's risk assessment and authentication process. Once GAO receives and reviews documentation of these actions, it will determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards enabled IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS's return on investment by ensuring that efforts to flag fraudulent returns result in fewer refunds paid to IDT fraudsters.
    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should remove refund thresholds from criteria used to develop IRS's refunds-paid estimates.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In August 2016, IRS reported that the agency removed the lower limit threshold from the modeling dataset in March 2016, which will expand the population of returns considered for the 2015 Filing Season Taxonomy refund fraud estimates. Further, the agency noted that, to mitigate other thresholds, other returns receive manual reviews. GAO will analyze the 2015 Filing Season Taxonomy estimates, when available, to determine the extent to which GAO's recommendation has been implemented.
    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should utilize return-level data--where available--to reduce overcounting and improve the quality and accuracy of the refunds-prevented estimates.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In August 2016, IRS reported that the agency did not agree with GAO's recommendation and noted that the agency does not think that adopting a different methodology for Taxonomy estimates is an effective use of agency resources. According to IRS, the agency established the Global Identity Theft Report (Global Report) as a standardized report that uses return-level data for most of the identity theft protected categories and summary data elsewhere. Further, IRS reported that the agency will continue to improve the Global Report, which will flow into the Taxonomy. However, as we reported in May 2016, by using the Global Report to calculate Taxonomy estimates for refunds prevented, IRS may have overestimated the refunds protected or recovered. For example, electronically filed returns that are rejected are overcounted because the same return can be rejected multiple times. Additionally, IRS already has a count of known and potential identity theft returns in its modeling dataset that the agency could use to help calculate the refunds protected estimates. GAO will analyze the 2015 Filing Season Taxonomy estimates, when available, to determine the extent to which GAO's recommendation has been implemented.
    Director: Carolyn L. Yocom
    Phone: (202) 512-7114

    3 open recommendations
    including 2 priority recommendations
    Recommendation: To improve the effectiveness of states' and plans' Medicaid managed care (MMC) plan provider screening efforts, the Acting Administrator of CMS should consider which additional databases that states and MMC plans use to screen providers could be helpful in improving the effectiveness of these efforts and determine whether any of these databases should be added to the list of databases identified by CMS for screening purposes.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open
    Priority recommendation

    Comments: HHS concurred with this recommendation. CMS analyzed 22 databases that were reported to GAO as being used by Medicaid managed care plans to screen providers. It determined that several were already in use by CMS and mentioned in its guidance, several required more study by CMS, and others were not reliable. In April 2017, we reviewed CMS's analysis. For 8 of the databases, CMS noted that more information is needed, including the availability of the data and whether CMS would need an identifier to link providers to the data. CMS has requested additional information for these databases and has not yet concluded whether the databases should be added to the list of databases it has identified for screening purposes. To close the recommendation, CMS will need to determine whether the remaining databases it has studied should be added to the CMS list of databases to be used for provider screening and take the appropriate action.
    Recommendation: To improve the effectiveness of states' and plans' MMC plan provider screening efforts, the Acting Administrator of CMS should collaborate with SSA to facilitate sharing CMS's Death Master File subscription with state Medicaid programs.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open
    Priority recommendation

    Comments: HHS concurred with this recommendation. CMS has signed an Interagency Agreement that provides for the states' ability to access the SSA Death Master File. CMS said that it will provide Death Master File information to specific individuals within each state in the near future. To close the recommendation, CMS will need to begin to provide the states with access to Death Master File data and provide us with documentation that it has done so.
    Recommendation: To improve the effectiveness of states' and plans' MMC plan provider screening efforts, the Acting Administrator of CMS should coordinate with other federal agencies, as necessary, to explore the use of an identifier that is relevant for the screening of MMC plan providers and common across databases used to screen MMC plan providers.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: HHS concurred with the recommendation. We will update the status of this recommendation when we receive additional information.
    Director: Andrew Von Ah
    Phone: (213) 830-1011

    4 open recommendations
    Recommendation: To ensure the quality of the risk assessments used to inform its future QHSR processes, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to ensure future QHSR risk assessment methodologies reflect key elements of successful risk assessment methodologies, such as being: (1) Documented, which includes documenting how risk information was integrated to arrive at the assessment results, (2) Reproducible, which includes producing comparable, repeatable results, and (3) Defensible, which includes communicating any implications of uncertainty to users of the risk results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis and Risks completed initial meetings in April 2016 with government and non-government subject matter experts to refine risk analyses for the upcoming 2018 QHSR. Representatives from the department's component and headquarters staff are to take part in the Department's Risk Modeling and Analysis Steering Committee by reviewing, documenting and approving proposed new methodologies planned to help identify and prioritize threats and hazards. This effort is intended to lead to a documented, reproducible, and defensible assessment, according to the DHS officials. This recommendation will remain open until we verify that the risk analysis contains these elements.
    Recommendation: To enable the use of risk information in supporting resource allocation decisions, guiding investments, and highlighting the measures that offer the greatest return on investment, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to refine its risk assessment methodology so that in future QHSRs it can compare and prioritize homeland security risks and risk mitigation strategies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk, with support from the RAND Corporation, has proposed a methodology to assess threats, hazards, and vulnerabilities impacting U.S. homeland security. In addition, the department's Risk Modeling and Analysis Executive Steering Committee is to review and approve the proposed methodology. The methodology is intended to enable the Department of Homeland Security to compare and prioritize homeland security risks and risk mitigation strategies, according to DHS officials. The recommendation will remain open until we verify that the methodology allows such comparisons.
    Recommendation: To ensure proper management of the QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to identify and implement stakeholder meeting processes to ensure that communication is interactive when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk finalized a draft stakeholder outreach plan to include use of the Office of Management and Budget's Max electronic collaboration website to engage with federal, state, and local stakeholders. The OMB-MAX website is available to government and non-government offices and allows the posting of documents, articles, and links, as well as facilitating collaborative editing of documents and participant interaction threads, according to DHS officials. In addition, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk is exploring the use of different tools to facilitate more interactive stakeholder engagement. For example, DHS's Office of Partnerships and Engagement is to facilitate additional engagement with external subject matter experts, arrange interagency coordination, and organize review and approval with parties of the homeland security enterprise in order to coordinate and approve the development of the 2018 QHSR. This recommendation will remain open until we verify that interactive communication approaches are implemented.
    Recommendation: To ensure proper management of the internal QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to clarify component detailee roles and responsibilities when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk (SPAR) drafted a memorandum for the Deputy Secretary to solicit Component subject matter experts. The memorandum specifies component detailee roles and responsibilities, to include serving in an advisory, consultation, and coordination role, according to DHS officials. SPAR is to lead an integrated group of analysts and strategic planners that are to be supported and augmented by the subject matter experts. The experts and detailees are to serve as members of study teams analyzing key threats, trends, and strategy and policy alternatives associated with issues and challenges relating to DHS's mission and objectives. A second memorandum requesting additional detailee support is to be issued in November 2016, prior to the formal review phase of the new QHSR which is to begin in January 2017. This recommendation will remain open until we verify that clarified detailee roles and responsibilities are finalized and implemented.
    Director: John H. Pendleton
    Phone: (202) 512-3489

    1 open recommendation
    Recommendation: To identify and mitigate risk associated with the Army's planned force structure and improve future decision making, the Secretary of Defense should direct the Secretary of the Army to expand the Army's Total Army Analysis process to routinely require a mission risk assessment for the Army's combat and enabler force structure and an assessment of mitigation strategies for identified risk prior to finalizing future force structure decisions.

    Agency: Department of Defense
    Status: Open

    Comments: The Army is in the process of reissuing its force development regulation (Army Regulation 71-32) and issuing a new Army Pamphlet. Collectively, officials said that these documents will codify the Army's approach to assessing mission risk and mitigation strategies for its force structure and require that these assessments be completed prior to finalizing future force structure decisions. Army officials said that these documents will be published in September 2017.
    Director: Chris Currie
    Phone: (404) 679-1875

    5 open recommendations
    Recommendation: To enhance accountability for key risk-management activities and facilitate coordination with federal and industry stakeholders regarding electromagnetic risks, the Secretary of Homeland Security should designate roles and responsibilities within the department for addressing electromagnetic risks and communicate these to federal and industry partners.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the Cyber, Infrastructure and Resilience (CIR) Policy Office within the DHS Office of Policy is working with DHS components to identify and articulate the roles of the National Protection and Programs Directorate, Federal Emergency Management Agency, Science and Technology Directorate, and others in addressing electromagnetic risks. As part of this effort, CIR is to coordinate the development of a joint roles and responsibilities document to be communicated through existing partnership structures with internal and external entities.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the National Protection and Programs Directorate (NPPD) will increase collaborative outreach activities with FERC staff that will include a review of identified critical substations developed by FERC. The intended outcome of this review is to inform DHS activities regarding identification and prioritization of critical infrastructure assets for use during steady state and response activities. NPPD is also to inform FERC of its criticality modeling capabilities through the National Infrastructure Simulation and Analysis Center (NISAC) to enhance engagement with FERC's electric power subject matter expertise and inform future capability developments regarding response to and recovery from events such as electromagnetic pulse.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Energy
    Status: Open

    Comments: In June 2016, DOE provided an update (60-day letter) reiterating their intent to continue with actions identified previously to address the GAO recommendation, namely that the Office of Electricity Delivery and Energy Reliability was to review the Federal Energy Regulatory Commission's electrical infrastructure analysis, and subsequently engage with FERC and DHS to identify if any additional elements of criticality should be considered.
    Recommendation: To enhance federal efforts to assess electromagnetic risks and help determine protection priorities, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate and the Assistant Secretary for the IP to work with other federal and industry partners to collect and analyze key inputs on threat, vulnerability, and consequence related to electromagnetic risks--potentially to include collecting additional information from DOD sources and leveraging existing assessment programs such as the Infrastructure Survey Tool, Regional Resiliency Assessment Program, and DCIP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update, DHS reported that the department had completed the planned refresh of the Strategic National Risk Assessment, which was intended to incorporate potential impacts to the power system from electromagnetic events. In addition, DHS reported that the Electricity Sub-sector Coordinating Council created an Electromagnetic pulse (EMP) task force, which met in April 2016 and is currently working to develop a joint industry and government approach to address EMP. It was further noted that DHS and DOE initiated a joint study on the effects of EMP on the electric power sector - led by Los Alamos National Laboratory and the National Infrastructure Simulation and Analysis Center (NISAC) - to analyze the hazard environments, impacts, and consequences of EMP and GMD on U.S. electric power infrastructure. In addition, DHS noted their support of a new effort by the Electric Power Research Institute and 39 industry partners to further study EMP vulnerabilities.
    Recommendation: To facilitate federal and industry efforts to coordinate risk-management activities to address an EMP attack, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to engage with federal partners and industry stakeholders to identify and implement key EMP research and development priorities, including opportunities for further testing and evaluation of potential EMP protection and mitigation options.

    Agency: Department of Energy
    Status: Open

    Comments: On March 9, 2016, DOE provided agency comments on GAO-16-243 concurring with the recommendation and identifying related actions. Specifically, DOE reported collaboration with the Electric Power Research Institute to develop a joint DOE/Industry EMP Strategy to include key goals and objectives and identification of R&D priorities. The Strategy is expected to be completed by August 31, 2016, to be followed by more detailed action plans. DOE reported that they will collaborate with DHS and DOD in development of the Strategy and action plans. DOE further noted that a report by the Idaho National Laboratory also identifies potential technology gaps and includes recommendations for further R&D efforts, which will be incorporated when developing the forthcoming action plans.
    Director: Marcia Crosse
    Phone: (202) 512-7114

    28 open recommendations
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for reporting laboratory incidents to senior department officials, including the types of incidents that should be reported, to whom, and when, or direct the Administrator of the Food Safety and Inspection Service to develop agency policies that contain these requirements.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that its science and safety councils chartered a joint biorisk management policy committee to oversee the revisions of existing policies to include department-wide incident reporting requirements and time frames. USDA also reported that FSIS will collaborate with the department to ensure that FSIS policies comply with USDA reporting requirements. USDA did not provide an anticipated completion date for revising departmental policies.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should review and update outdated department policies for managing hazardous biological agents in high-containment laboratories and direct the Administrators of the Animal and Plant Health Inspection Service (APHIS) and Agricultural Research Service to update their policies and, in the case of APHIS, establish a regular review schedule.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the science and safety councils' joint biorisk management policy committee will review and update the existing outdated USDA policies. In addition, USDA reported that APHIS will review agency policies for biological laboratories every 3-5 years or sooner, if necessary, and that this schedule will be reflected in USDA policy. USDA did not provide an anticipated completion date for reviewing and updating departmental policies. USDA reported that ARS finalized its policies for its institutional biological safety committee in April 2016. Once all USDA and component agency policies have been updated and review schedules established, we will close this recommendation.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should routinely analyze results of the department's laboratory inspections and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the joint biorisk management policy committee will oversee efforts to collect and analyze laboratory inspection and incident reports and share these reports and critical analyses with USDA senior leadership. USDA did not provide an anticipated start date for analyzing reports and sharing analyses with senior departmental officials. USDA stated that the joint biorisk committee also serves as an information-sharing platform across USDA agencies and, as such, is positioned to share lessons learned from analyses of inspection and incident reports with laboratory personnel as necessary. USDA also provided additional information on APHIS, ARS, and FSIS planned or ongoing inspection and incident report analyses.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should require routine reporting of the results of department, agency, and select agent laboratory inspections to senior department officials.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the joint biorisk management policy committee will oversee efforts to revise existing departmental regulations to include requirements for routine reporting of inspection results to senior USDA officials. USDA did not provide an anticipated completion date for revising existing departmental regulations. USDA also provided additional information on APHIS, ARS, and FSIS planned or ongoing reporting of inspection results or revisions of agency policies to require such reporting.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should require routine reporting of incidents at agency laboratories to senior department officials.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the joint biorisk management policy committee will oversee efforts to revise existing departmental regulations to include requirements for routine reporting of laboratory incidents to senior USDA officials. USDA did not provide an anticipated completion date for revising existing departmental regulations. USDA also provided additional information on APHIS, ARS, and FSIS planned or ongoing incident reporting or revisions of agency policies to require such reporting.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inventory control for all of DOD's high-containment laboratories, not just for its select agent-registered laboratories, or direct the Secretaries of the Air Force, Army, and Navy to revise their existing, respective policies to contain these requirements.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should direct the Secretaries of the Air Force and Army to review and update their respective outdated policies for managing hazardous biological agents in high-containment laboratories.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should routinely analyze agencies' inspection results and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel, or direct the Secretaries of the Army and Navy to do so.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should require routine reporting of the results of Air Force, Army, and Navy inspections of non-select agent registered laboratories to senior department officials.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should require routine reporting of laboratory incidents at Air Force, Army, and Navy non-select agent registered laboratories to senior department officials.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should direct the Secretaries of the Army and Navy to require reporting of agency and select agent laboratory inspection results to senior agency officials.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should develop time frames for the 19 specific recommendations from the July 2015 review, or direct the Secretary of the Army to do so.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Energy should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inspections, or direct the Administrator of the National Nuclear Security Administration and the Director of the Office of Science to develop agency policies that contain this requirement.

    Agency: Department of Energy
    Status: Open

    Comments: In August 2016, DOE reported that it is revising department policy for its select agent and toxin work to highlight oversight of facilities working with these agents and toxins. DOE will solicit input from NNSA, the Office of Science, and its biosurety executive team to determine if specific inspection requirements should be included in the select agent, or other department or agency policies. DOE provided us with information as to other department policies and regulations that allow for inspections. DOE plans to complete its efforts by the end of July 2017. We maintain that DOE should make laboratory inspection requirements explicit and that these requirements apply to all high-containment laboratories, not just those registered with the select agent program.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Energy should review and update its outdated policies for managing hazardous biological agents in high-containment laboratories.

    Agency: Department of Energy
    Status: Open

    Comments: In August 2016, DOE reported that it is updating its outdated select agent policy and plans to complete this update by the end of July 2017.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Administrator of the Environmental Protection Agency (EPA) should revise existing EPA policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inventory control, or direct the Director of the Office of Pesticide Programs to incorporate this requirement into its policy.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA agreed with this recommendation in its February 2016 comments on the draft report, but maintains that agency, or senior-level policies, exist that include this requirement. EPA officials cited a Microbiology Laboratory Branch standard operating procedure (SOP) as containing inventory control requirements for the agency's one high-containment laboratory. However, in July 2016, EPA officials told us that it disagreed with our assessment that the SOP, as a laboratory-level document, was insufficient to meet our expectations for senior-level policies. In November 2016, EPA officials reiterated its position stating that the SOP had been approved by senior agency management and, as the requirements in it are universally applied by all laboratory staff, appropriately represents an agency-level policy. EPA further noted that the Office of Pesticide Policy, in which the Microbiology Laboratory Branch is located, is a sub-office within EPA's Office of Chemical Safety and Pollution Prevention (OCSPP), an Assistant Administrator-level office. We continue to believe that senior-level policies--in this case, either those policies issued at the EPA level or at the OCSPP/OPP level--that include all of the policy elements we analyzed reflect critical management commitment to and support for a culture of laboratory safety throughout the organization, regardless of the number of agency laboratories.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Administrator of EPA should review and update EPA's outdated policies for managing hazardous biological agents in high-containment laboratories and establish a regular schedule for reviewing and updating EPA and Office of Pesticide Programs policies.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In July 2016, EPA reported that the policies and procedures for both the facility that houses its microbiology laboratory and the laboratory itself are reviewed and updated on a bi-yearly or yearly basis consistent with the EPA schedules for biosafety and laboratory plans set in policy. However, EPA did not provide us with the policy that sets the EPA schedules. In addition, our analysis focused on policy documents issued by EPA or its senior-level offices, such as EPA's Safety, Health, and Environmental Management Program manual, dated November 2012. When we analyzed that policy for the report, we were unable to determine whether it was up-to-date because it did not include a review and update schedule or a specific recertification date. As of November 2016, EPA maintains that this recommendation has been completed, because the office revised the standard operating procedure that provides guidance for establishing the receipt, expiration dates, and disposal of biological inventory used in the laboratory. As of April 2017, we have reached out to EPA for documentation of the actions the agency stated it has taken. Until received, we continue to believe that EPA action on this recommendation is still needed, such as by providing an updated EPA-level safety manual that includes a schedule for reviewing and updating, or providing EPA's schedule set in policy, so long as it also applies to agency- or senior office-level policies.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Administrator of EPA should require routine reporting of the results of department, agency, and select agent laboratory inspections to senior department officials.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA agreed with this recommendation in its February 2016 comments on the draft report. In July 2016, EPA reported that its high-containment laboratory will notify senior officials within 3 weeks of any laboratory inspection findings. This is a positive step. We are waiting for EPA to provide us with supporting documentation.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials, including the types of incidents that should be reported, to whom, and when, or direct the Director of CDC and the Commissioner of FDA to incorporate these requirements into their respective policies.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that both CDC and FDA were working to incorporate incident reporting requirements and time frames into formal agency policies and practices but did not provide an anticipated completion date. In summer 2017, CDC and FDA reported that they were continuing to incorporate incident reporting, which includes all laboratory incidents, accidents, injuries, infections, and near-misses, into formal agency policies. CDC did not provide an anticipated completion date. FDA anticipated completing the policy revisions/updates by summer 2018.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for training and inspections for all high-containment component agency laboratories and not just for their select-agent-registered laboratories; or direct the Director of CDC to provide these requirements in agency policies.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that CDC plans to revise its policies to include training and inspection requirements for inspections for all high-containment laboratories but did not provide an anticipated completion date. In June 2017, HHS reported that CDC was in the process of revising its formal policies to ensure they included requirements for training and inspections for all of the agency's high-containment laboratories but did not provide an anticipated completion date.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should require routine reporting of the results of agency and select agent laboratory inspections to senior department officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that CDC was working with FDA and NIH to establish a process for notifying HHS leadership of inspection results through the department's Biosafety and Biosecurity Coordinating Council. HHS did not provide us with an anticipated time frame for implementing this notification practice or when the agencies plan to begin notifying HHS of inspection results.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should direct the Director of NIH and the Commissioner of FDA to require routine reporting of the results of agency laboratory inspections--and in the case of FDA, require routine reporting of select agent inspection results--to senior agency officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that FDA is working to establish a process for notifying senior agency officials of inspection results, and in August 2017, FDA reported that it was in the process of updating its policies to reflect such a notification process. FDA anticipated that the updated policies and processes would be in place by summer 2018. In August 2016, HHS reported that NIH's ongoing practice is to report the results of external inspections to senior agency officials and, in May 2016, developed a standard operating procedure that outlines this reporting process. In March 2017, NIH officials provided assurance that its Division of Occupational Safety and Health provides NIH's intramural governing body with information about NIH's safety performance at least annually; officials further assured that this information includes the overall results of annual inspections (or audits, as NIH calls them) of all NIH laboratories and discussion of the top 10 most reported safety infractions for the year. GAO considers NIH to have implemented the recommended action. GAO will close the overall recommendation once FDA has taken equivalent, appropriate action.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should require routine reporting of incidents at CDC, FDA, and NIH laboratories to senior department officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that its Biosafety and Biosecurity Council is working to establish incident reporting requirements for CDC, FDA, and NIH but did not provide an anticipated completion date. HHS noted that NIH formally adopted a standard operating procedure that lays out the agency's requirements for reporting incidents to senior officials.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should develop department policies, or direct the Directors of Fish and Wildlife Service and U.S. Geological Survey to develop agency policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials--including the types of incidents that should be reported, to whom, and when--and specific requirements for roles and responsibilities, training, inventory control, and inspections.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that the Fish and Wildlife Service and U.S. Geological Survey will develop agency-level policies that contain the key elements GAO identified. DOI did not provide us with a time frame for these activities.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should routinely analyze the results of the agency's laboratory inspections and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel, or direct the Directors of Fish and Wildlife Service and U.S. Geological Survey to do so.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that its Biosafety Working Group, composed of officials across the department, including Fish and Wildlife Service and U.S. Geological Survey, is developing an automated process for analyzing results of laboratory inspections and incident reports to identify safety and security trends. The working group is also developing a process to share information gleaned from these analyses, including lessons learned, with laboratory personnel in a timely manner. DOI did not provide us with a time frame for these activities.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should require routine reporting of the results of agency and select agent inspections to senior department officials.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that in accordance with the reporting requirements it plans to incorporate into agency-level policies in response to our first recommendation, Fish and Wildlife Service and U.S. Geological Survey will be required to submit routine or periodic reports of the results of agency and select agent inspections to the department's designated agency safety and health official.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should direct the Director of the U.S. Geological Survey to require routine reporting of the results of agency and select agent laboratory inspections to senior agency officials.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that the U.S. Geological Survey will modify and expand its existing policies to require reporting of agency and select agent inspection results to senior USGS officials.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Veterans Affairs should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials--including the types of incidents that should be reported, to whom, and when--and requirements for inventory control for all of its high-containment laboratories, including its select agent-registered clinical laboratory, or direct the Under Secretary of Health to incorporate these requirements into its policies.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In June 2016, VA reported that while it has policies for reporting laboratory incidents at the local level (VA medical center or laboratory level), VA plans to develop a national level policy for reporting laboratory incidents to senior department officials, including the types of incidents to report, to whom, and when. VA will convene a task force for the purposes of developing such a policy and anticipates that the task force will finalize its policy by March 2018. In June 2017, VA reported that the task force concluded that VA's existing emergency management plan contained all of the necessary requirements for laboratory incident reporting. However, VA has not provided GAO with the emergency management plan. VA further noted that an intradepartmental memorandum was sufficient for making employees aware of such policy requirements in the emergency plan and that such a memorandum was drafted and was being processed for dissemination throughout VA, with an anticipated completion date of August 2017.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Veterans Affairs should direct the Under Secretary of Health to review and update outdated agency policies for managing hazardous biological agents in high-containment laboratories.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA updated and finalized its outdated policy for its clinical laboratories in February 2016. In July 2016, VA reported that it has begun updating its policies for its research laboratories and anticipated finalizing them in 6 months. In June 2017, VA reported that its policies for its research laboratories remain under review and revision, with an anticipated completion date of December 2017.
    Director: David J. Wise
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To improve risk assessments for repair and alteration projects, the Administrator of GSA should develop and implement a plan to periodically analyze information GSA already collects, for example, based on a representative sample of repair and alterations projects, in order to: (1) identify the specific impacts unforeseen conditions have had on project costs, schedules, and scope of work; (2) analyze the causes of these conditions for those projects that experienced unforeseen site conditions; and (3) identify actions that will be taken to address the potential causes of unforeseen site conditions.

    Agency: General Services Administration
    Status: Open

    Comments: GSA said it is working to study potential unforeseen site conditions on repair and alteration projects. Based on the identification of new categories of unforeseen site conditions, GSA will implement plans to prevent and mitigate such unforeseen site conditions on future projects. Specifically, GSA will conduct a study of change orders. GSA will then analyze conditions and identify possible categories of unforeseen site conditions. GSA will include assessment of causes and impact on schedule and budget, and also assess potential causes of unforeseen site conditions. Finally, GSA will develop plans to address potential causes and mitigate risks of unforeseen site conditions. We will continue to follow-up with GSA to confirm that it follows through with these actions.
    Director: Jacqueline M. Nowicki
    Phone: (202) 512-7215

    1 open recommendation
    including 1 priority recommendation
    Recommendation: Using its general authority to collaborate with other federal agencies, the Secretary of Education should convene its federal interagency partners to develop a strategic approach to interagency collaboration on school emergency preparedness. This group could include designees or delegates from the Secretaries of DHS, HHS, and the Attorney General, including representatives from relevant agency components, such as the Federal Emergency Management Agency, Transportation Security Administration, and the Federal Bureau of Investigation, and others as appropriate, and should incorporate leading federal interagency collaboration practices, for example, by: (1) identifying leadership, (2) defining outcomes and assigning accountability, (3) including all relevant participants, and (4) identifying necessary resources.

    Agency: Department of Education
    Status: Open
    Priority recommendation

    Comments: The Department of Education agrees that improved federal coordination will better assist K-12 schools in preparing for emergencies, and noted that other federal agencies, including especially FEMA, play a significant role in school emergency preparedness. Additionally, Education cited the importance of involving other relevant agencies in obtaining agreement on the assignment of roles and responsibilities, including selecting a lead agency charged with primary responsibility for coordinating federal emergency preparedness assistance to K-12 schools. In August 2016, Education convened a committee of Assistant Secretary-level representatives from relevant agencies, including DHS, FEMA, and TSA, among others, to develop a strategic approach to interagency collaboration on school emergency management efforts. Subsequently, in October 2016, it convened a task force consisting of program staff from the relevant agencies to draft a plan for organizational structure, goals, and objectives for the next five years, which it expects will be approved for implementation beginning in January 2017. We are encouraged by these actions and will monitor the group's progress towards developing a strategic approach to school emergency preparedness. Education stated that it expects to complete these efforts very soon. At that time, we will await documentation showing that it has finalized and implemented its strategic approach for interagency collaboration around school emergency management.
    Director: Chaplain, Cristina T
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To help ensure DOD is sufficiently informed about the availability and reliability of data from U.S. civil government and international partner satellites as it plans for future SBEM capabilities that rely on such satellites, the Secretary of Defense should ensure the leads of future SBEM planning efforts establish formal mechanisms for coordination and collaboration with NOAA that specify roles and responsibilities and ensure accountability for both agencies.

    Agency: Department of Defense
    Status: Open

    Comments: In January 2017, the Air Force and NOAA signed a memorandum of agreement under which the parties are to establish annexes for interagency acquisitions or support on SBEM efforts. The Air Force and NOAA are in the process of drafting two annexes for collecting SBEM data, expected to be completed by the winter of 2017, according to the Air Force. This effort does not cover collaboration between NOAA and DOD entities outside the Air Force, but NOAA is engaged in a separate memorandum of agreement with the Navy, which includes one annex that involves sharing data for SBEM-related activities. According to the Navy, additional draft annexes that would further SBEM-related data sharing are being considered. In addition, DOD and NOAA are in the process of responding to section 1607 of the National Defense Authorization Act for Fiscal Year 2017, which directs the agencies to jointly establish mechanisms to collaborate and coordinate in defining roles and responsibilities to carry out SBEM activities and plan for future nongovernmental SBEM capabilities, and to submit a report on the mechanism established.
    Director: Lawrance Evans, Jr.
    Phone: (202) 512-8678

    6 open recommendations
    Recommendation: Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services. For example, Congress could consider consolidating the number of federal agencies involved in overseeing the safety and soundness of depository institutions, combining the entities involved in overseeing the securities and derivatives markets, transferring the remaining prudential regulators' consumer protection authorities over large depository institutions to the Consumer Financial Protection Bureau, and the optimal role for the federal government in insurance regulation, among other considerations.

    Agency: Congress
    Status: Open

    Comments: One bill has been introduced in the 115th Congress that would change the financial regulatory structure to address fragmented and overlapping regulatory authorities among agencies, as GAO suggested in February 2016. H.R. 594 was introduced on January 20, 2017, and calls for the functions of the Commodity Futures Trading Commission and the Securities and Exchange Commission to be combined in a single independent regulatory commission. Such an action could help to address fragmentation and overlap between the two agencies, and reduce opportunities for inefficiencies in the regulatory process and inconsistencies in how regulators conduct oversight activities over similar types of institutions, products, and risks.
    Recommendation: Congress should consider whether legislative changes are necessary to align FSOC's authorities with its mission to respond to systemic risks. Congress could do so by making changes to FSOC's mission, its authorities, or both, or to the missions and authorities of one or more of the FSOC member agencies to support a stronger link between the responsibility and capacity to respond to systemic risks. In doing so, Congress could solicit information from FSOC on the effective scope of its collective designation authorities, including any gaps.

    Agency: Congress
    Status: Open

    Comments: No legislative action identified. As of March 1, 2017, no legislation had been introduced that would align FSOC's authorities with its mission to respond to systemic risks, as GAO suggested in February 2016. Without such legislative changes, FSOC may lack the tools it needs to comprehensively address systemic risks that may emerge, and a gap will continue to exist in the post Dodd-Frank Wall Street Reform and Consumer Protection Act mechanisms for the mitigation of systemic risks.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, as OFR develops and refines its financial stability monitoring tools, it should work with FSOC to determine ways in which to fully and regularly incorporate current and future monitors and assessments into Systemic Risk Committee deliberations, including, where relevant, those that present disaggregated or otherwise confidential supervisory information.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: At the FSOC Systemic Risk Committee meeting held in December 2016, Treasury indicated that Office of Financial Research staff presented on the agency's Financial Stability Report. Officials indicated that they provided an assessment on potential financial stability risks, including macroeconomic, market, credit, funding and liquidity, and contagion risks. Systemic Risk Committee meeting attendees were able to compare and contrast these with the results from the Federal Reserve's systemic risk monitoring activities, which were also presented at the meeting. Office of Financial Research officials stated that there was general consensus at the meeting that these discussions were useful and that they should continue. GAO does not believe that this action is consistent with the intent of its February 2016 recommendation to fully and regularly incorporate current and future monitors and assessments into FSOC's Systemic Risk Committee deliberations. While GAO encourages sharing this type of information, the Office of Financial Research's Financial Stability Report is a publicly-available report. The intent of GAO's recommendation was to encourage the agency to fully incorporate all of its monitors into Systemic Risk Committee discussions, including its Financial Stability Monitor--its benchmark tool for assessing risks across the financial system. In addition, in its February 2016 report, GAO encouraged the agency to seek ways in which monitors that present disaggregated or otherwise confidential supervisory information can be incorporated in committee discussions. Without sharing such monitors and information, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether. The Financial CHOICE Act of 2016 was introduced in the 114th Congress. The act called for the Office of Financial Research to be eliminated. It was not passed before the end of the 114th Congress.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, the Federal Reserve should work with FSOC to regularly incorporate the comprehensive results of its systemic risk monitoring activities into Systemic Risk Committee deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, Federal Reserve officials indicated that they provided a presentation to FSOC's Systemic Risk Committee in December 2016, which included comprehensive results from its systemic risk monitoring activities. This action appears to be consistent with GAO's February 2016 recommendation, but the documentation provided by the Federal Reserve did not provide sufficient evidence that the agency has regularly incorporated these results into Systemic Risk Committee meetings. GAO will continue to monitor the Federal Reserve's participation in Systemic Risk Committee meetings to ensure that the agency continues to provide both regular and comprehensive results to the committee. Without better access to systemic risk monitoring tools and other outputs, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    8 open recommendations
    including 8 priority recommendations
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to conduct a comprehensive feasibility study on actions that CMS can take to monitor and analyze, both quantitatively and qualitatively, the extent to which data hub queries provide requested or relevant applicant verification information, for the purpose of improving the data-matching process and reducing the number of applicant inconsistencies; and for those actions identified as feasible, create a written plan and schedule for implementing them.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported that it considered this recommendation open and it was reviewing options for conducting a feasibility study to monitor and analyze information received from the Hub as recommended. HHS plans to examine the hub process in delivering usable information for applicant verification and analyzing data to identify trends or patterns that could suggest improvements in verification or actions that could reduce the number of inconsistencies that require further attention. HHS reported that this effort began March 2016. In March 2017, the agency said it is making significant progress towards implementing the recommendation. We will continue to monitor HHS's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to track the value of advance premium tax credit and cost-sharing reduction (CSR) subsidies that are terminated or adjusted for failure to resolve application inconsistencies, and use this information to inform assessments of program risk and performance. (See related recommendation 7.)

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because it expanded the use of analytics to analyze the value of premium tax credit and CSR subsidies that are eliminated or adjusted for 2015 actions at the policy level, and that CMS continues to analyze the data to develop future operations changes. In May 2016, we requested documentation of these actions, including (1) information produced using the capability described; (2) ways in which this information is being used for analysis for purposes such as program operations, monitoring, risk assessment, or fraud cleaning; and (3) a description of the future operational changes contemplated based on the analyses done. Once received, we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to, in the case of CSR subsidies that are terminated or adjusted for failure to resolve application inconsistencies, consider and document, in conjunction with other agencies as relevant, whether it would be feasible to create a mechanism to recapture those costs, including whether additional statutory authority would be required to do so; and for actions determined to be feasible and reasonable, create a written plan and schedule for implementing them.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because CMS has considered whether it would be feasible to create a mechanism to recapture CSRs and determined that this is not possible under the current statute. HHS also noted that as currently written, the statute does not provide this authority and to pursue developing a mechanism to do so would require Congress to change the statute. In May 2016, we agreed to consider the recommendation closed upon HHS advising us if it made any review or inquiry into the feasibility of recapture apart from statutory authority and providing documentation of such consideration so that we have a full record of the agency's consideration prior to closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to identify and implement procedures to resolve Social Security number inconsistencies where the Marketplace is unable to verify Social Security numbers or applicants do not provide them.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported that it considered this recommendation open and was working on implementing functionality for updating consumers' Social Security numbers (SSN) and their eligibility based on the correct SSN. HHS reported that it is targeting deployment of the SSN update functionality in 2017. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to reevaluate CMS's use of Prisoner Update Processing System (PUPS) incarceration data and make a determination to either (a) use the PUPS data, among other things, as an indicator of further research required in individual cases, and to develop an effective process to clear incarceration inconsistencies or terminate coverage, or (b) if no suitable process can be identified to verify incarceration status, accept applicant attestation on status in all cases, unless the attestation is not reasonably compatible with other information that may indicate incarceration, and forego the inconsistency process.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because in 2015, it made the determination to no longer require application filers to submit documentation regarding incarceration status. We were aware of that determination, but the recommendation was to reevaluate use of PUPS from the specific standpoint of using the data as it was intended to be used as an indicator of further research and then draw a conclusion on the use of the data. In May 2016, we requested documentation demonstrating that in the period since we made this recommendation, CMS has undertaken the reevaluation in the fashion that we indicated. Once received, we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to create a written plan and schedule for providing Marketplace call center representatives with access to information on the current status of eligibility documents submitted to CMS's documents processing contractor.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because since May 2015, call center representatives have received daily updates on the status of eligibility documentation. It is working to provide call center representatives with real-time data that is tentatively scheduled for later in 2016. In May 2016, we noted that our recommendation was focused on providing such real-time capability and requested (1) confirmation that call center representatives currently have on-demand, real-time access to up-to-date, application-level document status; and documentation showing development and implementation of this capability; or (2) a written plan and schedule for providing this capability as recommended. Once received, we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to conduct a fraud risk assessment, consistent with best practices provided in GAO's framework for managing fraud risks in federal programs, of the potential for fraud in the process of applying for qualified health plans through the federal Marketplace.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported that it considered this recommendation open. It noted that CMS has launched a Marketplace Integrated Project Team (IPT) through the Program Integrity Board, which includes senior staff from across CMS. An objective of the IPT is to complete the fraud risk assessment of Marketplace eligibility and enrollment based on GAO's Fraud Risk Framework, as required by the recommendation. HHS said the first three steps of GAO's framework for this part were to be completed by early summer. Once HHS has completed all relevant steps of the framework, and the agency has fully documented its implementation efforts--including discussion of any items contemplated by the framework that HHS elected not to follow--we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to fully document prior to implementation, and have readily available for inspection thereafter, any significant decision on qualified health plan enrollment and eligibility matters, with such documentation to include details such as policy objectives, supporting analysis, scope, and expected costs and effects.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because CMS prepares an annual Marketplace and Related Programs Cycle Memo to fulfill reporting requirements for internal control. The Memo describes all significant eligibility and enrollment policy and process changes, including new internal key controls associated with these changes, and the 2015 Memo was released in September 2015. In May 2016, we notified HHS that its actions do not close the recommendation. Information contained in the Memos is after-the-fact and while useful, does not meet the full range of documentation contemplated by our recommendation, especially development and analysis of changes prior to implementation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    3 open recommendations
    Recommendation: To provide greater compliance with the GIDEP reporting requirement among the DOD components and their defense supplier-base, the Undersecretary of Defense for Acquisition, Technology and Logistics should establish mechanisms for department-wide oversight of defense agencies' compliance with the GIDEP reporting requirement.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: In providing comments on this report, DOD concurred with this recommendation but has not completed actions to implement it. DOD stated that it will issue a new DOD Instruction covering the use of GIDEP, as well as a companion DOD manual, to include identification of roles and responsibilities for submission of reports and oversight of such submission. Both documents are expected to be completed by the end of the second quarter of fiscal year 2018.
    Recommendation: To provide greater compliance with the GIDEP reporting requirement among the DOD components and their defense supplier-base, the Undersecretary of Defense for Acquisition, Technology and Logistics should develop a standardized process for determining the level of evidence needed to report a part as suspect counterfeit in GIDEP, such as a tiered reporting structure in GIDEP that provides an indication of where the suspect part is in the process of being assessed.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: In providing comments on this report, DOD concurred with this recommendation but has not completed actions to implement it. DOD stated that it will issue a new DOD Instruction covering the use of GIDEP, as well as a companion DOD manual, to include identification of roles and responsibilities for submission of reports and oversight of such submission. Both documents are expected to be completed by the end of the second quarter of fiscal year 2018.
    Recommendation: To provide greater compliance with the GIDEP reporting requirement among the DOD components and their defense supplier-base, the Undersecretary of Defense for Acquisition, Technology and Logistics should develop guidance for when access to GIDEP reports should be limited to only government users or made available to industry.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: In providing comments on this report, DOD concurred with this recommendation but has not completed actions to implement it. DOD stated that it will issue a new DOD Instruction covering the use of GIDEP, as well as a companion DOD manual, to include identification of roles and responsibilities for submission of reports and oversight of such submission. Both documents are expected to be completed by the end of the second quarter of fiscal year 2018.
    Director: Kathleen M. King
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To strengthen oversight of the provision of care coordination services in the Financial Alignment Demonstration, the Secretary of Health and Human Services should direct the Administrator of CMS to expediently develop and require organizations in the capitated model, and the states in the MFFS model, to report comparable core data measures across the demonstration that measure the following: (1) the extent to which interdisciplinary care team meetings are occurring, and (2) for MFFS states, the extent to which health risk assessments are completed.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In April 2016, CMS officials told us they are exploring whether it would be feasible to identify and develop additional measures related to interdisciplinary care team meetings and health risk assessment completion within the demonstration period. For the first part of our recommendation, CMS officials said that they did not believe it was feasible to implement a care team measure during the demonstration period. For the second part of our recommendation, CMS officials said they had begun discussions with their existing CMS contractor about the level of effort required to develop and implement a health risk assessment measure in the Managed-Fee-For-Service (MFFS) demonstrations. CMS also planned to have discussions with the MFFS model states about the feasibility of collecting and reporting this type of data. As of June 2017, HHS officials have not informed us of any actions taken to implement this recommendation. We will update the status of this recommendation when we receive additional information.
    Recommendation: To strengthen oversight of the provision of care coordination services in the Financial Alignment Demonstration, the Secretary of Health and Human Services should direct the Administrator of CMS to align CMS's existing state-specific measures regarding the extent to which individualized care plans are being developed across the capitated and MFFS states to make them comparable and designate them as a core reporting requirement.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In April 2016, CMS officials said they planned to use an existing CMS contractor to develop a care plan measure that more closely aligns the specifications across demonstrations. As of June 2017, HHS officials have not informed us of any actions taken to implement this recommendation. We will update the status of this recommendation when we receive additional information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

    Agency: Department of the Treasury
    Status: Open

    Comments: The 2015 sector-specific plan for the financial services sector includes a section on measuring the effectiveness of sector activities; however, the plan does not include specific metrics. The plan refers to working groups and meetings of sector stakeholders as mechanisms to track sector progress. No specific metrics and associated reports of outcomes have been provided to address overcoming the challenges of monitoring the sector's cybersecurity progress. We will continue to monitor financial services sector activities and determine any specific metrics and related reports developed and implemented to track and report on the sector's cybersecurity progress.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether USDA and HHS have developed and implemented mechanisms to measure the outcomes of their sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether HHS has developed and implemented mechanisms to measure the outcomes of its sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Transportation
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The 2015 water and wastewater sector-specific plan includes a segment on measuring the effectiveness of sector activities that describes the overall principles for collecting data and using the National Annual Report data calls as a tool for assessing performance and reporting on progress within the sector. However, the plan does not state specific measures and the agency acknowledged in its response to our report that it does not collect performance metrics on the effectiveness of its cybersecurity programs for the sector. According to agency officials, the development of performance metrics in collaboration with sector partners is underway. We will continue to follow up to identify any specific metrics developed and implemented and resulting outcome-based reports.
    Director: J. Lawrence Malenich
    Phone: (202) 512-9399

    1 open recommendations
    Recommendation: The Foundation's Executive Director should update the Foundation's draft written policies and procedures over its contracting practices to include all key internal control activities, issue them in final form, and establish a date by which these actions will be completed.

    Agency: Morris K. Udall and Stewart L. Udall Foundation
    Status: Open

    Comments: The Foundation concurred with our recommendation and stated that it will implement the recommended actions. In addition, the Foundation stated that our recommendations will be incorporated in the Foundation's risk assessment documentation, established as a priority, and included in the Foundation's fiscal year 2016 Corrective Action Plan. As of July 2017, the Foundation has not implemented corrective actions to address this recommendation.
    Director: Brenda S. Farrell
    Phone: (202) 512-3604

    5 open recommendations
    Recommendation: To improve the effectiveness of DOD's strategy for preventing sexual assault in the military, as part of the department's next biennial update to the 2014-16 sexual-assault prevention strategy, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to link sexual-assault prevention activities with desired outcomes.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. DOD is conducting assessments at large installations that reflect a cross-section of each of the service's cultures and result in the development of the 2017-2021 DOD Sexual Assault Prevention Plan of Action. According to department officials, the plan will link risks and protective factors.
    Recommendation: To improve the effectiveness of DOD's strategy for preventing sexual assault in the military, as part of the department's next biennial update to the 2014-16 sexual-assault prevention strategy, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to identify risk and protective factors for all of its domains, including the military community and its leaders.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. DOD is conducting assessments at large installations that reflect a cross-section of each of the service's cultures and will inform the development of the 2017-2021 DOD Sexual Assault Prevention Plan of Action. According to department officials, the plan will identify risk and protective factors for all domains, including military community and leaders.
    Recommendation: To help ensure widespread adoption and implementation of DOD's sexual-assault prevention strategy and to fulfill its role as a framework that can assist leaders and planners in the development of appropriate tasks, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to communicate and disseminate DOD's prevention strategy and its purpose to the appropriate levels of program personnel as well as their roles and responsibilities for its implementation.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. According to DOD officials, DOD's 2017-2021 Sexual Assault Prevention Plan of Action will include a comprehensive communications roll-out plan to ensure every level of DOD understands its role in prevention.
    Recommendation: To help improve DOD's ability to measure the effectiveness of the department's efforts in preventing sexual assault in the military, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military departments, to fully develop the department's performance measures for the prevention of sexual assault so that the measures include all key attributes of successful performance measures.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. DOD is conducting a feasibility assessment to identify metrics that will detect impacts of prevention efforts and show progress on reducing risk and prevalence of sexual assault. The results will be included in the 2017-2021 DOD Sexual Assault Prevention Plan of Action.
    Recommendation: To help ensure widespread adoption and implementation of DOD's sexual-assault prevention strategy and to fulfill its role as a framework that can assist leaders and planners in the development of appropriate tasks, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to ensure the military services' Sexual Assault Prevention and Response policies are aligned with the department's prevention strategy.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. As part of its development of the department's 2017-2021 Sexual Assault Prevention Plan of Action, DOD is working to align military service sexual assault prevention policies with the department's overarching sexual assault prevention strategy.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: To ensure that NTIA's evaluation of the Internet multistakeholder community's transition proposal fully considers whether the proposal provides reasonable assurance that NTIA's core goals for the transition will be met, the NTIA Administrator should review relevant frameworks for evaluation, such as the Committee of Sponsoring Organizations of the Treadway Commission framework and the International Organization for Standardization quality management principles, and use the relevant portions of the frameworks to help evaluate and document whether and how the transition proposal meets NTIA's core goals.

    Agency: National Telecommunications and Information Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gambler, Rebecca S
    Phone: (202) 512-8777

    3 open recommendations
    Recommendation: To strengthen USCIS's EB-5 Program fraud prevention, detection, and mitigation capabilities, and to more accurately and comprehensively assess and report program outcomes and the overall economic benefits of the program, the Director of USCIS should plan and conduct regular future fraud risk assessments of the EB-5 Program.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: The Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) is responsible for administering the Employment-Based Fifth Preference Immigrant Investor Program (EB-5 Program). In 2015, we reviewed the EB-5 program to determine if USCIS assesses fraud and other related risks facing the program. We found that USCIS had collaborated with its interagency partners to assess fraud and national security risks in the program in fiscal years 2012 and 2015 but that these assessments were onetime efforts that did not have documented plans to conduct regular future risk assessments, in accordance with fraud prevention practices, which could help inform efforts to identify and address evolving program risks. To strengthen the program's fraud prevention, detection, and mitigation capabilities, we recommended that USCIS plan and conduct regular future fraud risk assessments. USCIS concurred with the recommendation, stating that it will continue to conduct at least one fraud, national security, or intelligence assessment on an aspect of the program annually. In September 2015, USCIS stated that the Fraud Detection and National Security Directorate unit of its Immigrant Investor Program (IPO) will conduct its next fraud, national security, and intelligence assessment in FY 2016 and one assessment annually thereafter. In an August 2016 update, USCIS stated that it had conducted a national security assessment, the draft of which was under review by management, to be finalized by September 30, 2016. We will continue to monitor USCIS's efforts to ensure that the agency finalizes this assessment and documents plans to conduct future fraud assessments on a regular basis.
    Recommendation: To strengthen USCIS's EB-5 Program fraud prevention, detection, and mitigation capabilities, and to more accurately and comprehensively assess and report program outcomes and the overall economic benefits of the program, the Director of USCIS should develop a strategy to expand information collection, including considering the increased use of interviews at the I-829 phase as well as requiring the additional reporting of information in applicant and petitioner forms.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: In 2015, we evaluated the Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) Employment-Based Fifth Preference Immigrant Investor Program (EB-5 Program) to determine the extent to which the agency had addressed any identified fraud risks in the program. We found that USCIS had identified unique fraud risks in the program and had taken certain steps to address and enhance its fraud risk management efforts, including establishing a dedicated entity to oversee these efforts. However, we found that USCIS's information systems and processes limited its ability to collect and use data on EB-5 Program participants to comprehensively address fraud risks in the program. To strengthen the program's fraud mitigation capabilities, we recommended that USCIS develop a strategy to expand information collection, including considering the increased use of interviews at the application for permanent residency (form I-829) phase as well as requiring the additional reporting of information in applicant and petitioner forms. USCIS concurred with the recommendation, stating that IPO will develop a strategy to enhance and expand information collection, including publishing revised EB-5 application and petition forms, and considering the use of interviews. In a September 2015 update to this recommendation, USCIS stated that it had begun internal discussions for developing a comprehensive strategy to incorporate interviews into various stages of the EB-5 process, including the I-829 phase. In addition, USCIS was implementing a comprehensive approach for revising all EB-5 specific forms (I-526, I-924, and I-924A) to improve program integrity and data collection. USCIS expects the revised forms to be available after December 31, 2015. In an August 2016 update, USCIS stated that it has revised Forms I-924, I-924A, and I-526, and anticipated revising Forms I-924 and I-924A by November 2016 and Form I-829 by March 2017. USCIS also stated that IPO had initiated a new process to allow interview of Form I-829 petitioners by video conference, and planned to develop a comprehensive interview strategy based on the results of initial and future interviews as well as other relevant information. We will continue to monitor USCIS's efforts to develop and implement this more comprehensive EB-5 data collection strategy.
    Recommendation: To strengthen USCIS's EB-5 Program fraud prevention, detection, and mitigation capabilities, and to more accurately and comprehensively assess and report program outcomes and the overall economic benefits of the program, the Director of USCIS should track and report data that immigrant investors report, and the agency verifies on its program forms for total investments and jobs created through the EB-5 Program.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: In 2015, we evaluated the Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS)'s capacity to verify job creation and to use a valid and reliable methodology to report the economic benefits of its Employment-Based Fifth Preference Immigrant Investor Program (EB-5 Program). We found that over time USCIS had increased its capacity to verify job creation by increasing the size and expertise of its workforce and by providing clarifying guidance and training, among other actions. However, we found that USCIS's methodology for reporting program outcomes and overall economic benefits of the EB-5 Program was not valid and reliable because it may understate or overstate program benefits in certain instances as it was based on the minimum program requirements of 10 jobs and a $500,000 investment per investor, instead of the number of jobs and investment amounts collected by USCIS on individual EB-5 Program forms. To more accurately and comprehensively assess and report the overall economic benefits of the program, we recommended that USCIS track and report data that immigrant investors report, and the agency verifies on its program forms for total investments and jobs created. USCIS concurred with this recommendation, stating that IPO will develop a plan to collect and aggregate additional data regarding EB-5 investment amounts and job creation, including revising USCIS data systems and processes, as appropriate. In a September 2015 update, USCIS further stated that IPO officials had already met with officials from the USCIS Office of Information Technology (OIT) on August 25, 2015, to discuss EB-5 data requirements, and that IPO is reviewing the fields in the Intranet Computer Linked Application Information Management System (iCLAIMS) database used for maintaining EB-5 and other immigration program data, to define data entry requirements. Once that is completed, USCIS stated that IPO will work with OIT to discuss any system changes needed to reliably aggregate data regarding EB-5 program investment amounts and job creation. In an August 2016 update, USCIS stated that through regular meetings with OIT, IPO has identified the assets needed to develop a case management system to meet the complex data needs of the EB-5 program. This system, which will be compatible with USCIS's electronic immigration system, is tentatively projected to be completed in FY 2017. We will continue to monitor USCIS's efforts to develop a system that will enable it to accurately and comprehensively assess and report the overall economic benefits of the program.
    Director: Gerald Dillingham
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To implement a more effective international strategy for achieving NextGen interoperability with other nations, the Secretary of Transportation should direct the FAA Administrator to conduct a risk assessment to identify potential threats and vulnerabilities to NextGen interoperability and establish timeframes for periodically re-evaluating these risks.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To implement a more effective international strategy for achieving NextGen interoperability with other nations, the Secretary of Transportation should direct the FAA Administrator to identify and document actions FAA will undertake to mitigate these risks, using information from the risk assessment as a basis for making management decisions about how to allocate resources for these activities.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Chris Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To ensure the accuracy of the data submitted by chemical facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD, in the interim, to identify potentially miscategorized facilities with the potential to cause the greatest harm and verify the Distance of Concern these facilities report is accurate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, as of November 2016 ISCD completed its assessment of all Top-Screens which reported threshold quantities of release-toxic chemicals of interest and identified 158 facilities with the potential to cause the greatest harm. ISCD contacted all 158 facilities and received revised Top-Screens from 101, according to ISCD officials. ISCD halted pursuit of revised Top-Screens from the remaining facilities during summer 2016 in anticipation of the pending release of CSAT 2.0, the Top-Screen application, which both eliminates the Distance of Concern question and will result in all remaining facilities being required to submit a new Top-Screen upon the activation of CSAT 2.0. CSAT 2.0 was activated October 1, 2016, and DHS sent a letter to each of the remaining facilities informing them of their obligation to submit a new Top-Screen, according to ISCD officials. ISCD is continuing to monitor the resolution of the remaining cases and expects to have assessed updated Top-Screens for all of them within the first or second quarter of 2017. We will update the status of this recommendation after additional information is received from DHS.
    Recommendation: In addition, to better manage compliance among high-risk chemical facilities and demonstrate program results, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD to develop documented processes and procedures to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, ISCD is nearing finalization of the updated CFATS Inspection Standard Operating Procedure (SOP) and has made progress on the new CFATS Enforcement SOP. Once completed, expected in mid-2017, these two documents collectively will formally document the processes and procedures currently being used to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans, according to ISCD officials. We will update the status of this recommendation after additional information is received from DHS.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the SLS cost and schedule estimates better conform with best practices and are useful to support management decisions, the NASA Administrator should direct SLS officials to update the SLS cost and schedule estimates, at least annually, to reflect actual costs and schedule and record any reasons for variances before preparing their budget requests for the ensuing fiscal year. To the extent practicable, these updates should also incorporate additional best practices including thoroughly documenting how data were adjusted for use in the update and cross-checking results to ensure they are credible.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA agreed with this recommendation and reported taking steps to address it through its annual assessment of the SLS's current cost and schedule estimates against its Agency Baseline Commitment. The agency provided the results of this assessment but did not address the deficiencies we identified in NASA's original estimate, including thoroughly documenting how data were adjusted for the update and cross-checking the results to ensure credibility. In order to close this recommendation, NASA's estimate of its current costs would ideally include documentation of how data were adjusted for use in the updated estimate as well as an explanation of any estimating methodology crosschecks. At a minimum, the estimate documentation should include an explanation of variances between the original estimate and the current estimate.
    Recommendation: To provide more comprehensive information on program performance, the NASA Administrator should direct the SLS program to expedite implementation of the program-level EVM system.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The SLS program concurred with our recommendation and has taken steps to implement a program-level earned value management (EVM) system. In May 2016, NASA and Boeing finalized their contract for the SLS core stage, the largest development effort in the program. According to NASA officials, the SLS program began receiving contractor earned value management data derived from the new core stage performance measurement baseline in fall 2016. At that time the program implemented a program-level EVM system tracking both in-house and contractor effort.
    Recommendation: To ensure that decisionmakers are able to track progress toward the agency's committed launch readiness date, the NASA Administrator should direct the SLS program to include as part of the program's quarterly reports to NASA headquarters a reporting mechanism that tracks and reports program progress relative to the agency's external committed cost and schedule baselines.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The SLS program concurred with our recommendation. According to NASA officials, the program has taken steps to track and report progress relative to the agency's external committed cost and schedule baselines within the program's quarterly reports to NASA headquarters. The program, however, has not yet provided documentation of these actions to GAO.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To strengthen the Washington Metropolitan Area Transit Authority's (WMATA) risk assessment and monitoring components of internal control, WMATA's board of directors, working with the General Manager and Chief Executive Officer of WMATA, should direct the appropriate WMATA officials to develop and implement a policy and related procedures for assessing WMATA's financial management-related risks.

    Agency: Washington Metropolitan Area Transit Authority
    Status: Open

    Comments: In July and August 2016, WMATA officials described to GAO the steps they have taken to address this recommendation. However, WMATA did not provide sufficient supporting documentation for GAO to verify that the recommendation was implemented. GAO continues to work with WMATA to understand the steps it has taken to address this recommendation.
    Recommendation: To strengthen the WMATA's risk assessment and monitoring components of internal control, WMATA's board of directors, working with the General Manager and Chief Executive Officer of WMATA, should direct the appropriate WMATA officials to develop and implement a policy and related written procedures for the Office of Internal Compliance to monitor the design and operating effectiveness of the five components of internal control related to financial management.

    Agency: Washington Metropolitan Area Transit Authority
    Status: Open

    Comments: In July and August 2016, WMATA officials described to GAO the steps they have taken to address this recommendation. However, WMATA did not provide sufficient supporting documentation for GAO to verify that the recommendation was implemented. GAO continues to work with WMATA to understand the steps it has taken to address this recommendation.
    Director: Joseph Kirschbaum
    Phone: (202) 512-9971

    3 open recommendations
    Recommendation: To improve the identification, alignment, and management of DOD's chemical and biological defense infrastructure and to fully institutionalize the use of risk assessments to support future investment decisions, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics to update the roles and responsibilities guidance in DOD Directive 5160.05E to identify which organizations are responsible for conducting and participating in CBDP Enterprise risk assessments.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation but has not yet completed actions to implement it. As of August 2017, DOD was still waiting to release the final version of DOD Directive 5160.05E.
    Recommendation: To improve the identification, alignment, and management of DOD's chemical and biological defense infrastructure and to fully institutionalize the use of risk assessments to support future investment decisions, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics to update the CBDP Enterprise's portfolio planning process, to include when risk assessments will be conducted.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation but has not yet completed actions to implement it. On 6/8/16, DOD reported that the risk assessment process was initially piloted in 2014 to determine its utility for informing CBDP Enterprise portfolio planning and guidance. Moving forward, the CBDP Enterprise plans to conduct risk assessments annually to support portfolio planning and guidance. As of August 2017, DOD reported that the department was beginning an approximately 12-month process to revise the CBDP Business Plan, which would likely be published as a DOD Instruction. This plan should address the risk assessment recommendation.
    Recommendation: To improve the identification, alignment, and management of DOD's chemical and biological defense infrastructure and to enhance PAIO's ongoing analysis of potential infrastructure duplication in the CBDP Enterprise and gain potential efficiencies, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics to identify, request, and consider any information from existing infrastructure studies from other federal agencies with chemical and biological research and development and test and evaluation infrastructure.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation but has not yet completed actions to implement it. As of July 2017, DOD has requested, but not received, such studies from other federal agencies. However, DOD is currently engaged in phase two of a three-phase effort regarding its chemical and biological defense infrastructure program (CBDP), which includes a review of the department's interagency roles and responsibilities for its chemical and biological defense Infrastructure Manager. Targeted completion for this phase is December 2017, at which time, DOD may have obtained relevant information from other federal agencies.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    4 open recommendations
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to, in planned supplemental planning guidance to be developed, identify actions beyond the minimum standards that components should take to enhance their insider-threat programs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to evaluate and document the extent to which current assessments provide a continuing analysis of gaps for all DOD components; report to Congress on the results of this evaluation; and direct that the overall results of these self- and independent assessments be reviewed by the Office of the Under Secretary of Defense for Intelligence.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to provide DOD components supplemental guidance that directs them to incorporate risk assessments into their insider-threat programs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To further enhance the department's efforts to protect its classified information and systems from insider threats, the Secretary of Defense should identify an insider-threat program office to support the Under Secretary of Defense for Intelligence's responsibilities in managing and overseeing DOD and components' insider-threat programs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: John Pendleton
    Phone: (202) 512-3489

    1 open recommendations
    Recommendation: To balance combatant commanders' demands for forward presence with the Navy's needs to sustain a ready force over the long term and identify and mitigate risks consistent with Federal Standards for Internal Control, the Secretary of Defense should direct the Secretary of the Navy to develop a comprehensive assessment of the long-term costs and risks to the Navy's surface and amphibious fleet associated with its increasing reliance on overseas homeporting to meet presence requirements, make any necessary adjustments to its overseas presence based on this assessment, and reassess these risks when making future overseas homeporting decisions and developing future strategic laydown plans.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Navy had not completed its assessment.
    Director: A. Nicole Clowers
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To improve SEC's FINRA oversight program, the SEC Chair should direct the appropriate offices and divisions to incorporate additional risk-management practices by taking several actions, including: (1) establishing specific performance goals for the program and performance measures and related targets to assess Market Oversight's progress in meeting those goals; (2) formalizing documentation of procedures, including procedures for making changes to the annual planned oversight activities and decision-making rationales; and (3) modifying existing risk-assessment procedures to require an assessment of internal risks to successfully meeting the FINRA oversight program's goals and objectives.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: On August 26, 2016, SEC staff said that they had put together proposals to address the recommendation shortly after the report was issued and were awaiting management approval. However, in the meantime, SEC reorganized its examination staff and created a dedicated FINRA oversight group. The reorganization was expected to be complete by October 2016. SEC staff planned to incorporate, for management's approval, the elements in the proposals into the new policies and procedures for the FINRA oversight group. Subsequently, on February 13, 2017, SEC staff said that SEC now has new management in place that is learning about the risk management framework and is assessing how best to incorporate GAO's recommendations into the framework.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To improve the accountability and transparency of FirstNet's operations, and ensure that FirstNet is gaining as much knowledge from the early builder projects as possible, FirstNet should strengthen FirstNet's internal control system by fully assessing risks, developing standards of conduct, and evaluating performance against these standards.

    Agency: Department of Commerce: National Telecommunications and Information Administration: First Responder Network Authority
    Status: Open

    Comments: When we confirm what actions the First Responder Network Authority (FirstNet) has taken in response to this recommendation, we will provide updated information.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Secretary of the Department of Homeland Security should direct FPS to develop and implement a strategy for using covert-testing data and data on prohibited items to improve FPS's security-screening efforts. The strategy should, at a minimum, aim to ensure that: (1) covert-testing data are used to systematically monitor, review, and improve performance nationwide; (2) covert-testing data are used to determine which testing scenarios will be implemented or reinstated; and (3) data on prohibited items are analyzed to determine the reasons for wide variations in the number of reported prohibited-items detected across buildings and to assist with managing the screening process and informing policy.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, implementation of this recommendation was in process, according to the Federal Protective Service (FPS). FPS provided no additional information, but plans to update GAO in the coming weeks on the status of this and other open recommendations.
    Director: Thomas Melito
    Phone: (202) 512-9601

    2 open recommendations
    including 2 priority recommendations
    Recommendation: To strengthen its management of cash-based food assistance projects and help ensure improved oversight of these projects, the USAID Administrator should develop policy and comprehensive guidance for USAID staff and implementing partners for financial oversight of cash-based food assistance projects.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with this recommendation in its comments to the March 2015 GAO report. In June 2016, USAID reported that it would work with the Cash Learning Partnership (CaLP) on the development and dissemination of policy and guidance related to financial oversight of cash-based food assistance projects. In April 2017, USAID stated that it is continuing to work with CaLP and provide training for FFP staff and implementing partners for the oversight and management of cash-based food assistance programs, including courses related to the financial oversight. However, as of April 2017, USAID had not completed any guidance for USAID staff and implementing partners for financial oversight of cash-based food assistance projects.
    Recommendation: To strengthen its management of cash-based food assistance projects and help ensure improved oversight of these projects, the USAID Administrator should require USAID staff to conduct systematic financial oversight of USAID's cash-based food assistance projects in the field.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with this recommendation in its comments to the March 2015 GAO report. In January 2017, USAID stated that it was continuing to pursue training opportunities for staff in response to this recommendation. However, USAID, as of April 2017, had not completed efforts to address the recommendation. GAO will continue to monitor USAID's efforts to require staff to conduct systematic financial oversight and determine the extent to which the training and third monitoring will address this issue.
    Director: J. Christopher Mihm
    Phone: (202) 512-6806

    1 open recommendation
    Recommendation: The Director of the Office of Management and Budget should direct, as appropriate, federal agencies involved with the White House Working Group on Detroit, to collect good practices and lessons learned from their efforts to assist Detroit during its fiscal crisis and share them with other federal agencies and local governments. Toward this end, OMB may want to consider making use of existing knowledge and capacity associated with the Strong Cities, Strong Communities Initiative and its National Resource Network.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In commenting on a draft of GAO's March 2015 report, OMB neither agreed nor disagreed with this recommendation. In April 2017, OMB staff stated that they believed steps had been taken to preserve some of the lessons coming out of the administration's efforts to assist the City of Detroit during its fiscal crisis. However, they were unable to provide specifics. GAO has requested additional information and supporting documentation regarding this effort.
    Director: Johana Ayers
    Phone: (202) 512-5741

    2 open recommendations
    Recommendation: To help manage the risks from changes in conference participation and any potential effects on the defense S&T enterprise, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering, in consultation with the Office of the DCMO, to develop a plan to analyze and periodically reevaluate the risks from changes in participation at S&T conferences for any potential effects on DOD's ability to meet its scientific mission, including identifying and collecting additional information needed to conduct this analysis.

    Agency: Department of Defense
    Status: Open

    Comments: In September 2015, DOD updated its conference approval guidelines. According to DOD, these guidelines were designed to facilitate conference participation and attendance by DOD employees. The updated guidelines now treat conference attendance as Temporary Duty/Temporary Assigned Duty, and delegate approval authority to the lowest level possible. However, DOD has not yet implemented a requirement to develop a plan and periodically reevaluate the risks from changes in participation at S&T conferences as of June 2016 because officials in the Office of the Deputy Chief Management Officer believe this recommendation in GAO-15-278 is no longer applicable as a result of its updated conference approval guidelines. We disagree and believe this recommendation continues to have merit in order for DOD to better understand and manage the risks to achieving its S&T mission from any future changes in conference participation, and to determine if any future actions to adjust its conference approval guidelines are warranted.
    Recommendation: To help manage the risks from changes in conference participation and any potential effects on the defense S&T enterprise, the Secretary of Energy should direct the Administrator of NNSA and the relevant national lab directors, in consultation with DOE's Office of Management, to develop a plan to analyze and periodically reevaluate the risks from changes in participation at S&T conferences for any potential effects on NNSA's ability to meet its scientific mission, including identifying and collecting additional information needed to conduct this analysis.

    Agency: Department of Energy
    Status: Open

    Comments: In August 2015, DOE updated its conference management policies and procedures to, among other things, expedite the conference attendance approval process by establishing timeframes for review and approval. According to DOE, as of September 2016, streamlining the conference approval process eliminates the need to periodically evaluate risks from changes in participation at S&T conferences. We disagree and believe this recommendation continues to have merit in order for DOE to better understand and manage the risks to achieving its S&T mission from any future changes in conference participation, and to determine if any future actions to adjust its conference approval guidelines are warranted.
    Director: Cary Russell
    Phone: (202) 512-5431

    1 open recommendation
    Recommendation: To address the limitations of existing distribution performance metrics, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with TRANSCOM, to revise guidance to ensure that a customer wait time standard is established and used for the Marine Corps.

    Agency: Department of Defense
    Status: Open

    Comments: In September 2016, the Marine Corps had established a Customer Wait Time (CWT) standard and developed CWT metrics that are in alignment with DOD policy. These changes were to be incorporated into Marine Corps policy through their normal Service procedures. As of September 2017, we are unaware of any actions taken to implement this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: To improve the reliability and reporting of investment performance information and management of selected major investments, the Commissioner of the IRS should direct the Chief Technology Officer to modify reporting of the Affordable Care Act Administration testing status to senior management to include a comprehensive report on all impacted systems--including an explanation for why impacted systems were not tested at a particular level--and ensure this reporting is aligned with the manner in which testing is being performed.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS disagreed with this recommendation at the time we made it, stating that it followed a rigorous risk-based process for planning the tests of ACA-impacted systems, including the types and levels of testing, and that it had comprehensive reporting for the filing season 2015 release, which included ACA-impacted systems. However, as noted in our report, our review of ACA Testing Review Checkpoint reports and filing season reports, which officials stated were used to provide comprehensive reports to senior managers, did not identify the status of testing for all systems impacted by ACA Releases 5.0 and 6.0. We therefore concluded that the recommendation was still valid. As of July 2017, IRS had not changed its position. We will be following up with the agency to discuss the recommendation.
    Director: Mctigue Jr, James R
    Phone: (202) 512-7968

    2 open recommendations
    Recommendation: To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by documenting the underlying analysis justifying cost-influencing assumptions.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of April 2017, IRS has taken steps to update its methodology for calculating and reporting its Taxonomy estimates. IRS provided GAO with updated Taxonomy estimates for 2015; GAO is reviewing these estimates to determine the extent to which IRS has implemented GAO's recommendation.
    Recommendation: To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by reporting the inherent imprecision and uncertainty of the estimates. For example, IRS could provide a range of values for its Taxonomy estimates.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of April 2017, IRS has taken steps to update its methodology for calculating and reporting its Taxonomy estimates. IRS provided GAO with updated Taxonomy estimates for 2015; GAO is reviewing these estimates to determine the extent to which IRS has implemented GAO's recommendation.
    Director: David C. Trimble
    Phone: (202) 512-3841

    5 open recommendations
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and direct field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal year 2015 and 2016 improper payments guidance. The revised guidance directs field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites. The guidance further requires each site Chief Financial Officer to certify to the accuracy of improper payments and risk rating. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify how payment sites are to address risk factors and document the basis for their risk rating determinations and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal years 2015 and 2016 improper payments guidance requiring sites to prepare risk assessments using a new risk assessment format. The guidance states that the new format was developed to improve consistency among the sites and improve documentation supporting the risk ratings. In the new format, each risk factor includes a description of the risk factor, rating criteria and/or questions to consider during the evaluation to assist sites in determining a risk rating by payment type. The guidance also requires all sites to maintain supporting documentation for their risk assessment. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify who is responsible at DOE for reviewing and approving risk assessments for consistency across sites and take steps to ensure those entities implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal years 2015 and 2016 improper payments guidance to require site Chief Financial Officers and the Director of Risk Management of the Loan Programs Office to provide a signed certification to DOE's Director of the Office of Finance and Accounting certifying to the accuracy of improper payments and the risk assessment and rating submitted. The guidance provides templates for these certifications. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and provide specific examples of other risk factors that present inherent risks likely to contribute to significant improper payments, in addition to the eight risk factors, direct payment sites to consider those when performing their improper payment risk assessments, and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal year 2015 and 2016 improper payments guidance. In addition to the required OMB risk factors, the guidance added the following additional risk factors to be included in the risk assessments: (1) contractor payment processing oversight and (2) segregation of duties. The guidance states these factors have been added to ensure that inherently high-risk areas that can contribute to a site's susceptibility to significant improper payments are properly evaluated. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To provide better transparency regarding its total known improper payments reported under IPERA, the Secretary of Energy should direct the department's Chief Financial Officer to improve public reporting on the amount of total known improper payments by disclosing additional information regarding this amount and the extent to which improper payments could be occurring.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had added supplemental information to its fiscal year 2016 Agency Financial Report. We will continue to gather additional information from DOE to determine the extent to which this information addresses the amount of total known improper payments.
    Director: Brian Lepore
    Phone: (202) 512-4523

    2 open recommendations
    Recommendation: To improve the ability of the Department of Defense and the military departments to manage the potential for foreign encroachment near their test and training ranges, the Secretary of Defense, in consultation with the military departments, should develop and implement guidance for assessing risks to test and training ranges from foreign encroachment in particular, to include: (1) determining the criticality and vulnerability of DOD's ranges and the level of the threat; and (2) a time frame for completion of risk assessments.

    Agency: Department of Defense
    Status: Open

    Comments: In October 2017, DOD stated that it has conducted a data call to the services to identify the locations that the services consider to be at risk from foreign encroachment. DOD has received this information from the services and is using it to inform the development of guidance. That effort is in process, so this recommendation is still open.
    Recommendation: To identify potential foreign encroachment concerns on federally-owned land near test and training ranges, the Secretary of Defense should collaborate with the secretaries of relevant federal agencies, including at a minimum the Secretaries of the Interior and Transportation, to obtain additional information needed from federal agencies managing land and transactions adjacent to DOD's test and training ranges. If appropriate, legislative relief should be sought to facilitate this collaborative effort.

    Agency: Department of Defense
    Status: Open

    Comments: In October 2017, DOD stated that it continues to engage with land management agencies on this issue and has met with about eight agencies in the past several years, including the Forest Service in September 2017. The agencies that DOD has met with fit into two main categories: (1) land management agencies such as Department of the Interior and Department of Transportation and (2) trade and foreign relation focused agencies such as Department of State and the Department of Treasury. In addition, DOD continues to explore the possibility of legislative relief to assist in this area. This effort is in process, so this recommendation is still open.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: In order to provide additional information and analyses to effectively manage the program and account for new risks identified after the 2011 replan, the NASA Administrator should direct JWST project officials to follow best practices while conducting a cost risk analysis on the prime contract for the work remaining and ensure the analysis is updated as significant risks emerge.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: JWST did conduct a cost risk analysis and provided the results to GAO. We reported in GAO-16-112 that it substantially met best practices. However, the project stated they did not plan to update the analysis as significant risks emerged, which is a key element of the recommendation.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    1 open recommendation
    Recommendation: To ensure that TSA's planned testing yields reliable results, the TSA Administrator should take steps to ensure that TSA's planned effectiveness testing of the Managed Inclusion process adheres to established evaluation design practices.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: TSA continues to make progress on implementing this recommendation. In March 2017, TSA reported that an evaluation of the security effectiveness of the managed inclusion process is to be completed over the next few weeks. Once documentation for the evaluation is available, TSA will provide it for review and analysis.
    Director: Alicia Puente Cackley
    Phone: (202) 512-8678

    2 open recommendations
    Recommendation: To achieve greater efficiency and effectiveness, Congress should consider transferring the oversight of the markings of toy and imitation firearms in 15 U.S.C. 5001 from the National Institute of Standards and Technology (within the Department of Commerce) to the Consumer Product Safety Commission.

    Agency: Congress
    Status: Open

    Comments: This matter is an action identified in GAO's annual Duplication and Cost Savings reports. There has been no legislative action identified. The Gun Look-Alike Case Act, H.R. 3224, which was introduced on July 27, 2015, in the 114th Congress, would transfer the authority to regulate the markings of toy, look-alike, and imitation firearms in section 5001 of title 15 of the U.S. Code from NIST to CPSC, as GAO suggested in November 2014. This bill was referred to the Subcommittee on Commerce, Manufacturing, and Trade of the Committee on Energy and Commerce in the United States House of Representatives, and did not pass out of committee. As of March 1, 2017, the bill has not been reintroduced in the 115th Congress.
    Recommendation: To improve existing coordination of oversight for consumer product safety, Congress should consider establishing a formal comprehensive oversight mechanism for consumer product safety agencies to address crosscutting issues as well as inefficiencies related to fragmentation and overlap such as communication and coordination challenges and jurisdictional questions between agencies. Different types of formal mechanisms could include, for example, creating a memorandum of understanding to formalize relationships and agreements or establishing a task force or interagency work group. As a starting point, Congress may wish to obtain agency input on options for establishing more formal coordination.

    Agency: Congress
    Status: Open

    Comments: This matter is an action identified in GAO's annual Duplication and Cost Savings reports. There has been no legislative action identified. No legislation was introduced as of March 1, 2017, that would establish a collaborative mechanism to facilitate communication across the relevant agencies and to help enable them to collectively address crosscutting issues, as GAO suggested in November 2014. Some of the agencies with direct regulatory oversight responsibilities for consumer product safety reported that they continue to collaborate to address specific consumer product safety topics. However, without a formal comprehensive oversight mechanism, the agencies risk missing opportunities to better leverage resources and address challenges, including those related to fragmentation and overlap.
    Director: Daniel Bertoni
    Phone: (202) 512-7215

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To improve the ability of the agency to detect and prevent potential physician-assisted fraud, and to address potential disincentives for staff to detect and prevent physician-assisted fraud, SSA should review the standards used to assess DDS performance; and develop and distribute promising practices to incentivize staff to better balance the goal of processing claims promptly with the equally important goal of identifying and reporting evidence of potential fraud.

    Agency: Social Security Administration
    Status: Open

    Comments: SSA partially agreed with this recommendation, citing that their employees take their stewardship responsibilities seriously and that field office and disability determination services (DDS) employees are the agency's first and best line of defense against fraud. In 2016, the agency reported that it was working with experts in its OIG and Office of Anti-Fraud Programs to develop and disseminate promising practices on identifying and reporting fraud. We will close this recommendation once SSA takes steps to review its standards for assessing DDS performance and disseminates the best practices it is developing.
    Recommendation: To improve the ability of the agency to detect and prevent potential physician-assisted fraud, and to address the potential risks associated with medical evidence submitted by sanctioned physicians, SSA should evaluate the threat posed by this information and, if warranted, consider changes to its policies and procedures.

    Agency: Social Security Administration
    Status: Open

    Comments: As of 2016, SSA reported that it was pursuing several options to address the potential risks of medical evidence submitted by sanctioned physicians. This included determining how it could use licensure information from the List of Excluded Individuals and Entities. SSA stated that it believes the best opportunity to further evaluate the possible review of the license statuses of medical evidence providers is in conjunction with the implementation of the National Vendor File, part of the national Disability Case Processing System, which is under development. In addition, SSA reported it had drafted two Social Security Rulings to define fraud and to provide processes for disregarding evidence and making redeterminations in disability claims when there is reason to believe that fraudulent evidence was provided. We will close this recommendation once SSA articulates a strategy for using license status information in the vendor file and it finalizes its rulings.
    Recommendation: To improve the ability of the agency to detect and prevent potential physician-assisted fraud, and to help ensure new initiatives that use analytics to identify potential fraud schemes are successful, SSA should develop an implementation plan that identifies both short- and long-term actions, including: (1) timeframes for implementation; (2) resources and staffing needs; (3) data requirements, e.g., the collection of unique medical provider information; (4) how technology improvement will be integrated into existing technology improvements such as the Disability Case Processing System and National Vendor File; and (5) how different initiatives will interact and support each other.

    Agency: Social Security Administration
    Status: Open
    Priority recommendation

    Comments: Since fiscal year 2015, SSA has taken several steps that will help the agency to combat fraud, waste, and abuse. SSA established the Office of Anti-Fraud Programs to provide centralized oversight and accountability for the agency's initiatives, which, in consultation with the Office of the Inspector General and other SSA components, will lead the development of SSA's anti-fraud initiatives and activities. This includes efforts to mitigate fraud through data analytics that utilize SSA's existing data systems. SSA developed a strategic plan for fiscal years 2016-2018 to guide its anti-fraud efforts that includes the use of data analytics. However, this plan does not specifically address actions to combat potential physician-assisted fraud. As of April 2017, SSA stated that it continued to develop a fraud management strategy that is consistent with the leading practices identified in GAO's report. Once the strategy is complete, SSA plans to conduct a fraud risk assessment on its major lines of business, beginning with the disability program in fiscal year 2017. We will continue to monitor SSA's progress to identify and prevent fraud schemes that include physicians.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: To help improve the implementation of GCSS-Army, the Secretary of the Army should ensure that the Under Secretary of the Army, in his capacity as the Chief Management Officer, directs the GCSS-Army Program Management Office to develop an updated schedule that fully incorporates best practices, including (1) assigning resources to all activities, (2) establishing durations of all activities, (3) confirming that the critical path is valid, and (4) ensuring reasonable total float.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: We are in the process of obtaining an updated integrated master schedule from DOD to determine if Army fully incorporated best practices. As of June 2017, Army officials told us that the integrated master schedule and revised cost estimate will not be available until December 2017. This recommendation remains open.
    Recommendation: To help improve the implementation of GCSS-Army, the Secretary of the Army should ensure that the Under Secretary of the Army, in his capacity as the Chief Management Officer, directs the GCSS-Army Program Management Office to update the cost estimate to fully incorporate best practices by documenting the results of (1) a risk and uncertainty analysis, (2) the cross-checking of major cost elements to see if results are similar, and (3) a sensitivity analysis.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: We are in the process of obtaining an updated cost estimate from DOD to determine if Army fully incorporated best practices. As of June 2017, Army officials told us that the integrated master schedule and revised cost estimate will not be available until December 2017. This recommendation remains open.
    Director: Charles Michael Johnson, Jr.
    Phone: (202) 512-7331

    1 open recommendation
    Recommendation: For elements identified in the Countering Iran in the Western Hemisphere Act of 2012 that were not fully addressed in the strategy, the Secretary of State should provide the relevant congressional committees with information that would fully address these elements. In the absence of such information, State should explain to the congressional committees why it was not included in the strategy.

    Agency: Department of State
    Status: Open

    Comments: In a letter dated December 23, 2014, the Department of State (State) noted that the elements identified in the GAO report as not being adequately addressed by State were matters where the consensus of the intelligence community was that there was not an identifiable threat to counter. GAO's report assessed that State did not address four specific elements identified in the Countering Iran in the Western Hemisphere Act of 2012. State's December 2014 letter provided explanations for these four elements, including the availability of information on existing agency websites, briefings provided to Congress, and State's lack of finding that foreign governments showed clear threats. We continue to maintain that the strategy did not include all of the elements that the law stated should be included, and State did not demonstrate that it provided relevant congressional committees with information that would fully address these elements. In December 2015, State noted that it remains in close contact with the relevant congressional committees across a range of security, economic and political issues with regard to the Western Hemisphere on a regular and continuing basis. State further noted that it provided an oral briefing along with its original submission of the report to Congress and answered questions posed by Congress. State officials said that they stand ready to provide further information in the appropriate setting should it be requested. However, State did not provide GAO with information about whether it had provided information to Congress specifically for the elements identified in the Countering Iran in the Western Hemisphere Act of 2012 that were not fully addressed in the strategy, nor provide additional information about whether State explained to the congressional committees why any absence of such information was not included in the strategy.
    Furthermore, GAO learned from the House Foreign Affairs Committee staff that State and the Office of the Director for National Intelligence provided a briefing to the committee regarding Iranian activities in Latin America on February 25, 2016. As of August 2016, GAO did not receive any documents related to the briefings because, according to State, the talking points document was considered deliberative and therefore could not be shared. According to State officials, they continue to monitor the issue and brief Congress as appropriate. As of June 2017, State noted that its position regarding this recommendation and the deliberative nature of the talking points document remains unchanged.
    Director: Cary Russell
    Phone: (202) 512-5431

    6 open recommendations
    including 1 priority recommendation
    Recommendation: To help DOD develop an affordable sustainment strategy for the F-35, the Secretary of Defense should direct the Under Secretary of Defense for Acquisitions, Technology and Logistics to direct the F-35 Program Executive Officer to establish affordability constraints linked to, and informed by, military service budgets that will help guide sustainment decisions, prioritize requirements, and identify additional areas for savings by March 2015, at which point the Future Support Construct decision will be approved.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendation and stated in April 2017 that the F-35 Program Executive Officer and the F-35 enterprise have expanded their collaborative effort to reduce F-35 operating and support (O&S) costs to ensure that they deliver affordable readiness for the F-35 fleet. In an effort to reduce overall O&S costs, the department has undertaken several initiatives. For example, according to DOD, as of January 2017, a program office "cost war room" initiative had reduced the 2012 F-35 annual cost estimate by $60.7 billion. Additionally, according to DOD, a Reliability and Maintainability Improvement Program has resulted in a $1.7 billion O&S cost avoidance through the program's life cycle. Other efforts are also under way that aim to help reduce O&S costs by better informing sustainment decision-making. While the department is taking steps to try to reduce overall O&S costs, the program has yet to develop affordability constraints linked to the military services' budgets. Without affordability constraints that are linked to military service budgets, it remains unclear the extent to which the military services can afford to operate and sustain the F-35 throughout its life cycle as currently planned.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to enable DOD to better identify, address, and mitigate performance issues with the Autonomic Logistics Information System (ALIS) that could have an effect on affordability, as well as readiness, to establish a performance-measurement process for ALIS that includes, but is not limited to, performance metrics and targets that (1) are based on intended behavior of the system in actual operations and (2) tie system performance to user requirements.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the ALIS Integrated Product Team (IPT) is continuing to work with the Joint Program Office's Performance Based Logistics (PBL) team to further develop and refine appropriate metrics for inclusion into future sustainment contracts. Although DOD has made progress in developing performance metrics for ALIS, as of September 2017, DOD has yet to develop metrics that are based on intended behavior of the system and tie system performance to user requirements. Until this progression is made, this recommendation will remain open.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to develop a high level of confidence that the aircraft will achieve its R+M goals, to develop a software reliability and maintainability (R+M) assessment process, with metrics, by which the program can monitor and determine the effect that software issues may have on overall F-35 R+M issues.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has an R&M assessment process in place, but as of September 2017, had not developed a process that would focus directly on software reliability and maintainability. Until DOD develops a process more focused on software and its effects on overall R&M issues, this recommendation will remain open.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to promote competition, address affordability, and inform its overarching sustainment strategy, to develop a long-term Intellectual Property (IP) Strategy to include, but not be limited to, the identification of (1) current levels of technical data rights ownership by the federal government and (2) all critical technical data needs and their associated costs.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has still not developed an overall strategy that would identify data rights ownership, needs, and costs. As of September 2017, the program had taken some steps to develop an Intellectual Property Strategy, but has not identified all critical needs and their associated costs. Program office officials said that they are currently working with the prime contractor to develop a list of technical data requirements. Until this strategy is developed, this recommendation will remain open.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to understand the potential range of costs associated with the JPO F-35 O&S cost estimate, to conduct uncertainty analyses on future JPO estimates.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD had not applied risk/uncertainty analyses to its cost estimates. Until it does so, this recommendation will remain open.
    Recommendation: To improve the reliability of the CAPE F-35 O&S cost estimate, the Secretary of Defense should direct the Director of CAPE, for future F-35 O&S cost estimates, to conduct uncertainty analyses to understand the potential range of costs associated with its estimates to reflect the most likely costs associated with the program.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the Cost Assessment and Program Evaluation (CAPE) has not updated its F-35 estimate subsequent to the release of GAO-14-778. Pending a major program change, CAPE will update the F-35 O&S estimate for the full-rate production decision point in the second quarter of fiscal year 2019. Until CAPE updates its F-35 estimate, we will not be able to determine if they will perform any uncertainty analyses on its cost estimate; therefore, this recommendation will remain open as of September 1, 2017.
    Director: Diana C. Maurer
    Phone: (202) 512-9627

    6 open recommendations
    including 5 priority recommendations
    Recommendation: The Secretary of Homeland Security should designate the headquarters consolidation program a major acquisition, consistent with DHS acquisition policy, and apply DHS acquisition policy requirements.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In alignment with GAO's recommendation, on September 16, 2014, DHS issued an Acquisition Decision Memorandum designating the DHS-funded portions of the headquarters consolidation program as a Major Acquisition Program to be overseen by the departmental Acquisition Review Board (ARB). DHS made further progress implementing this recommendation by conducting and documenting an ARB of the program on November 15, 2016. The ARB process provided DHS greater oversight of headquarters consolidation, and provided a forum for officials to consider a wide range of issues affecting consolidation efforts, such as funding and project scope. However, DHS and General Services Administration (GSA) were required to revise their cost and schedule estimates subsequent to the ARB's review. In addition, as of March 2017, DHS, in coordination with GSA, had not submitted the report to Congress on DHS Headquarters Consolidation mandated by Pub. L. No. 114-150. GAO will reassess the status of this recommendation after cost and schedule estimates are finalized and DHS and GSA submit the required report to Congress, i.e., when there is more certainty about the future direction of the project overall and DHS's funded portion in particular.
    Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to conduct the following assessments and use the results to inform updated DHS headquarters consolidation plans: (1) a comprehensive needs assessment and gap analysis of current and needed capabilities that take into consideration changing conditions, and (2) an alternatives analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the project and prioritizes options to account for funding instability.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region, and an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project. DHS and GSA have made significant progress in developing a revised plan for headquarters consolidation since 2014, including the completion of a business case analysis to support the new plan. GAO will review the latest information on DHS headquarters consolidation efforts when it is provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading capital planning practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.
    Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to conduct the following assessments and use the results to inform updated DHS headquarters consolidation plans: (1) a comprehensive needs assessment and gap analysis of current and needed capabilities that take into consideration changing conditions, and (2) an alternatives analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the project and prioritizes options to account for funding instability.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: GSA agreed with both recommendations to conduct a comprehensive needs assessment and gap analysis and to update cost and schedule estimates. The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150), enacted on April 29, 2016, mirrors GAO recommendations in this area. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS's headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes a comprehensive needs assessment, a costs and benefits analysis, and updated cost and schedule estimates. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. DHS and GSA have made significant progress in developing an Enhanced Plan for headquarters consolidation since 2014, including the completion of a business case analysis to support the new plan. In addition, GSA is leading efforts to revise the project's cost and schedule estimates, and according to GSA officials, the revised figures will take into account GAO's leading cost-estimation practices. We will review the latest information on DHS's headquarters consolidation efforts when it is provided to Congress, and will assess the materials in the context of these recommendations at that time. Continued DHS and GSA attention to following leading practices for capital planning and cost and schedule estimation is critical given the project's multi-billion dollar cost and impact on future departmental operations.
    Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, after revising the DHS headquarters consolidation plans, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to develop revised cost and schedule estimates for the remaining portions of the consolidation project that conform to GSA guidance and leading practices for cost and schedule estimation, including an independent evaluation of the estimates.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes updated cost and schedule estimates for the consolidation project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. GSA is leading efforts to revise project cost and schedule estimates, and according to GSA officials, the revised figures will take into account GAO's leading estimation practices. GAO will review the latest DHS headquarters consolidation cost and schedule estimates when they are provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading cost and schedule estimation practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.
    Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, after revising the DHS headquarters consolidation plans, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to develop revised cost and schedule estimates for the remaining portions of the consolidation project that conform to GSA guidance and leading practices for cost and schedule estimation, including an independent evaluation of the estimates.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes updated cost and schedule estimates for the consolidation project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. GSA is leading efforts to revise project cost and schedule estimates, and according to GSA officials, the revised figures will take into account GAO's leading estimation practices. GAO will review the latest DHS headquarters consolidation cost and schedule estimates when they are provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading cost and schedule estimation practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.
    Recommendation: Congress should consider making future funding for the St. Elizabeths project contingent upon DHS and GSA developing a revised headquarters consolidation plan, for the remainder of the project, that conforms with leading practices and that (1) recognizes changes in workplace standards, (2) identifies which components are to be colocated at St. Elizabeths and in leased and owned space throughout the National Capital Region, and (3) develops and provides reliable cost and schedule estimates.

    Agency: Congress
    Status: Open

    Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2017, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Officials stated that the information would be submitted as soon as possible, but exact timeframes were uncertain given ongoing project deliberations and internal reviews. Required information includes: a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region; an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project; and updated cost and schedule estimates for the project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. A comprehensive report to Congress on DHS headquarters consolidation, along with reliable project cost and schedule estimates, could inform Congress's funding decisions.
    Director: Stephen Caldwell
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has taken action in response to GAO's September 2014 recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments, but has not fully implemented the recommendation. DHS first reported to GAO in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group comprised of a variety of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IP Gateway portal--IP's system that houses infrastructure data and identifies facilities that have been assessed by IP. In a July 2016 update, DHS reported that IP had reached agreement with DHS components to expand access to its IP Gateway portal to those partners as a means to share IP's vulnerability assessment information and help coordinate assessment visits and related activities. DHS also noted in its update that IP had begun providing access to IP Gateway to components within DHS but did not provide a date as to when that step would be complete. These are positive steps toward implementing a systematic and integrated approach for facilitating data sharing and coordination of vulnerability assessments throughout the department. However, developing a department-wide process to facilitate data sharing and coordination among the DHS offices and components that conduct or require vulnerability assessments would better enable DHS to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct. Because DHS is still in the process of completing these steps, the recommendation has not yet been fully implemented.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSA) and other federal agencies to determine the areas they capture.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Director: Jennifer A. Grover
    Phone: (202) 512-7141

    1 open recommendation
    Recommendation: To assess the progress of the Secure Flight program toward achieving its goals, the Transportation Security Administration's Administrator should develop additional measures to address key performance aspects related to each program goal, and ensure these measures clearly identify the activities necessary to achieve progress toward the goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions DHS TSA has taken in response to this recommendation, we will provide updated information. Status last confirmed on 10/26/15.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other security-related planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyber-related threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update status of implementation efforts.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    5 open recommendations
    including 3 priority recommendations
    Recommendation: To improve the acquisition management of the Plan and the reliability of its cost estimates and schedules, assess the effectiveness of deployed technologies, and better inform CBP's deployment decisions, when updating the schedules for the IFT, Remote Video Surveillance System (RVSS), and Mobile Surveillance Capability programs, the Commissioner of CBP should ensure that scheduling best practices, as outlined in our schedule assessment guide, are applied to the three programs' schedules.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open
    Priority recommendation

    Comments: In March 2014, CBP concurred with our recommendation and in response, stated it planned to ensure that scheduling best practices are applied as far as practical when updating the three program schedules. In May 2016 CBP provided us with complete schedules for the IFT and RVSS programs. In December 2016, we provided CBP our assessment of the updated schedules for the IFT and RVSS programs. In January 2017 CBP provided us with a complete schedule for the MSC program and in March 2017, we provided CBP with our assessment of the MSC schedule. In April 2017, CBP provided additional clarifying information in regards to the MSC schedule. As of May 2017, based on our assessment of the updated schedules for the IFT, RVSS, and MSC programs, CBP has made improvements in the quality of the schedules since our last report, but the program schedules have not met all characteristics of a reliable schedule.
    Recommendation: To improve the acquisition management of the Plan and the reliability of its cost estimates and schedules, assess the effectiveness of deployed technologies, and better inform CBP's deployment decisions, the Commissioner of CBP should develop and maintain an Integrated Master Schedule for the Plan that is consistent with scheduling best practices.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: In March 2014, CBP did not concur with this recommendation and maintained that an integrated master schedule for the Plan in one file undermines the DHS-approved implementation strategy for the individual programs making up the Plan, and that the implementation of this recommendation would essentially create a large, aggregated program, and effectively create an aggregated "system of systems". DHS further stated that a key element of the Plan has been the disaggregation of technology procurements. As of December 2016, CBP continues to non-concur with this recommendation and plans no further action. However, as we noted in the report, collectively these programs are intended to provide CBP with a combination of surveillance capabilities to be used along the Arizona border with Mexico. Moreover, while the programs themselves may be independent of one another, the Plan's resources are being shared among the programs. As such, we continue to believe that developing an integrated master schedule for the Plan is needed. Developing and maintaining an integrated master schedule for the Plan could allow CBP insight into current or programmed allocation of resources for all programs as opposed to attempting to resolve any resource constraints for each program individually.
    Recommendation: To improve the acquisition management of the Plan and the reliability of its cost estimates and schedules, assess the effectiveness of deployed technologies, and better inform CBP's deployment decisions, when updating Life-cycle Cost Estimates for the IFT and RVSS programs, the Commissioner of CBP should verify the Life-cycle Cost Estimates with independent cost estimates and reconcile any differences.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: In March 2014, DHS concurred with this recommendation. In May 2016 CBP provided us with updated life-cycle cost estimates for two of its highest-cost programs under the Plan--the Integrated Fixed Tower (IFT) and the Remote Video Surveillance (RVSS). Further, CBP officials stated that in fiscal year 2016, DHS's Cost Analysis Division started piloting DHS's independent cost estimate capability on the RVSS program. According to CBP officials, the pilot is an opportunity to assist DHS in developing its independent cost estimate capability and that CBP selected the RVSS program for the pilot because the program is at a point in its planning and execution process where it can benefit most from having an independent cost estimate performed as these technologies are being deployed along the southwest border, beyond Arizona. In August 2016, CBP officials provided an update stating that details for an estimated independent cost estimate schedule and analysis plan for the RVSS program had not yet been finalized. As of November 2016, CBP officials stated that the results of the independent cost estimate for the RVSS program are expected to be completed by January 31, 2017. Further, CBP officials have not detailed similar plans for the IFT. We continue to believe that independently verifying the life-cycle cost estimates for the IFT and RVSS programs and reconciling any differences, consistent with best practices, could help CBP better ensure the reliability of the estimates.
    Recommendation: To improve the acquisition management of the Plan and the reliability of its cost estimates and schedules, assess the effectiveness of deployed technologies, and better inform CBP's deployment decisions, the Commissioner of CBP should revise the IFT Test and Evaluation Master Plan to more fully test the IFT program, before beginning full production, in the various environmental conditions in which IFTs will be used to determine operational effectiveness and suitability, in accordance with DHS acquisition guidance.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open
    Priority recommendation

    Comments: In March 2014, DHS did not concur with this recommendation and stated that the Test and Evaluation Master Plan includes tailored testing and user assessments that will provide much, if not all, of the insight contemplated by the intent of the recommendation. According to CBP officials, acceptance testing was performed on the system in July 2015 and a limited user testing for the IFT system was conducted during October and November 2015. In May 2016, CBP reported that it had conditionally accepted seven out of 53 IFT systems in one area of responsibility. CBP also reported that it is working to deploy and test the remaining IFT unit systems to other areas of responsibility. In November 2016, CBP stated that they continue to non-concur with this recommendation and planned no further action. However, as we reported in March 2014, we continue to believe that revising the Test and Evaluation Master Plan to include more robust testing to determine operational effectiveness and suitability could better position CBP to (1) evaluate IFT capabilities before moving forward to full production for the system, (2) provide CBP with information on the extent to which the towers satisfy Border Patrol's user requirements, and (3) reduce potential program risks. Without conducting operational testing in accordance with DHS guidance, the IFT program may be at increased risk of not meeting Border Patrol operational needs.
    Recommendation: To improve the acquisition management of the Plan and the reliability of its cost estimates and schedules, assess the effectiveness of deployed technologies, and better inform CBP's deployment decisions, once data on asset assists are required to be recorded and tracked, the Commissioner of CBP should analyze available data on apprehensions and seizures and technological assists, in combination with other relevant performance metrics or indicators, as appropriate, to determine the contribution of surveillance technologies to CBP's border security efforts.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open
    Priority recommendation

    Comments: In February 2015, Border Patrol officials provided documentation stating that the agency has yet to analyze data on asset assists, in combination with other relevant performance metrics and indicators to determine the contributions of surveillance technologies to its mission. However, the Border Patrol plans to address this recommendation using the Capability Gap Analysis Process (CGAP) developed by Johns Hopkins University Applied Physics Lab specifically for the Border Patrol. According to Border Patrol officials, the CGAP will enable the agency to examine the effects of technology and other Border Patrol assets such as agents, infrastructure, in the context of everyday border patrol operations. The data generated by the CGAP along with e3 apprehension and seizure data will better inform the nature of the contributions and impacts of surveillance technology on enforcement efforts. Border Patrol officials explained that capturing data on asset assists within the e3 Processing database was the first step to determine the contribution of technology to detect, identify, and classify activity along the border. Further, the Border Patrol identified individual types of technology such as Integrated Fixed Towers, Mobile Video Surveillance System, Underground Sensors, etc. and grouped them into classes such as Fixed, Mobile and Relocatable to better distinguish the contribution of each class of technology. As the Border Patrol gains a better understanding through analysis, the agency plans to continue to refine the measures and the collection of the metrics. In November 2014, the Border Patrol proposed a timeline highlighting the agency's future efforts to capture and document the contributions of the different classes of technology to the Border Patrol's mission.
In our March 2016 update on the progress made by agencies to address our findings on duplication and cost savings across the federal government, we reported that CBP had modified its time frame for developing baselines for each performance measure and that additional time would be needed to implement and apply key attributes for metrics. In March 2016, according to CBP officials, the actual completion was being adjusted pending test and evaluation results for recently deployed technologies on the southwest border. In addition, Border Patrol officials told us that they planned to have various qualitative and quantitative performance measures of technology completed by the end of fiscal year 2016. These measures would help profile different levels of situational awareness in different areas of the border. In September 2016, Border Patrol provided a case study that assessed CGAP data with technology assist data and other measures to determine contributions of surveillance technologies to its mission. While this is a start to developing performance measures, the case study is limited to one location along the border and the analysis limited to select technologies. As of April 2017, CBP had not conducted assessments of the deployments to determine the contribution of surveillance technologies to the border security mission. Until CBP completes its efforts to fully develop and apply key attributes for performance metrics for all technologies to be deployed under the Plan, it will not be well positioned to fully assess its progress in implementing and determining the Plan and determine when mission benefits have been fully realized.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendation
    Recommendation: To better ensure DSOs' and students' compliance with OPT requirements, and strengthen efforts to identify and assess potential risks in OPT, the Director of ICE should direct SEVP to develop and distribute guidance to DSOs on how to determine whether a job is related to a student's area of study and require DSOs to provide information in SEVIS to show that they took steps, based on this guidance, to help ensure that the student's work is related to the area of study.

    Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
    Status: Open

    Comments: As of April 2015, SEVP has made progress in developing employment guidance to support DSOs in determining whether a job is related to a student's area of study and requiring DSOs to provide such information in SEVIS. SEVP stated that it has drafted such guidance and it is being reviewed by SEVP subject matter experts. In addition, SEVP stated that it is developing information requirements for DSOs to attest that they adhered to the new employment guidance document in SEVIS, which requires system enhancements. In May 2016, the new STEM OPT regulation went into effect and, among other things, SEVP officials stated that it requires much greater detail on the scope of the employment and how it is related to the earned degree. As of October 2016, SEVP expects that non-STEM guidance on field of study will be finalized by the second quarter of fiscal year 2017.
    Director: Rectanus, Lori
    Phone: (202) 512-2834

    4 open recommendations
    Recommendation: The Secretary of Transportation should direct the FHWA Administrator to collect data, on an ongoing basis, about which local public agencies are administering federal-aid projects.

    Agency: Department of Transportation
    Status: Open

    Comments: As of August 2017, FHWA informed us it had no plans to collect data about which local public agencies are administering federal-aid projects.
    Recommendation: The Secretary of Transportation should direct the FHWA Administrator to collect information, on an ongoing basis, from state DOTs on local public agencies' capabilities.

    Agency: Department of Transportation
    Status: Open

    Comments: As of August 2017, FHWA informed us that it did not plan to collect information on the capabilities of local public agencies on an ongoing basis. In 2017 FHWA released the results of a compliance assessment review which assessed the capabilities of selected local public agencies. We are reviewing FHWA's efforts and the extent to which they address our recommendation.
    Recommendation: The Secretary of Transportation should direct the FHWA Administrator to identify and disseminate minimum and uniform qualification criteria for state DOTs to determine whether local public agencies are capable and equipped to administer federal-aid projects.

    Agency: Department of Transportation
    Status: Open

    Comments: As of August 2017, FHWA informed us it had no plans to identify and disseminate minimum and uniform qualification criteria for state DOTs to determine whether local public agencies are capable and equipped to administer federal-aid projects.
    Recommendation: The Secretary of Transportation should direct the FHWA Administrator to explore opportunities to make administration of federal-aid projects by local public agencies more efficient by examining: (a) the circumstances in which issuing guidance on administrative flexibilities targeted at local agencies would be appropriate, and (b) a potential dollar threshold under which the use of federal funds may no longer be cost-effective.

    Agency: Department of Transportation
    Status: Open

    Comments: As of August 2017, FHWA informed us that it did not plan to explore a dollar threshold under which the use of federal funds may no longer be cost-effective. However, FHWA told us it has provided guidance in this regard, and has continued disseminating guidance on administrative flexibilities beneficial to locally administered projects. We are reviewing FHWA's actions and the extent to which these efforts address our recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Cha, Carol R
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: To improve planning and execution of the next telecommunications transition, the Administrator of General Services, in coordination with the Office of Personnel Management, should examine potential government-wide telecommunications expertise shortfalls and use the study to shape the NS2020 strategic approach.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) has not addressed this recommendation. In June 2014, the agency reported that it had coordinated with OPM to incorporate key objectives in its NS2020 strategy to address and mitigate challenges with regards to government-wide expertise needed to execute the NS2020 program. However, as of May 2017, GSA had not demonstrated that it had studied potential government-wide telecommunications expertise shortfalls or used the study to shape the NS2020 strategic approach.
    Recommendation: To improve planning and execution of the next telecommunications transition, the Administrator of General Services should ensure that the lessons are applied, based on priority and available resources, to the next transition strategy.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration has not implemented this recommendation but has taken steps to address it. In April 2014, the agency developed a strategy for transitioning to the next telecommunications contract vehicle. The strategy described the lessons learned that contributed to the delay in the prior transition and identified approaches the agency planned to take to apply the lessons learned. For example, it identified high level plans for addressing the need for improved management of the complex acquisition process and the need for technical and contracting telecommunications expertise across the government. As of August 2016, GSA had prioritized the lessons learned and considered the resources needed to apply them. However, as of May 2017, the agency had not demonstrated that it had ensured that the lessons were applied, based on priority and available resources, to the next transition strategy. We will continue to monitor GSA's efforts to implement the recommendation.
    Director: Bertoni, Daniel
    Phone: (202) 512-7215

    2 open recommendations
    Recommendation: In order to enhance the accuracy of and ensure appropriate agency access to SSA's death data, and to clarify how SSA applies the eligibility requirements of the Social Security Act and enhance agencies' awareness of how to obtain access, the Social Security Administration's Acting Commissioner should direct the Deputy Commissioner of Operations to develop and publicize guidance it will use to determine whether agencies are eligible to receive SSA's full death file.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) disagreed with this recommendation, stating that each request to obtain the full death file is unique, and that officials must review them on a case-by-case basis to ensure compliance with various legal requirements. It also expressed concern that developing this guidance as we recommended would require agency expenditures unrelated to its mission in an already fiscally constrained environment. SSA noted that any federal agency that would like to explore accessing the full death master file (which includes state death records) should submit a request to SSA. SSA will review the file and, if satisfactory, enter into an Information Exchange Agreement covering terms, conditions and reimbursement for the exchange. As of April 2017, SSA reports that it is continuing its efforts and there is no change in status. GAO appreciates that agencies may base their request for the full death file on different intended uses, and supports SSA's efforts to ensure compliance with all applicable legal requirements. However, developing such guidance could help to ensure consistency in SSA's future decision making by the new Office of Data Exchange, and enhance agencies' ability to obtain the data in a timely and efficient manner.
    Recommendation: In order to enhance the accuracy of and ensure appropriate agency access to SSA's death data, and to increase transparency among recipient agencies, the Social Security Administration's Acting Commissioner should direct the Deputy Commissioner of Operations to share a more detailed explanation of how it determines reimbursement amounts for providing agencies with death information.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) reported that it has implemented improvements in its estimating procedures for future reimbursable agreements to ensure consistent estimates for all customers. It reviews all reimbursable requests on a case-by-case basis to determine full costs (including direct and indirect expenses) to provide goods, resources, or services. However, the agency stated that it is not a typical government business practice to share these detailed costs for reimbursable agreements. As of April 2017, SSA reports that it is continuing its efforts and there is no change in status. We are encouraged that SSA has made efforts to standardize the estimates it shares with its federal partners. While we recognize that there may be limitations on the type of cost details SSA can provide to recipient agencies, we continue to believe that more transparency in conveying the factors that lead to the estimated and final reimbursement amounts recipient agencies are charged could help them make more informed decisions.
    Director: Goldenkoff, Robert N
    Phone: (202) 512-2757

    4 open recommendations
    including 3 priority recommendations
    Recommendation: To help maintain a more thorough and insightful 2020 Census development schedule in order to better manage risks to a successful 2020 Census, the Secretary of Commerce and Undersecretary of Economic Affairs should direct the U.S. Census Bureau to improve the comprehensiveness of schedules, including ensuring that all relevant activities are included in the schedule.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Bureau agreed with this recommendation and stated that it is reviewing and refining project schedules to ensure that they include the full scope of work needed to reach operational decision points for the 2020 Census. The 2020 Research and Planning Office currently has 55 decennial project schedules, consisting of more than 3,700 activities. Several project schedules were re-baselined and pushed into production in January 2014. Focused integration sessions occurred in late January and February 2014, resulting in revised schedules. The Bureau released its operational plan and other documentation in November 2015, and announced in June 2016 that it would finalize and release its 2020 Census schedule in July 2016. To fully implement this recommendation, the Bureau needs to include within its integrated master activity schedule at lower levels the activities and milestones it has already identified as needed throughout the 2020 Census lifecycle. We are beginning an audit of the Bureau's scheduling practices this summer and will review actions the Bureau may have taken to address this recommendation.
    Recommendation: To help maintain a more thorough and insightful 2020 Census development schedule in order to better manage risks to a successful 2020 Census, the Secretary of Commerce and Undersecretary of Economic Affairs should direct the U.S. Census Bureau to improve the construction of schedules, including ensuring complete logic is in place to identify the preceding and subsequent activities as well as a critical path that can be used to make decisions.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Bureau agreed with this recommendation and stated that it has already begun maturing project schedules to ensure that the logical relationships between discrete schedules are put into place. Schedule integration sessions across projects and programs were held in late January 2014 and into February 2014 and periodically since then, where work is deconstructed into detailed schedules. As the Bureau continues to mature its schedule and scheduling process for the 2020 Census and related tests, its officials say they are taking care to ensure that logical linkages are in place within the schedule and that they are adding additional activities on a rolling basis. Bureau officials believe this ongoing work with the 2020 schedule will ensure they have a robust tool to help manage the 2020 program and make key decisions. The Bureau released its operational plan and other documentation in November 2015 and announced in June 2016 that it would finalize and release its 2020 Census schedule in July 2016. To fully implement this recommendation, the Bureau needs to ensure linkage between activities and the estimated resources needed to complete them. We are beginning an audit of the Bureau's scheduling practices this summer and will review actions the Bureau may have taken to address this recommendation.
    Recommendation: To help maintain a more thorough and insightful 2020 Census development schedule in order to better manage risks to a successful 2020 Census, the Secretary of Commerce and Undersecretary of Economic Affairs should direct the U.S. Census Bureau to improve the credibility of schedules, including conducting a quantitative risk assessment.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Bureau agreed with this recommendation and stated that it has already begun maturing project schedules to ensure that the logical relationships between discrete schedules are put into place. Schedule integration sessions across projects and programs were held in late January 2014 and into February 2014 and periodically since then, where work is deconstructed into detailed schedules. As the Bureau continues to mature its schedule and scheduling process for the 2020 Census and related tests, its officials say they are taking care to ensure that logical linkages are in place within the schedule and that they are adding additional activities on a rolling basis. Bureau officials believe this ongoing work with the 2020 schedule will ensure they have a robust tool to help manage the 2020 program and make key decisions. The Bureau released its operational plan and other documentation in November 2015 and announced in June 2016 that it would finalize and release its 2020 Census schedule in July 2016. As part of the maturation process, the Bureau expects to conduct a quantitative risk assessment of decennial project schedules. In 2015, the Bureau provided us with a preliminary output from its risk analysis software as a demonstration of the type of analysis it is committed to, but more recently its officials said that they may not be able to take all the steps needed to satisfy this recommendation. To fully implement this recommendation, the Bureau needs to conduct quantitative schedule risk analyses with the resulting schedule. We are beginning an audit of the Bureau's scheduling practices this summer and will review actions the Bureau may have taken to address this recommendation.
    Recommendation: The Director of the U.S. Census Bureau should initiate a robust workforce planning process for those working on schedules related to the Master Address File, including actions such as an analysis of skills needed, to identify and address gaps in scheduling skills.

    Agency: Department of Commerce: Bureau of the Census
    Status: Open

    Comments: The Census Bureau agreed with this recommendation and states it is taking steps to improve its scheduling practices and to initiate a comprehensive workforce planning process for those working on decennial project schedules. Bureau officials state they are currently evaluating the skills needed for scheduling support of the 2020 Census and will take the appropriate steps to acquire and develop the appropriate mix of skill sets, including but not limited to developing certified scheduling staff, hiring expert contractors to assist with periodic training, and scheduling standards implementation. They also state that the Bureau is committed to continuing to strengthen the schedule management plan, practices, and methods in place for the 2020 Census. The Bureau has experienced turnover in the leadership of the team responsible for 2020 scheduling, and, as of July 2017, Bureau officials have said they are working to collect artifacts that may demonstrate how this recommendation was addressed.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    4 open recommendations
    Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment, noting that such an update may be included in fiscal year 2017 planning documents. However, as of February 2017, no documentation had been provided that demonstrates such plans. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should, as part of current critical infrastructure protection planning with Sector-Specific Agencies (SSAs) and sector partners, develop and issue a plan and metrics to measure the effectiveness of GPS risk mitigation efforts on critical infrastructure resiliency.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of February 2017, DHS documentation shows that DHS has worked with Sector Specific Agencies (SSAs) and other interagency partners to help manage GPS risks and continues to communicate information on risks to critical infrastructure partners. For example, according to DHS officials, this included briefing field staff and developing questions for infrastructure surveys to gather information on GPS resilience at the facility level. According to DHS officials, at the national level DHS included GPS in discussions with SSAs on topics they could include in their Sector-Specific Plans (each SSA develops a Sector-Specific Plan to detail risk management in its critical infrastructure sector), but DHS has also indicated that sector-oriented metrics are not a viable means of assessing risk management actions. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of February 2017, the National Executive Committee for Space-Based Positioning, Navigation, and Timing (PNT) Executive Steering group had established an interagency team called the "Complementary PNT Tiger Team" co-chaired by DHS, DOT, and DOD. This team was formed to manage the federal government's efforts to establish a national backup system to GPS. According to DHS officials, this organizational structure obviates the need for a formal, written agreement between DOT and DHS specific to GPS backup responsibilities. They also stated that, in a separate but related effort, DHS, DOT, and DOD are discussing a tri-lateral agreement that covers a broad spectrum of PNT-related responsibilities and activities. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.

    Agency: Department of Transportation
    Status: Open

    Comments: As of February 2017, the National Executive Committee for Space-Based Positioning, Navigation, and Timing (PNT) Executive Steering group had established an interagency team--called the "Complementary PNT Tiger Team"--co-chaired by DHS, DOT, and DOD. This team was formed to manage the federal government's efforts to establish a national backup system to GPS. According to DHS officials, this organizational structure obviates the need for a formal, written agreement between DOT and DHS specific to GPS backup responsibilities. They also stated that, in a separate but related effort, DHS, DOT, and DOD are discussing a tri-lateral agreement that covers a broad spectrum of PNT-related responsibilities and activities. We will update the status of this recommendation after we receive additional information from DOT.
    Director: Farrell, Brenda S
    Phone: (202) 512-3604

    2 open recommendations
    Recommendation: To provide decision makers with more-complete information on the planned implementation, management, and oversight of DOD's newly created DHA, the Secretary of Defense should direct the Assistant Secretary of Defense (Health Affairs) to develop and present to Congress a comprehensive timeline that includes interim milestones for all reform goals that could be used to show implementation progress.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2015, DOD has not submitted a comprehensive timeline that includes interim milestones for all reform goals. Further, as we reported in September 2015, DOD's plan for assessing the personnel requirements of the DHA lacks a detailed timeline with milestones and interim steps. Until DOD develops a comprehensive timeline for its reform, this recommendation should remain open. June 2017 Update: The DHA strategic plan/CONOPS showing a comprehensive timeline for all of its reform goals has yet to be released.
    Recommendation: To provide decision makers with more-complete information on the planned implementation, management, and oversight of DOD's newly created DHA, the Secretary of Defense should direct the Assistant Secretary of Defense (Health Affairs) to monitor implementation costs to assess whether the shared-services projects are on track to achieve projected net cost savings or if corrective actions are needed.

    Agency: Department of Defense
    Status: Open

    Comments: As we reported in September 2015, DOD has taken some action on this recommendation for 8 of its 10 shared services. The DHA's internal leadership briefings now identify the major types of implementation costs where relevant, or otherwise address their potential impact. For example, information technology costs are identified as one primary type of costs for the Health Information Technology and Medical Logistics shared services, while contract costs are identified for the Budget and Resource Management, Medical Logistics, and Health Information Technology shared services. By identifying the major types of implementation costs, decision makers are better able to gauge the sensitivity of areas of uncertainty as they make decisions concerning future investments in shared services. May 2016 Update: DHA reported and we verified financial savings of $722 million for FY14 and FY15 due to shared services implementation. June 2017 Update: DHA reported and we verified financial savings of $686.6 million for FY 16 due to shared services implementation.
    Director: Gootnick, David B
    Phone: (202) 512-3149

    2 open recommendations
    Recommendation: In order to improve the ability of the U.S. agencies participating in the Joint Economic Management Committee (JEMCO) and Joint Economic Management and Financial Accountability Committee (JEMFAC) to conduct required oversight of compact funds, the Secretary of the Interior should direct the Director of Insular Affairs, as Chairman of JEMCO, to coordinate with other JEMCO-member U.S. agencies to have JEMCO take all necessary steps, or, as the administrator of compact grants, to directly take all necessary steps, to ensure that the FSM (1) completes satisfactory plans to address annual decrements in compact funds, (2) produces reliable indicator data used to track progress in education and health, and (3) addresses all single audit findings in a timely manner.

    Agency: Department of the Interior
    Status: Open

    Comments: JEMCO accepted decrement plans from the FSM which addressed one element of the recommendation. However, as of June 16th, 2017 the other parts of the recommendation have not been addressed.
    Recommendation: In order to improve the ability of the U.S. agencies participating in the JEMCO and JEMFAC committees to conduct required oversight of compact funds, the Secretary of the Interior should direct the Director of Insular Affairs, as Chairman of the JEMFAC, to coordinate with other JEMFAC-member U.S. agencies to have JEMFAC take all necessary steps, or, as the administrator of compact grants, to directly take all necessary steps, to ensure that the RMI (1) completes satisfactory plans to address annual decrements in compact funds, (2) produces reliable indicator data used to track progress in education and health, and (3) addresses all single audit findings in a timely manner.

    Agency: Department of the Interior
    Status: Open

    Comments: JEMFAC accepted decrement plans from the RMI, which addressed one element of the recommendation. However, as of June 16th, 2017 the other parts of the recommendation have not been addressed.
    Director: Khan, Asif A
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to design and implement department-level policies and detailed procedures for FIAR Plan risk management that incorporate the five guiding principles for effective risk management. The following are examples of key features of each of the guiding principles that DOD should, at a minimum, address in its policies and procedures. (1) Identify risks. Generate a comprehensive and continuously updated list of risks that includes the root cause of each risk, audit area(s) each risk will affect, and the potential consequences if a risk is not effectively mitigated. (2) Analyze risks. Consult with key stakeholders, including program managers; use analytical techniques, such as risk categorization, risk urgency assessment, or sensitivity analysis; and determine the impact of the identified risks on individual DOD components' abilities to achieve audit readiness. (3) Plan for risk mitigation. Assign responsibility or ownership of the risk mitigation actions, define roles and responsibilities in executing mitigation plans, establish deadlines or milestones for individual mitigation actions, and estimate resource needs. (4) Implement risk mitigation plan. Document the implementation of mitigation actions, develop appropriate metrics that allow for tracking of progress, and validate reported metrics. (5) Monitor risks. Track identified risks and assess the effectiveness of implemented mitigation actions on a continuous basis, including identifying and planning for new risks.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with our recommendation. While DOD did concur with our assessment that they did not have a risk management policy and procedures related to implementing the FIAR guidance, they did not concur with our assessment of the overall environment of DOD's risk management of the FIAR initiative. DOD has taken steps to address our recommendation including implementing an NFR tracker and standard operating procedures designed to track DOD component material weaknesses. DOD has also documented a critical path and milestones in Appendix F of their FIAR Guidance; military component tasks and milestones in Appendix G of the FIAR Guidance; and audit readiness deal breakers, now referred to as critical capabilities. However, while these are positive actions, they do not address our recommendation for DOD to implement risk management policies and procedures for FIAR implementation. Further, DOD has not provided GAO with evidence of planned actions it summarized in its agency comments. Specifically, DOD has not provided documentation related to (1) improving risk management documentation, (2) reinstating the DOD probability and impact matrix, and (3) re-evaluation of metrics to monitor progress and risk of audit readiness. Lastly, DOD's tracking of military component material weaknesses does not identify risks to audit readiness, or the agencies' capabilities to manage risks to audit readiness. According to the May 2017 FIAR Status Update for the HASC Panel Recommendations, DOD has reinforced the importance of internal controls over areas of significant risk by updating the FIAR Guidance with a new chapter dedicated to internal controls. DOD has also changed how they respond to recommendation follow-up by way of the Washington Headquarters Service (WHS). We are currently waiting for a POC to be assigned. We will continue to evaluate the status of actions to address this recommendation.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to consider and incorporate, as appropriate, the Navy's and DLA's risk management practices in department-level policies and procedures.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has changed how they respond to recommendation follow-up by way of the Washington Headquarters Service (WHS). We are currently waiting for a POC to be assigned. We will continue to evaluate the status of actions to address this recommendation.
    Director: Cackley, Alicia P
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To establish full-risk rates for properties with previously subsidized rates that reflect their risk for flooding, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to develop and implement a plan, including a timeline, to obtain needed elevation information as soon as practicable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As we reported in February 2016 in GAO-16-190, FEMA has taken limited action to implement this recommendation. For example, FEMA noted that the agency would evaluate the appropriate approach for obtaining or requiring the submittal of information needed to determine full-risk rates for subsidized properties. FEMA also said it would explore technological advancements and engage with industry to determine the availability of technology, building information data, readily available elevation data, and current flood hazard data that could be used to implement the recommendation. However, FEMA officials also said that the agency faced a cost challenge with respect to elevation certificates and that obtaining these certificates could take considerable time and cost. They noted that requiring policyholders to incur the cost of obtaining elevation certificates would not be consistent with NFIP's policy objective to promote affordability. The officials added that the agency encourages subsidized policyholders who seek to ensure the appropriateness of their NFIP rates to voluntarily submit elevation documentation.
    Director: Khan, Asif A
    Phone: (202) 512-9869

    9 open recommendations
    including 9 priority recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to estimating improper payments, to establish and implement key quality assurance procedures, such as reconciliations, to ensure the completeness and accuracy of the sampled populations.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense (DOD), in concurring with this recommendation, stated that the Department will work with the Defense Finance and Accounting Service (DFAS) to implement key quality assurance procedures, such as reconciliations, to ensure the completeness and accuracy of sampled populations. In June 2016, DOD officials stated that while the department is moving toward full auditability of its financial statements, the capability to ensure the completeness and accuracy of the sampled populations is still under development. As of August 31, 2017, DOD's efforts in this area were ongoing.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to estimating improper payments, to revise the procedures documented in DOD's sampling methodologies so that they (1) are in accordance with OMB guidance and generally accepted statistical standards and (2) produce statistically valid improper payment error rates, statistically valid improper payment dollar estimates, and appropriate confidence intervals for both. At a minimum, such procedures should take into account the size and complexity of the transactions being sampled.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense (DOD) partially concurred with this recommendation, stating that sampling methodologies would be reviewed for all payment types and would be modified as appropriate to produce valid improper payment estimates and appropriate confidence intervals for them. In its May 2016 FIAR Plan Status Report, DOD officials stated that the department is reviewing the methodologies associated with identifying improper payments for seven improper payment programs, and if warranted, will change their sampling plans (methodologies). These seven programs are: Defense Finance and Accounting Service's Military Pay, Civilian Pay, Military Retirement, and Travel Pay; U.S. Corps of Engineers' Commercial Pay and Travel Pay; and Navy ERP commercial payments. In June 2016, DOD officials stated that the Office of the Under Secretary of Defense (Comptroller) will continue to coordinate with those DOD components currently using simple random sample designs, to develop methodologies that are stratified by an appropriate variable, such as an invoice or payment amount based on appropriate confidence intervals. As of August 31, 2017, this recommendation was still open.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to identifying programs susceptible to significant improper payments, to conduct a risk assessment that is in compliance with IPERA.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense (DOD), in concurring with this recommendation, stated that it would work collaboratively with the applicable Defense components to develop a framework to conduct a risk assessment that is in compliance with the Improper Payments Elimination and Recovery Act (IPERA). Risk assessments for six DOD programs (military health benefits, military pay, civilian pay, Defense Finance and Accounting Service (DFAS) travel pay, retiree & annuitant pay, and DFAS commercial pay) complied with IPERA requirements based on documentation provided to support them. However, based on our review of documentation provided by the U.S. Army Corps of Engineers (USACE), risk assessments for the two programs it administers (USACE travel pay and USACE commercial pay) have not been performed. DOD officials stated that the risk assessment documentation for the two USACE programs is under development. In October 2016, DOD issued a remediation plan for travel pay improper payments and recovery. As of August 31, 2017, this recommendation was still open.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to reducing improper payments, to establish procedures that produce corrective action plans that comply fully with IPERA and OMB implementation guidance, including at a minimum, holding individuals responsible for implementing corrective actions and monitoring the status of the corrective actions.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense, in concurring with this recommendation, stated that it would work collaboratively with applicable components to establish procedures that produce corrective action plans that fully comply with the Improper Payment Elimination and Recovery Act and Office of Management and Budget (OMB) guidance. According to DOD officials, these established procedures will include individual accountability for implementing corrective actions and monitoring the status of corrective actions. As of June 2016, DOD officials told us that the department enters corrective action plans associated with audit findings into a notice of findings and recommendations (NFR) database developed to track their status and progress. The database was deployed in May 2016. According to DOD's fiscal year 2015 Agency Financial Report, DOD's travel pay had the highest error rate among all DOD-reported improper payment programs, and therefore DOD would place its initial focus to achieve measurable progress more quickly in this area. In June 2016, DOD officials stated that the Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) would revise and expand the DOD Travel Remediation Plan into a more comprehensive plan which includes establishing Senior Accountable Officials (SAOs) within each military service. OUSD(C) will collaborate with each SAO to ensure the development of standardized procedures and corrective action plans to include training, root cause identification, and quality assurance goals that comply with improper payment law and regulatory guidance. On October 7, 2016, DOD issued its remediation plan entitled "Preventing Travel Pay Improper Payments and Recovery." The remediation plan notes two primary causes of improper travel payments, each of which highlights the need for increased detail (documentation), attention to detail (accuracy), and a more regular and effective training regimen.
    The remediation plan includes several requirements that must be met to reinforce internal controls and accountability. Beginning in fiscal year 2017, the DOD Comptroller and component SAOs are to receive travel pay metrics reports to measure progress. The first report is intended to establish a baseline. As of April 2017, DOD officials stated that there are corrective action plans, but the implementation of these plans needs to be assigned to the individual level components. As of August 31, 2017, this recommendation was still open.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to reducing improper payments, to establish procedures that produce corrective action plans that are in accordance with best practices, such as those recommended by the Chief Financial Officers Council (CFOC), and include (1) measuring the progress made toward remediating root causes and (2) communicating to agency leaders and key stakeholders the progress made toward remediating the root causes of improper payments.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense (DOD), in concurring with this recommendation, stated that it would work collaboratively with the applicable components to establish procedures that produce corrective action plans that incorporate best practices, including those recommended by the Chief Financial Officers Council. DOD's corrective action plans would include information on (1) measuring the progress made toward remediating root causes and (2) communicating to agency leaders and key stakeholders the progress made toward remediating the root causes of improper payments. In June 2016, DOD officials told us that the department enters corrective action plans associated with audit findings into a notice of findings and recommendations (NFR) database developed to track their status and progress. The database was deployed in May 2016. According to DOD's fiscal year 2015 Agency Financial Report, DOD's travel pay had the highest error rate among all DOD-reported improper payment programs, and therefore DOD would place its initial focus to achieve measurable progress more quickly in this area. In June 2016, DOD officials stated that the Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) will revise and expand the DOD Travel Remediation Plan into a more comprehensive plan which will include establishing Senior Accountable Officials (SAOs) within each military service. OUSD(C) will collaborate with each SAO to ensure the development of standardized procedures and corrective action plans to include training, root cause identification, and quality assurance goals that comply with improper payment law and regulatory guidance. On October 7, 2016, DOD issued its corrective/remediation plan entitled "Preventing Travel Pay Improper Payments and Recovery." We plan to review this plan for consistency with OMB and IPERA guidelines. In April 2017, we learned that the Office of Management and Budget had done an assessment of this plan and provided helpful suggestions.
    As of August 31, 2017, this recommendation was still open.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to implementing recovery audits, to develop and implement procedures to (1) identify costs related to the department's recovery audits and existing recovery efforts and (2) evaluate existing improper payment recovery efforts to ensure that they are cost effective.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: Department of Defense (DOD) officials concurred with this recommendation, stating that the DOD would review its procedures for improper payment recovery activities to ensure currency and accuracy and that it would also perform analyses to ensure that its recovery efforts are cost-effective. In July 2015, DOD reported that the development of cost estimates for recovery auditing was ongoing. In addition, DOD officials indicated that only the United States Army Corps of Engineers (USACE) has developed an analysis to evaluate the cost effectiveness of performing recovery audits. As of April 2017, DOD's efforts to develop cost-estimates for recovery audits were still under way. As of August 31, 2017, this recommendation was still open.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to implementing recovery audits, to monitor the implementation of the revised FMR chapter on recovery audits to ensure that the components either develop recovery audits or demonstrate that it is not cost effective to do so.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: Department of Defense (DOD) officials, in concurring with this recommendation, stated that DOD would work with the applicable components to monitor the implementation of the revised Financial Management Regulation (FMR) chapter on recovery audits. According to DOD officials, this action would help to ensure that recovery audits are developed, or will demonstrate that it is not cost-effective to do these audits. In July 2015, DOD was working to update the FMR chapter on recovery audits to reflect revised Office of Management and Budget (OMB) guidance issued in October 2014. DOD issued its revised FMR chapter in November 2015. This chapter requires components to develop cost-effective payment recapture audits or to submit a quantitative justification to the Office of the Under Secretary (Comptroller) for approval. However, we consider this recommendation to be open because DOD did not provide documentation demonstrating that the Office of the Under Secretary of Defense (Comptroller) is monitoring component implementation of recovery auditing. Further, as of April 2017, DOD's efforts to develop cost-estimates for recovery audits were still under way. As of August 31, 2017, this recommendation was still open.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to implementing recovery audits, to develop and submit to OMB for approval a payment recapture audit plan that fully complies with OMB guidance.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: Department of Defense (DOD) officials, in concurring with this recommendation, stated that DOD would develop and submit to the Office of Management and Budget (OMB) a payment recapture plan that fully complies with OMB guidance and is informed by a cost-effectiveness analysis. In July 2015, DOD's Office of the Under Secretary of Defense (Comptroller) efforts to develop a payment recapture audit plan to ensure cost-effectiveness were ongoing and these efforts must be completed before a plan can be submitted to the OMB. In June 2016, DOD officials stated that the Comptroller's efforts to develop a payment recapture audit plan to ensure cost-effectiveness were ongoing. As of August 31, 2017, the department's efforts to implement this recommendation are continuing.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to reporting, to design and implement procedures to ensure that the department's annual improper payment and recovery audit reporting is complete, accurate, and in compliance with IPERA and OMB guidance.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: Department of Defense (DOD) officials, in concurring with this recommendation, stated that DOD would design and implement procedures to further ensure that its annual improper payment and recovery audit reporting is complete, accurate, and in compliance with the Improper Payments Elimination and Recovery Act (IPERA) requirements and Office of Management and Budget (OMB) guidance. In June 2015, DOD revised its FMR chapter on improper payments to require components to provide information needed to report on improper payment and recovery audit activities in its annual financial report (AFR) in accordance with IPERA requirements and OMB guidance. DOD's fiscal year 2015 AFR reflected its implementation of the revised FMR. We found that DOD's improper payment reporting in its fiscal year 2015 AFR had improved. However, we were not provided with evidence that the Office of the Under Secretary of Defense (Comptroller) is performing oversight and monitoring activities to ensure the accuracy and completeness of the improper payment and recovery audit data submitted by DOD components for inclusion in the AFR. As of April 2017, DOD is continuing to work on procedures for ensuring that its reporting on improper payment and recovery audits is accurate, complete, and in compliance with IPERA and OMB guidance. As of August 31, 2017, this recommendation was still open.
    Director: Gomez, Jose A
    Phone: (202) 512-3841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To ensure that EPA maximizes its limited resources and addresses the statutory, regulatory, and programmatic needs of EPA program offices and regions when IRIS toxicity assessments are not available, and once demand for the IRIS Program is determined, the EPA Administrator should direct the Deputy Administrator, in coordination with EPA's Science Advisor, to develop an agencywide strategy to address the unmet needs of EPA program offices and regions that includes, at a minimum: (1) coordination across EPA offices and with other federal research agencies to help identify and fill data gaps that preclude the agency from conducting IRIS toxicity assessments, and (2) guidance that describes alternative sources of toxicity information and when it would be appropriate to use them when IRIS values are not available, applicable, or current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of October 2016, EPA indicated that the agency evaluated user needs for toxicity assessments as part of its process for developing the Multi-Year Agenda it issued in December 2015. We will continue to review additional information and documentation on EPA's agencywide strategy to address the unmet needs of EPA program offices and regions, and will update status comments as appropriate.
    Director: Chaplain, Cristina T
    Phone: (202) 512-4841

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to add risk reduction non-intercept flight tests for each new type of target missiles developed.

    Agency: Department of Defense
    Status: Open

    Comments: Despite partially concurring with our recommendation in 2013, MDA has not adjusted its test plans to include risk-reduction (i.e., non-intercept) flight tests for new target types prior to their inclusion in an intercept flight test. MDA officials have not done so because such decisions must be balanced against potential cost, schedule, and programmatic impacts and flight test preparation processes, like dry-runs and quality control checks, are sufficient to discover issues prior to an intercept test. While test preparation processes are valuable, they are not a substitute for risk reduction flight tests. This was proven in June 2015 when MDA launched a new intermediate-range target that had 6 different test preparation processes but not a risk-reduction flight test and the target failed, which resulted in significant cost, schedule, and programmatic impacts. Moving forward, despite the impacts from its recent target failure, MDA plans to use a new medium-range target during its third, and most complex, operational test in the second quarter of fiscal year 2019. We maintain our stance that risk reduction flight tests would reduce the risk for the associated test and the overall flight test plan; however, MDA's actions to date suggest that it has no intention of including risk-reduction flight tests for new targets. However, we will continue to monitor its progress in this regard.
    Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to include in its resource baseline cost estimates all life cycle costs, specifically the operations and support costs, from the military services in order to provide decision makers with the full costs of ballistic missile defense systems.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD partially concurred with our recommendation that decisionmakers should have insight into the full lifecycle costs of MDA's programs. However, as of August 2017, MDA is still not including the military services' operations and sustainment costs--which are a part of the full lifecycle costs--in the resource baselines it reports in the Ballistic Missile Defense System Accountability Report. MDA is trying to determine how to report the full lifecycle costs to decisionmakers, but has indicated that the Ballistic Missile Defense System Accountability Report is not the appropriate forum for reporting the military services' operation and support costs. We continue to believe that including the full lifecycle costs of MDA's programs enables decisionmakers to make funding determinations that are based on a comprehensive understanding of the depth and breadth of each program's costs.
    Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to stabilize the acquisition baselines, so that meaningful comparisons can be made over time that support oversight of those acquisitions.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendation regarding the need for MDA to stabilize its acquisition baselines, but also noted MDA's need to adjust its baselines to remain responsive to evolving requirements and threats, both of which are beyond MDA's control. Further, DOD highlighted the MDA Director's authority to make adjustments to the agency's programmatic baselines, within departmental guidelines. Our recommendation, however, is not designed to limit the Director's authority to adjust baselines or to prevent adjusting baselines as appropriate. Rather, our recommendation is designed to address traceability issues we have found with MDA's baselines, which are within its control. Specifically, for MDA to be able to effectively report longer-term progress of its acquisitions and provide the necessary transparency to Congress, it is critical that the agency stabilize its baselines so that once set, any revisions can be tracked over time. At this point we have not seen any indication that MDA is working to implement this recommendation. For example, in 2016, MDA's Director made changes to the Targets and Countermeasures program's baseline that omit the costs of some targets and may make tracking progress against prior years and the original baseline very difficult, and in some instances, impossible. We will continue to monitor MDA's baselines to determine any progress in this area or implementation of this recommendation.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    2 open recommendations
    Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate (NPPD), the Assistant Secretary for NIPP's Office of Infrastructure Protection (IP), and Director of ISCD to develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD's risk assessment approach consistent with the NIPP and the CFATS rule.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, they completed development of an updated tiering methodology, which incorporates improvements based on recommendations from both the external peer review of the tiering methodology and a Sandia National Laboratory (Sandia) report on economic consequences, which was submitted to the Department in the first quarter of fiscal year (FY) 2015. Additionally, according to the officials, DHS continued hosting meetings of an external experts panel consisting of representatives from other Federal agencies and the chemical and oil and natural gas industries, who have met repeatedly to review and provide input on the proposed improvements to the Chemical Facility Anti-Terrorism Standards (CFATS) tiering methodology. As noted in the tiering methodology improvement plan previously provided by the Department to GAO, the ISCD is having external entities validate and verify the updated methodology before deployment. To that end, the Homeland Security Studies and Analysis Institute (HSSAI) has reviewed and provided findings and recommendations on all parts of the updated tiering engine. Additionally, Sandia has been conducting component testing of the tiering engine as it is being updated and, beginning in January 2016, Sandia will conduct end-to-end testing of the engine. Concurrent with these efforts, ISCD has been updating the Chemical Security Assessment Tool (CSAT) applications which currently support the collection of the data used by the CFATS tiering methodology (i.e., Top-Screen, Security Vulnerability Assessment). According to the officials, deployment of these new applications cannot occur until the DHS's Information Collection Request (ICR) is approved by the White House's Office of Management and Budget (OMB), which the Department anticipates submitting to OMB in the third quarter of fiscal year 2016. 
    We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
    Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and Director of ISCD to conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach, that fully validates and verifies ISCD's risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, the updated CFATS risk-based tiering methodology has been developed and portions of it are undergoing independent review from both HSSAI and Sandia. An independent verification and validation of the updated tiering methodology is scheduled to be conducted by Sandia beginning in January 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    3 open recommendations
    including 2 priority recommendations
    Recommendation: To promote coordination as a practice to help avoid overlap, the Secretary of Homeland Security, the Attorney General, and the Director of ONDCP should work through the Information Sharing and Access Interagency Policy Committee (ISA IPC) or otherwise collaborate to develop a mechanism, such as performance metrics related to coordination, that will allow them to hold field-based information-sharing entities accountable for coordinating with each other and monitor and evaluate the coordination results achieved.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: The Department of Justice (DOJ), in coordination with the Department of Homeland Security (DHS) and the Office of National Drug Control Policy (ONDCP), has made progress toward addressing GAO's April 2013 recommendation but has not included all of the relevant field-based information sharing entities in its efforts. Through their involvement in an interagency policy committee within the Executive Office of the President, DHS, DOJ, and ONDCP have developed a mechanism to hold state and urban area fusion centers, Regional Information Sharing System (RISS) centers, and High Intensity Drug Trafficking Area (HIDTA) Investigative Support Centers accountable for coordinating their analytical and investigative activities. However, the agencies have not fully addressed the action because DOJ's Federal Bureau of Investigation's (FBI) Joint Terrorism Task Forces (JTTF) and Field Intelligence Groups (FIG), two of the five field-based entities included in GAO's April 2013 report, have not participated in the assessment on which the mechanism is based. In December 2015, DHS developed a field-based partners report in which DHS, DOJ and ONDCP reported data for state and urban area fusion centers, RISS centers, and HIDTA Investigative Support Centers. These data were focused on field-based collaboration, including governance, colocation, and other information sharing, analytic, and deconfliction-focused topics. However, the report did not include data for DOJ's JTTFs or FIGs. DOJ has noted that JTTFs and FIGs are different from the other entities because JTTFs are operational law enforcement investigative entities and FIGs provide intelligence support to FBI Field Offices. However, GAO's April 2013 report identified areas in which the missions and activities of JTTFs and FIGs overlapped with those of the other entities and that coordination with other field based entities was important to prevent unnecessary overlap and potential duplication. 
    Considering the exclusion of two of the five entities, the agencies do not have a collective mechanism that can hold FIGs and JTTFs accountable for coordinating with the other field-based information sharing entities and allow the agencies to monitor progress and evaluate results across entities. Such a mechanism can help entities maintain effective relationships when new leadership is assigned and avoid unnecessary overlap in activities, which in turn can help entities to leverage scarce resources. As of March 2017, DOJ had provided no new updates. GAO will continue to monitor DOJ's progress in this area.
    Recommendation: To help identify where agencies and the field-based entities they support could apply coordination mechanisms to enhance information sharing and reduce inefficiencies resulting from overlap, the Secretary of Homeland Security, the Attorney General, and the Director of ONDCP should work through the ISA IPC or otherwise collaborate to identify characteristics of entities and assess specific geographic areas in which practices that could enhance coordination and reduce unnecessary overlap, such as cross-entity participation on governance boards and colocation of entities, could be further applied. The results of this assessment could be used by the agencies to provide recommendations or guidance to the entities to create coordinated governance boards or colocate entities, which can result in increased efficiencies through shared facilities and resources and reduced overlap through coordinated or collaborative products, activities, and services.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: The Department of Justice (DOJ), in coordination with the Department of Homeland Security (DHS) and the Office of National Drug Control Policy (ONDCP), has made progress toward addressing GAO's April 2013 recommendation but has not included all of the relevant field-based information sharing entities in its efforts. The three agencies have taken the necessary steps to assess the extent to which practices that can enhance coordination are being implemented at state and urban area fusion centers, Regional Information Sharing System (RISS) centers, and High Intensity Drug Trafficking Area (HIDTA) Investigative Support Centers through their involvement in an interagency policy committee within the Executive Office of the President. However, the assessment did not include DOJ's Federal Bureau of Investigation's (FBI) Joint Terrorism Task Forces (JTTF) or Field Intelligence Groups (FIG), two of the five field-based entities included in GAO's April 2013 report. In December 2015, DHS, DOJ, and ONDCP developed a field-based partners report in which DOJ and ONDCP collected and reported data elements for RISS centers and HIDTA Investigative Support Centers similar to those DHS uses in its annual fusion center assessment. These data were focused on field-based collaboration, including governance, colocation, and other information sharing, analytic, and deconfliction-focused topics. However, the report did not include data for DOJ's FBI JTTFs or FIGs. A collaborative assessment of where practices that enhance coordination can be applied to reduce overlap, collaborate, and leverage resources for all five field-based information-sharing entities would allow the agencies to provide recommendations or guidance to the entities on implementing these practices. As of March 2017, DOJ had provided no new updates. GAO will continue to monitor DOJ's progress in this area.
    Recommendation: To help ensure that an assessment of practices that could enhance coordination and reduce unnecessary overlap is shared and used to further enhance collaboration and efficiencies across agencies, the Program Manager, with input from the ISA IPC collaborating agencies, should report in the Information Sharing Environment (ISE) annual report to Congress the results of the assessment, including any additional coordination practices identified, efficiencies realized, or actions planned.

    Agency: Office of the Director of National Intelligence: Office of the Program Manager--Information Sharing Environment
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. Status last updated August 31, 2017.
    Director: Trimble, David C
    Phone: (202) 512-3841

    3 open recommendations
    including 3 priority recommendations
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, the Administrator of EPA should consider promulgating a rule under TSCA section 8, or take action under another section, as appropriate, to require chemical companies to report chemical toxicity and exposure-related data they have submitted to the European Chemicals Agency.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report chemical toxicity and exposure-related data submitted to the European Chemicals Agency due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the law was signed by the President on June 22, 2016, EPA finalized a rule to establish the agency's process for evaluating high priority chemicals to determine whether or not they present an unreasonable risk to health or the environment and finalized a rule to require industry reporting of chemicals manufactured or processed in the US over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our recommendation. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, the Administrator of EPA should consider promulgating a rule under TSCA section 8, or take action under another section, as appropriate, to require chemical companies to report exposure-related data from processors to EPA.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report exposure-related data from processors to EPA due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the law was signed by the President on June 22, 2016, EPA has completed some implementation activities, including finalizing a rule to require industry reporting of chemicals manufactured or processed in the US over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our open recommendation. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, and to better position EPA to ensure chemical safety under existing TSCA authority, the Administrator of EPA should direct the appropriate offices to develop strategies for addressing challenges that impede the agency's ability to meet its goal of ensuring chemical safety. At a minimum, the strategies should address challenges associated with: (1) obtaining toxicity and exposure data needed to conduct ongoing and future TSCA Work Plan risk assessments, (2) gaining access to toxicity and exposure data provided to the European Chemicals Agency, (3) working with processors and processor associations to obtain exposure-related data, (4) banning or limiting the use of chemicals under section 6 of TSCA and planned actions for overcoming these challenges--including a description of other actions the agency plans to pursue in lieu of banning or limiting the use of chemicals, and (5) identifying the resources needed to conduct risk assessments and implement risk management decisions in order to meet its goal of ensuring chemical safety.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report chemical toxicity and exposure data, analyze the data, take necessary actions, and identify the resources needed for evaluating and managing risk to ensure chemical safety due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the new law was signed by the President on June 22, 2016, EPA finalized a rule to establish the agency's process for evaluating high priority chemicals to determine whether or not they present an unreasonable risk to health or the environment and finalized a rule to require industry reporting of chemicals manufactured or processed in the U.S. over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our recommendation, including actually obtaining the data necessary to make risk-informed regulatory decisions, and then making those decisions as appropriate. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Director: Woods, William T
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To ensure that DOD organizations fully comply with interagency acquisition regulations, the Secretary of Defense should direct the Office of Defense Procurement and Acquisition Policy, as part of its ongoing interagency acquisition policy review, to ensure that its acquisition regulations, policies, and guidance on interagency contracting are updated to reflect new Federal Acquisition Regulation (FAR) rules, including those related to a best procurement approach determination.

    Agency: Department of Defense
    Status: Open

    Comments: In September 2014, DOD revised its acquisition regulations to incorporate additional guidance to ensure awareness of the total cost of interagency acquisitions, including fees, as part of making a determination that use of another agency's contract is in the best interest of DOD. However, DOD's regulations and guidance still do not reflect all of the factors described in the FAR which should be considered in making these determinations. In particular, DOD's regulations still do not mention assessing whether the requesting agency has the expertise to place orders and administer them against the selected contract vehicle throughout the acquisition lifecycle. In September 2017, DOD policy officials drafted new guidance to ensure that contracting officers document these factors, but this draft guidance is in the process of being reviewed and is not yet final.
    Director: Martin, Belva M
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: Recognizing that there are widespread requirements to know what is militarily critical, the Secretary of Defense should determine the best approach to meeting users' needs for a technical reference, whether it be MCTL, other alternatives being used, or some combination thereof.

    Agency: Department of Defense
    Status: Open

    Comments: In commenting on this report, the agency concurred with this recommendation but has not yet implemented it. As of August 2017, multiple approaches to maintaining a technical reference are still being considered.
    Recommendation: Recognizing that there are widespread requirements to know what is militarily critical, the Secretary of Defense should ensure that resources are coordinated and efficiently devoted to sustain the approach chosen.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, multiple approaches to maintaining a technical reference are still being considered.
    Director: Cackley, Alicia P
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To better enable CPSC to target unsafe consumer products, Congress may wish to amend section 29(f) of CPSA to allow CPSC greater ability to enter into information-sharing agreements with its foreign counterparts that permit reciprocal terms on disclosure of nonpublic information.

    Agency: Congress
    Status: Open

    Comments: As of July 31, 2017, Section 29 of CPSA had not been amended since 2008. In 2013, a bill was introduced (S.1887) but not passed. That bill would have allowed "the Commission, when sharing information under the federal-state cooperation program with a foreign government agency for official law enforcement or consumer protection purposes, to authorize a foreign government agency to make that information available to another agency of the same foreign government (including a political subdivision of that foreign government that is located within the same territory or administrative area as the agency disclosing the information) if an appropriate official of the foreign government agency disclosing the information certifies (by prior agreement, memorandum of understanding with the CPSC, or other written certification) that it will establish and apply specified confidentiality restrictions under the Consumer Product Safety Act."
    Director: Caldwell, Stephen L
    Phone: (202)512-9610

    1 open recommendation
    Recommendation: To better ensure consistent implementation of and accountability for DHS's resilience policy, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to develop an implementation strategy for this new policy that identifies the following characteristics and others that may be deemed appropriate: (1) steps needed to achieve results, by developing priorities, milestones, and performance measures; (2) responsible entities, their roles compared with those of others, and mechanisms needed for successful coordination; and (3) sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In the 60-day letter provided in January 2013, DHS indicated that the Resilience Integration Team (RIT) was developing a draft implementation plan to be circulated among relevant stakeholders for review. On 10/30/13, we notified DHS that we would like to see a copy of the resilience policy implementation plan (if developed), or any other related documentation if the plan is still in development. We were informed later that day that a draft plan had been developed, and DHS needed to confirm its status. In May of 2015, we were told again that a draft plan had been developed but never finalized. As of August 2015, DHS's Policy Office is looking into the status of plan development. We await their response. DHS response still pending as of 10/4/16.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should develop and implement a new comprehensive and reliable system for contract guard oversight.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FPS officials, as of September 2017, FPS is currently reviewing proposals and preparing to make a decision for the final contract award for a Post Tracking System (PTS). According to FPS, this PTS will allow FPS to comprehensively and reliably manage its contract guards. Once the contract is awarded in late 2017, FPS will begin to implement the PTS system. GAO is keeping this recommendation open pending successful implementation of this system.
    Recommendation: Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should verify independently that FPS's contract guards are current on all training and certification requirements.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FPS officials, as of September 2017, FPS plans to address this recommendation through the implementation of FPS's Training Academy and Management System (TAMS). FPS reported that this system should allow it to verify independently that FPS's contract guards are current on all training and certification requirements. FPS is currently taking various steps to finalize the system and anticipates full implementation of TAMS by August 2018. GAO is leaving this recommendation open pending successful implementation of TAMS.
    Director: Shames, Lisa R
    Phone:

    1 open recommendation
    Recommendation: To enhance the effectiveness of the food safety system for catfish and avoid duplication of effort and cost, Congress should consider repealing provisions of the Farm Bill that assigned USDA responsibility for examining and inspecting catfish and for creating a catfish inspection program.

    Agency: Congress
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Martin, Belva M
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To better inform management and resource allocation decisions, effectively manage limited export control enforcement resources, and improve the license determination process, the Secretary of Homeland Security and the Attorney General, as they implement efforts to track resources expended on export control enforcement activities, should use such data to make resource allocation decisions.

    Agency: Department of Justice
    Status: Open

    Comments: DOJ had identified plans to make continual improvements to the investigative and prosecutorial data to allow better tracking and refined resource allocation decisions going forward. However, we have not been able to obtain status information from Justice despite our attempts.
    Recommendation: To better inform management and resource allocation decisions, effectively manage limited export control enforcement resources, and improve the license determination process, the Secretary of Homeland Security, in consultation with the departmental representatives of the Export Enforcement Coordination Center, including Commerce, Justice, State, and the Treasury should (1) leverage export control enforcement resources across agencies by building on existing agency efforts to track resources expended, as well as existing agency coordination at the local level; (2) establish procedures to facilitate data sharing between the enforcement agencies and intelligence community to measure illicit transshipment activity; and (3) develop qualitative and quantitative measures of effectiveness for the entire enforcement community to baseline and trend this data.

    Agency: Department of Homeland Security
    Status: Open

    Comments: To help track resources expended and coordination of enforcement resources, the E2C2 has ratified and implemented the investigative deconfliction protocol. The Export Enforcement Coordination Center (E2C2) has also ratified and implemented the dispute resolution protocol and it is being used by all E2C2 partners. These are two of seven standard operating procedures planned to be in use by the E2C2. The Intelligence Community engagement/information protocols are being addressed through the E2C2 Export Enforcement Intelligence Working Group to help facilitate data sharing, and ICE, through the E2C2, is still in the process of establishing interagency agreement on procedures to facilitate data sharing between the enforcement agencies and intelligence community to assist in measuring illicit transshipment activity. The E2C2 Intel Cell White Paper is complete, but the Cell is not staffed or operational. This Cell is to serve as the primary interagency conduit for defining, establishing, and implementing protocols and facilitating information sharing between the IC and export enforcement community. The white paper outlines the E2C2 Intel Cell's mission, general roles and functions, recommended tasks and structure to facilitate enhanced coordination and intelligence sharing. When established, the Cell will develop standard operating procedures but this has not yet occurred. In late August 2016, the Department of Commerce assigned a new Assistant Director and one analyst to the E2C2. Efforts to formalize an intelligence analytical unit and draft a corresponding SOP are ongoing as of the summer of 2017.
    Director: Trimble, David C
    Phone: 202-512-9338

    5 open recommendations
    including 4 priority recommendations
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development to assess the feasibility and appropriateness of the established time frames for each step in the IRIS assessment process and determine whether different time frames should be established, based on complexity or other criteria, for different types of IRIS assessments.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016 we reviewed information provided by EPA related to this recommendation. In July 2013, EPA issued "enhancements" to the IRIS process, and throughout 2016 EPA provided us with details on its online chemical information. EPA stated that the Program introduced the idea that different timelines are needed for different types of assessments based on criteria such as complexity (i.e., large database, many endpoints, complex questions about dose-response, multiple science issues, and novel approaches), potential public health impact, and the amount of new research that needs to be considered. Consequently, two sets of timelines for the IRIS assessment process were developed, one set for "standard" assessments and one set for "complex" assessments. GAO believes that this is important progress but that EPA needs to continue to determine whether different time frames should be established.
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development, should different time frames be necessary, to establish a written policy that clearly describes the applicability of the time frames for each type of IRIS assessment and ensures that the time frames are realistic and provide greater predictability to stakeholders.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016 we reviewed information provided by EPA related to this recommendation. While in July 2013, EPA issued "enhancements" to the IRIS process and provided us with details on the online information available for each chemical, a written policy that is publicly available is still needed. EPA stated that the Program introduced the idea that different timelines are needed for different types of assessments based on criteria such as complexity (i.e., large database, many endpoints, complex questions about dose-response, multiple science issues, and novel approaches), potential public health impact, and the amount of new research that needs to be considered. Consequently, two sets of timelines for the IRIS assessment process were developed, one set for "standard" assessments and one set for "complex" assessments. GAO believes that EPA has made progress and we will continue to review information provided by EPA as they work to ensure that the time frames are realistic and provide greater predictability to stakeholders.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to annually publish the IRIS agenda in the Federal Register each fiscal year.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In October 2016, EPA provided an update to GAO and said they believe they have met the intent of this GAO recommendation by publishing an IRIS Multi-Year Agenda in December 2015. According to EPA, the Multi-Year Agenda provides detailed information on near-term agency priorities including IRIS assessments that are ongoing and those that will be initiated over the next few years. EPA also told GAO that they are working to update the information provided on the status of each ongoing IRIS assessment. As this important work continues, GAO will monitor EPA's progress and determine if the information provides IRIS users with transparent information about assessments.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to indicate in published IRIS agendas which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016, EPA provided an update to GAO and said they believe they have met the intent of this GAO recommendation by publishing an IRIS Multi-Year Agenda in December 2015. According to EPA, the Multi-Year Agenda provides detailed information on near-term agency priorities including IRIS assessments that are ongoing and those that will be initiated over the next few years. GAO still believes that annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program is critical for IRIS users and specifically which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to update the IRIS Substance Assessment Tracking System (IRISTrack) to display all current information on the status of assessments of chemicals on the IRIS agenda, including projected and actual start dates, and projected and actual dates for completion of steps in the IRIS process, and keep this information current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016, EPA provided an update to GAO and said they believe they have met the intent of this GAO recommendation by publishing an IRIS Multi-Year Agenda in December 2015. According to EPA, the Multi-Year Agenda provides detailed information on near-term agency priorities including IRIS assessments that are ongoing and those that will be initiated over the next few years. GAO still believes that annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program is critical for IRIS users. In addition, the Agenda does not identify projected start dates for new assessments, and therefore is not ensuring that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users.
    Director: Chaplain, Cristina T
    Phone: (202)512-3000

    1 open recommendation
    Recommendation: To continue to ensure funded Space Act agreements are used and managed appropriately, the Administrator of NASA should direct the appropriate offices to update the agency's policies and guidance to incorporate controls for documenting, at a minimum, the agency's decision to use a funded Space Act agreement and its analysis supporting the determination that no other instrument is feasible, as well as the agency's assessment of the fairness and reasonableness of the costs it is contributing to an effort conducted using a funded Space Act agreement.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: NASA updated its acquisition policy directive (NPD 1000.5), which outlines its strategic acquisition planning process, in 2013. Although this document only obliquely refers to NASA's other transaction authority (of which funded Space Act agreements (SAAs) are a part), it does link the use of Space Act agreements to NASA's strategic acquisition planning process. Additionally, in August 2017 NASA issued a memo implementing interim guidance for new procedural requirements for Space Act agreements pursuant to Section 841 of the NASA Authorization Act of 2017. This guidance specifies the applicability of requirements to document decisions to use funded SAAs, including a specific determination that other instruments are not feasible, which meets the intent of part of this recommendation. However, guidance relating to NASA's assessment of the fairness and reasonableness of the costs it is contributing under a funded SAA is forthcoming as an update to the Space Act Agreements Guide, expected in mid-September 2017. As such this recommendation will remain open until that document is updated.
    Director: Caldwell, Stephen L
    Phone: (202)512-3000

    1 open recommendation
    Recommendation: To strengthen the Coast Guard's efforts to ensure the security of OCS facilities and deepwater ports, the Commandant of the Coast Guard should make improvements to the Marine Information for Safety and Law Enforcement (MISLE) database or MISLE guidance to better ensure that all OCS facilities, both fixed and floating, are accurately and consistently identified and that the results of security inspections are consistently recorded to allow for better data analyses and management of the security inspections process.

    Agency: Department of Homeland Security: United States Coast Guard
    Status: Open

    Comments: In June 2015, the Coast Guard updated its Marine Information for Safety and Law Enforcement (MISLE) Facilities User Guide to reflect an added feature to MISLE that allows users to identify if a vessel or facility is an OCS facility regulated under the Maritime Transportation Security Act (MTSA), 33 CFR 106. To ensure that this added feature is used in a consistent manner to accurately classify facilities that are regulated under 33 CFR 106, the Coast Guard is in the process of updating Navigation and Vessel Inspection Circular 05-03. In mid-November 2016, the Coast Guard liaison noted that the Coast Guard expects to issue the updated circular and complete related activities by the end of October 2017. On March 24, 2017, the Coast Guard liaison sent an email to notify GAO that the Coast Guard is still awaiting final decision on deployment of Homeport 2.0, prior to finalizing NVIC 5-03 and that the MISLE User Guide remains under development, with the estimated completion date (ECD) remaining as 10/31/17.
    Director: St James, Lorelei
    Phone: (214)777-5719

    1 open recommendation
    Recommendation: To know whether its data on committed spending can be relied on to determine state DOTs' progress in meeting goals, to enhance FHWA's ability to know whether state DOTs meet their DBE goals, and to help increase transparency in the reporting of spending on DBEs, the Secretary of Transportation should direct the FHWA Administrator, in the information it provides to decision makers, including Congress, to include statements about potential limitations of the data it uses to determine state DOTs' progress towards goals.

    Agency: Department of Transportation
    Status: Open

    Comments: An official from the Department of Transportation said that the agency expects the recommendation to be met with a final rule regarding disadvantaged business enterprises, which will be signed by the Secretary of the Department of Transportation by the end of the calendar year.
    Director: Goldstein, Mark L
    Phone: (202)512-6670

    2 open recommendations
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of April 2017, the Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Justice
    Status: Open

    Comments: As of April 2017, the Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    1 open recommendation
    Recommendation: To facilitate better agency understanding of the potential need and feasibility of expanding electronic verification of seafarers, to improve data collection and sharing, and to comply with the Inflation Adjustment Act, the Secretary of Homeland Security should direct the Commandant of the Coast Guard and Commissioner of CBP to jointly establish an interagency process for sharing and reconciling records of absconder and deserter incidents occurring at U.S. seaports.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred and stated that U.S. Customs and Border Protection (CBP) and the Coast Guard would begin to assess the appropriate offices within each component involved in the review and to establish a working group to evaluate the current reporting process within each component, and between CBP and Coast Guard. Further, DHS noted that it was working to co-locate the Coast Guard's ICC Coastwatch and CBP's National Targeting Center-Passenger and that this would help to eliminate many of the absconder- and deserter-reporting inconsistencies GAO identified between Coast Guard and CBP. In January 2013, CBP and Coast Guard officials reported that they had studied the CBP and Coast Guard data and found that multiple factors had likely contributed to the data variances, including differences in definitions for absconders/deserters among CBP and Coast Guard field units, and the method in which field units had recorded and reported absconder and deserter incidents. Officials reported that the two agencies were planning to develop an interagency memorandum of agreement (MOA) with field guidance for reporting absconder and deserter incidents. Officials reported that they expected to finalize and implement the MOA and field guidance by November 30, 2013. In July 2014, CBP described a new process in place for interagency data reconciliation, reporting that this action was taken in lieu of previously discussed plans to develop an interagency MOU. In December 2015, CBP reported that it expected to complete the effort by March 2016. In March 2016, CBP reported that it expected to complete the effort by September 2016. CBP officials reported that the Coast Guard and CBP determined that the absconder data variances were caused by the agencies using different reporting criteria. Officials reported that the two agencies were preparing a memo and guidance to issue to field units by August 31, 2016. Officials reported that the recommendation would be fully implemented by September 30, 2016. In September 2016, CBP reported that it expected to implement the effort by December 31, 2016. In December 2016, CBP reported that the agency had drafted a memo to coincide with new Coast Guard procedure for conducting asymmetric migration vetting and deconfliction. CBP was also working to require all ports of entry to report all maritime asymmetric migration events directly to Coastwatch or a Targeting Framework event. However, on October 18, 2016, the DHS Deputy Secretary issued Department Policy Regarding Investigative Data and Event Deconfliction Policy Directive 045-04 that sets forth DHS policy for investigative data and event deconfliction and the use of related deconfliction systems in the course of certain law enforcement activity. As a result of the newly published Directive, DHS requires that CBP develop and implement related policy, by January 17, 2017. The policy directive requires DHS components to develop a policy applicable to components having equities in Investigative Data and Event Deconfliction. The policy will focus on more effective coordination of investigative activity to ensure officer safety by identifying links between ongoing criminal investigations. The Policy also requires that CBP components, at a minimum, conduct deconfliction through the Deconfliction and Information Coordination Endeavor, Regional Information Sharing Systems Officer Safety Event Deconfliction System, Secure Automated Fast Event Tracking Network or Case Explorer systems. CBP and Coast Guard are now looking at a directive which makes it a port responsibility to deconflict case related information. The timeline for drafting and finalizing that directive is January 2017. Because of this change in direction, CBP and Coast Guard are requesting an extension to March 31, 2017 to finalize and disseminate the new policy.
    Director: St James, Lorelei
    Phone: (214)777-5719

    1 open recommendation
    Recommendation: To improve the management and oversight of the Low-Income Program, the Chairman of the FCC should conduct a robust risk assessment of the Low-Income Program.

    Agency: Federal Communications Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Goldstein, Mark L
    Phone: (202)512-3000

    3 open recommendations
    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should, based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.

    Agency: Federal Communications Commission
    Status: Open

    Comments: In April 2014, FCC approved USAC's hiring of a contractor to conduct a risk assessment of the E-rate program. FCC plans to implement this recommendation after the risk assessment is completed and the results of the risk assessment can be used to inform the examination of the internal control structure.
    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.

    Agency: Federal Communications Commission
    Status: Open

    Comments: In April 2014, FCC approved the hiring of a contractor to conduct a risk assessment of the E-rate program. In July 2014, an FCC official said that the agency was planning to take action on this recommendation before the risk assessment is completed.
    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.

    Agency: Federal Communications Commission
    Status: Open

    Comments: In April 2014, FCC approved the hiring of a contractor to conduct a risk assessment of the E-rate program. In July 2014, an FCC official said that the agency was planning to take action on this recommendation before the risk assessment is completed.
    Director: Melvin, Valerie C
    Phone: (202)512-6304

    3 open recommendations
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to ensure implementation of a requirements management plan that reflects leading practices for requirements development and management. Specifically, implementation of the plan should include analyzing requirements to ensure they are complete, verifiable, and sufficiently detailed to guide development, and maintaining requirements traceability from high-level operational requirements through detailed low-level requirements to test cases.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments on our report, VA concurred with this recommendation and in August 2014, identified initial actions the department had taken in response. Specifically, as part of its plans to issue a request for proposals to acquire a replacement scheduling system under its Medical Appointment Scheduling System (MASS) project, VA developed a Business Requirements Document that defines its specific business needs, capabilities, features, and constraints. Additionally, the department reported that it intends to manage and document requirements using processes supported by a Web-based tool called Rational Doors. In August 2015, VA's Office of Acquisition, Logistics, and Construction awarded a contract for the MASS project. However, in April 2016, the department paused MASS to evaluate an alternative project to enhance its legacy scheduling system. Subsequently, in early 2017, the department restarted the MASS project. Nevertheless, as of June 2017, the department had not developed a requirements management plan for MASS. Thus, the MASS project has not yet reached the point where the effectiveness of the requirements management activities we recommended can be assessed.
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to adhere to the department's guidance for system testing including (1) performing testing incrementally and (2) resolving defects of average and above severity prior to proceeding to subsequent stages of testing.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments on our report, VA concurred with this recommendation and stated that testing was managed using documented, repeatable processes that are included in the department's ProPath Web-based tool. According to the Acting Deputy Chief Information Officer for Product Development, the Medical Appointment Scheduling System (MASS) project is expected to incorporate Agile software development practices, including the use of incremental testing. In August 2015, the department awarded a contract for the MASS project that included task orders for the development of test plans. However, in April 2016, the department paused MASS to evaluate an alternative to enhance its legacy scheduling system. In early 2017, the department restarted the MASS project, but as of June 2017, had not developed a test plan for MASS. Thus, the project has not yet reached the point where adherence to the department's system testing guidance can be assessed.
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to ensure that the policies and procedures VA is establishing to provide meaningful program oversight are effectively executed and that they include (1) robust collection methods for information on project costs, benefits, schedule, risk assessments, performance metrics, and system functionality to support executive decision making; (2) the establishment of reporting mechanisms to provide this information in a timely manner to department IT oversight control boards; and (3) defined criteria and documented policies on actions the department will take when development deficiencies for a project are identified.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with this recommendation and identified various actions it has taken in response. Specifically, the department awarded a contract for its Medical Appointment Scheduling System (MASS) project in August 2015. However, in April 2016, it paused MASS to evaluate an alternative to enhance its legacy scheduling system. In June 2017, VA reported that the MASS project had been resumed and indicated that it would adhere to the department's Veteran-focused Intake Process (VIP), which is intended to ensure oversight, accountability, and traceability of all program activity. Also, the department reported that MASS had met its first VIP milestone, Critical Decision 1, in January 2017. However, key future activities, including product development and testing, have not yet been demonstrated, while VIP milestones (e.g., Critical Decision 2) have not yet been met. Thus, MASS has not reached the point where the effectiveness of project oversight can be fully assessed.
    Director: Stephenson, John B
    Phone: (202)512-6225

    1 open recommendation
    Recommendation: Because EPA alone cannot address the complexities of the nation's challenges in addressing environmental health risks for children, Congress may wish to consider re-establishing a government-wide task force on children's environmental health risks, similar to the one previously established by Executive Order 13045 and co-chaired by the Administrator of EPA and the Secretary of Health and Human Services. Congress may wish to consider charging it with identifying the principal environmental health threats to children and developing national strategies for addressing them. Congress may also wish to consider establishing in law the Executive Order's requirement for periodic reports about federal research findings and research needs regarding children's environmental health.

    Agency: Congress
    Status: Open

    Comments: As of December 2016, we have not identified actions by the Congress to establish in law requirements such as those in EO 13025.
    Director: Dinapoli, Timothy J
    Phone: (202)512-3000

    2 open recommendations
    Recommendation: To better inform acquisition decisions, assist DOD personnel in performing their management oversight responsibilities, and improve DOD's surveillance of services contracts, the Secretary of Defense should require before the award of any contract or issuance of task order for services closely supporting inherently governmental functions that program and contracting officials consider and document their assessment of the unique risks of these services and the steps that have been taken to mitigate such risks.

    Agency: Department of Defense
    Status: Open

    Comments: In providing comments on this report, DOD concurred with this recommendation and had initiated actions to provide additional guidance. As of September 2017, however, DOD has not provided additional guidance to its contracting officers on considering, documenting, and mitigating the risks associated with obtaining services closely associated with inherently governmental functions.
    Recommendation: To better inform acquisition decisions, assist DOD personnel in performing their management oversight responsibilities, and improve DOD's surveillance of services contracts, the Secretary of Defense should develop guidance to identify approaches that DOD should take to enhance management oversight when contractors provide services that closely support inherently governmental functions.

    Agency: Department of Defense
    Status: Open

    Comments: In providing comments on this report, DOD concurred with this recommendation and had initiated actions to provide additional guidance. As of September 2017, however, DOD has not provided additional guidance to its contracting officers on the steps they should take to enhance oversight of contractors providing services closely associated with inherently governmental functions.
    Director: Gambler, Rebecca S
    Phone: (202)512-8816

    4 open recommendations
    Recommendation: To improve the reliability and accountability of checkpoint performance results to the Congress and the public, the Commissioner of Customs and Border Protection should establish internal controls for management oversight of the accuracy, consistency, and completeness of checkpoint performance data.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found inconsistencies in the way field agents collected and entered performance data into the checkpoint information system. As a result, data reported in the system were unreliable. We recommended that Border Patrol establish internal controls to ensure the accuracy, consistency, and completeness of checkpoint performance data. In October 2009, the Border Patrol reported internal control solutions were underway, which would primarily involve upgrading its existing checkpoint data systems and creating a checkpoint data oversight protocol. In June 2013, Border Patrol reported that it was developing a redesigned checkpoint information system that should address the data errors and issues identified by our report. The agency also noted that it was exploring ways to implement a data oversight procedure and training on the importance of accurate data collection. In October 2014, the Border Patrol reported that the recommendation was being addressed in various phases, with a new expected completion date of March 2015. In June 2015, Border Patrol revised the expected completion date to September 2015. In September 2016, Border Patrol officials stated that the agency had not yet updated its checkpoint data system or created a data oversight protocol. Without established internal controls, the integrity of Border Patrol's performance and accountability system with regard to checkpoint operations remains uncertain.
    Recommendation: To improve the reliability and accountability of checkpoint performance results to the Congress and the public, the Commissioner of Customs and Border Protection should implement the quality of life measures that have already been identified by the Border Patrol to evaluate the impact that checkpoints have on local communities. Implementing these measures would include identifying appropriate data sources available at the local, state, or federal level, and developing guidance for how data should be collected and used in support of these measures.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found that the Border Patrol had identified some measures to evaluate the impact that checkpoints have on local communities in terms of quality of life, but Border Patrol had not implemented the measures. As a result, the Border Patrol lacked information on how checkpoint operations could affect nearby communities. In October 2009, the Border Patrol reported that it was reevaluating its checkpoint performance measures, including quality of life measures. In June 2012, Border Patrol reported that the University of Arizona and the University of Texas, El Paso had completed a study for CBP on checkpoints. This study made several recommendations to Border Patrol on evaluating the impact of checkpoints on local communities using quantitative measures and with maintaining regular contact with the public to elicit opinions on experiences with the checkpoint, both positive and negative. At the time, the Border Patrol noted it intended to develop quantitative measures on community impact, such as on public safety and quality of life, using information collected in the new checkpoint information system it was planning. Border Patrol also noted that it was considering the budgetary feasibility of (1) conducting a survey of checkpoint travelers to gather detailed information about the community and impact metrics that are of highest importance to the public and (2) implementing an expedited lane for regular and pre-approved travelers. In July 2014, the Border Patrol revised the expected completion date for this recommendation to March 2015, noting that it planned to request ideas from the field commanders on what the agency could measure that would accurately depict the impact of checkpoints on the community. In June 2015, Border Patrol revised the expected completion date to September 2015. 
    In September 2016, officials from Border Patrol's Checkpoint Program Management Office said quality of life measures had not been implemented and they were not aware of any plans to develop and implement such measures.
    Recommendation: To improve the reliability and accountability of checkpoint performance results to the Congress and the public, the Commissioner of Customs and Border Protection should use the information generated from the quality of life measures in conjunction with other relevant factors to inform resource allocations and address identified impacts.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found that while the Border Patrol's national strategy cites the importance of assessing the community impact of Border Patrol operations, the implementation of such measures was lacking in terms of checkpoint operations. We recommended that Border Patrol implement such measures in areas of community concern to provide greater attention and priority in Border Patrol operational and staffing decisions to address any existing issues. In October 2009, the Border Patrol reported that once it had completed an upgrade of its existing checkpoint data systems and had reevaluated its checkpoint performance measures, the agency would begin using information garnered by these performance measures to inform future resource allocation decisions. This was originally expected to be completed by September 30, 2010, but due to budgetary and other issues, the checkpoint system upgrades were not yet completed as of June 2013. Border Patrol reported to us in June 2013 that the redesigned and upgraded checkpoint information system was expected to be implemented in September 2014. In July 2014, however, Border Patrol revised its expected completion date to March 2016. In June 2015, Border Patrol reported that it was on target to meet this March 2016 completion date. However, in September 2016, officials from Border Patrol's Checkpoint Program Management Office stated that they were not aware of any planned or completed actions to address this recommendation.
    Recommendation: To ensure that the checkpoint design process results in checkpoints that are sized and resourced to meet operational and community needs, the Commissioner of Customs and Border Protection should, in connection with planning for new or upgraded checkpoints, conduct a workforce planning needs assessment for checkpoint staffing allocations to determine the resources needed to address anticipated levels of illegal activity around the checkpoint.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found that Border Patrol's checkpoint strategy to push illegal aliens and smugglers to areas around checkpoints--which could include nearby communities--underscores the need for the Border Patrol to ensure that it deploys sufficient resources and staff to these areas. We recommended that Border Patrol conduct a needs assessment when planning for a new or upgraded checkpoint in order to better ensure that officials consider the potential impact of the checkpoint on the community and plan for a sufficient number of agents and resources. In October 2009, Border Patrol reported that the agency was evaluating its checkpoint policy regarding the establishment of a new checkpoint or the upgrade of an old checkpoint, and checkpoint policy changes would be finalized by September 30, 2010. Border Patrol also reported that checkpoint system upgrades that capture data on checkpoint performance would help management determine future resource needs at checkpoints. In June 2013, Border Patrol reported that due to budget and other issues, the checkpoint system upgrade had not been completed, and the rewritten checkpoint data protocol had not been approved. In June 2013, Border Patrol reported that as part of the checkpoint study conducted by the DHS Centers of Excellence, the Centers created checkpoint simulation tools that would help inform resource allocations when determining the number of inspection lanes on current or new checkpoints. The Border Patrol agreed with the utility of such a model, but noted that the Border Patrol would need to purchase modeling software--a cost-prohibitive measure in the current budget environment. In the interim, Border Patrol is developing a formal workforce staffing model to identify staffing strategies for all Border Patrol duties. Border Patrol expected to implement this model for checkpoint staffing assignments in fiscal year 2014.
    However, in July 2014, Border Patrol reported that the Border Patrol Personnel Requirements Determination project was still being developed and would not be complete until 2015. That process will inform staffing at checkpoints. As a result, Border Patrol revised its expected implementation date to September 2015. In June 2015, Border Patrol reported that it was on target to implement this recommendation by September 2015. In September 2016, Border Patrol officials reported that the agency's Personnel Requirements Determination process would not provide information on staffing needs until fiscal year 2017 or 2018, and also noted that this effort is not specifically examining staffing needs at checkpoints. Officials said there could be additional ways to address the recommendation, but that there were no ongoing efforts to do so apart from any information that may be available from the Personnel Requirements Determination process.
    Director: Brown, Orice Williams
    Phone: (202) 512-3000

    5 open recommendations
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to determine in advance the amounts built into the payment rates for estimated expenses and profit.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA is continuing (as of 08/29/2014) to analyze Write-Your-Own (WYO) payments and related flood expenses for selected companies and is evaluating the reliability (accuracy, consistency, etc.) of the National Association of Insurance Commissioners (NAIC) data for purposes of performing the analysis we had recommended.
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to annually analyze the amounts of actual expenses and profit in relation to the estimated amounts used in setting payment rates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its initial response to this report, FEMA did not concur with this recommendation. In November 2016, FEMA restated its position and concurs with this recommendation, and is in the process of implementing it.
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to consider the results of the analysis of payments, actual expenses, and profit in evaluating the methods for paying WYOs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA is continuing (as of 08/29/2014) to analyze WYO payments and related flood expenses for selected companies and is evaluating the reliability (accuracy, consistency, etc.) of the National Association of Insurance Commissioners (NAIC) data for purposes of performing the analysis we had recommended.
    Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to take actions to obtain reasonable assurance that NAIC flood insurance expense data can be considered in setting payment rates that are appropriate, including identifying affiliated company profits in reported flood insurance expenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA continues (as of 08/29/2014) to work with the National Association of Insurance Commissioners (NAIC) to improve the consistency with which commission, operating, and loss adjustment expenses are reported by insurance companies that participate in the National Flood Insurance Program.
    Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to develop comprehensive data analysis strategies to annually test the quality of flood insurance data that WYOs report to NAIC.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA continues (as of 08/29/2014) to work with the National Association of Insurance Commissioners (NAIC) to improve the consistency with which commission, operating, and loss adjustment expenses are reported by insurance companies that participate in the National Flood Insurance Program.
    Director: Dillingham, Gerald L
    Phone: (202)512-4803

    1 open recommendation
    Recommendation: To help FAA improve the data on and the safety of air cargo operations, the Secretary of Transportation should direct the FAA Administrator to gather comprehensive and accurate data on all part 135 cargo operations to gain a better understanding of air cargo accident rates and better target safety initiatives. This can be done by separating out cargo activity in FAA's annual survey of aircraft owners or by requiring all part 135 cargo carriers to report operational data as part 121 carriers currently do.

    Agency: Department of Transportation
    Status: Open

    Comments: In 2017, FAA reported that the agency has determined that a redesign of the General Aviation and Part 135 Activity Survey (GA Survey) is not required to address the recommendation, as originally considered. Beginning with the GA survey for year 2016--survey results are being processed--FAA will identify aircraft certified for cargo operations and use the certificate type to break out operational data for cargo operations. FAA also discussed this plan with stakeholders, including the Regional Air Cargo Carriers Association, and believes this new approach will meet the recommendation for gathering comprehensive and accurate data on all part 135 cargo operations. In June 2017, FAA informed us that the agency expects to release the 2016 GA survey by October 31, 2017.
    Director: Trimble, David
    Phone: (202) 512-3000

    3 open recommendations
    Recommendation: To improve the management of the stockpile life extension program, the Administrator of NNSA should direct the Deputy Administrator for Defense Programs to develop a realistic schedule for the W76 warhead and future life extension programs that allows NNSA to (1) address technical challenges while meeting all military requirements and (2) build in time for unexpected technical challenges that may delay the program.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: In past and ongoing work, GAO has identified areas where NNSA's modernization plans may not align with planned funding requests over the Future Years Nuclear Security Plan (FYNSP) and post-FYNSP periods. Based on the FY 2014 Stockpile Stewardship and Management Plan (SSMP) (GAO-14-45), NNSA plans to work on five LEPs or major alterations through 2038. The FY 2014 SSMP states that the LEP workload represents a resource and production throughput challenge that requires improvements in LEP planning and execution. GAO's analysis indicates there is limited contingency time built into the LEP schedules, all of which are technically ambitious. Any delays in schedules could lead to an increase in program costs or a reduction in the number built for any of the LEPs, both of which have occurred in prior and ongoing LEPs. While NNSA has acknowledged issues and identified some steps to improve the LEP process, this recommendation will remain open and unimplemented until NNSA demonstrates successful LEP and refurbishment execution. We recently reconfirmed this finding in GAO-17-341 where we found the following: In some cases, NNSA's fiscal year 2017 nuclear security budget materials do not align with the agency's modernization plans, both within the 5-year Future-Years Nuclear Security Program (FYNSP) for fiscal years 2017 through 2021 and beyond, raising concerns about the affordability of NNSA's planned portfolio of modernization programs.
    Recommendation: To improve the management of the stockpile life extension program, the Administrator of NNSA should direct the Deputy Administrator for Defense Programs to ensure that the program managers responsible for overseeing the construction of new facilities directly related to future life extension programs coordinate with the program managers of such future programs to avoid the types of delays and problems faced with the construction and operation of the Fogbank manufacturing facility for the W76 program.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: A number of Stockpile Stewardship and Management Plans (SSMP) state that the life extension program (LEP) workload represents a resource and production throughput challenge that requires improvements in LEP planning and execution. The officials elaborated that the main area that will be strained is pit production. The alternate plutonium strategy needs to be resourced fully to support the W78/88-1 LEP. Additionally, the officials said that the UPF transition needs to go as planned or there will be challenges in completing all of the planned LEPs. As such, this recommendation will remain open.
    Recommendation: To improve the management of the stockpile life extension program, the Administrator of NNSA should direct the Deputy Administrator for Defense Programs to ensure that program managers for the construction of new facilities for future life extensions base their schedule for the construction and start-up of a facility on the life extension program managers' needs identified in their risk mitigation strategies.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: NNSA has generally improved its management of construction projects, to include requirements setting, Analysis of Alternatives, independent cost estimates, etc. However, it is too soon to tell if these positive developments will help--or hinder--LEPs that are underway or are being conducted. Key uranium activities, to include construction and operating funds, will not be complete until 2025; key plutonium activities are underway as well, but will not be complete until the late 2020s. As a result, this recommendation will need to remain open.
    Director: Crosse, Marcia G
    Phone: (202)512-3407

    1 open recommendation
    Recommendation: The Secretary of Health and Human Services should direct the FDA Commissioner to expeditiously take steps to issue regulations for each class III device type currently allowed to enter the market through the 510(k) process. These steps should include issuing regulations to (1) reclassify each device type into class I or class II, or requiring it to remain in class III, and (2) for those device types remaining in class III, require approval for marketing through the PMA process.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA has taken steps to respond to this recommendation; however, we are leaving the recommendation open because the agency has not yet taken final steps to reclassify or require premarket approval (PMA) for two class III device types allowed to enter the market through the less stringent 510(k) process. In 2009, FDA began a 5-step process to reclassify or to require PMAs for 26 class III device types. This process was modified by the Food and Drug Administration Safety and Innovation Act (FDASIA)--instead of issuing regulations as the final step, FDA issues an administrative order to reclassify or require PMAs for the device types. In 2014, the agency reported it had set a goal to have all remaining devices finalized by the second quarter of 2015; however, as of August 2017, FDA had not finished the process of reclassifying or requiring PMAs for 2 of 26 device types. The agency reported completing the process for 24 device types, and provided new planned milestones to complete the process for the remaining device types by the middle of 2018. We will leave this recommendation open until FDA makes progress in reclassifying or requiring PMAs for the remaining device types.
    Director: Williams, Orice M
    Phone: (202)512-5837

    2 open recommendations
    Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to take steps to ensure that its rate-setting methods and the data it uses to set rates result in full-risk premium rates that accurately reflect the risk of losses from flooding. These steps should include, for example, verifying the accuracy of flood probabilities, damage estimates, and flood maps; ensuring that the effects of long-term planned and ongoing development, as well as climate change, are reflected in the flood probabilities used; and reevaluating the practice of aggregating risks across zones.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of January 2017, FEMA is taking steps to verify the accuracy of flood probabilities by collecting and analyzing data from flood insurance studies. FEMA is also continuing to monitor the completion of these studies to determine when a statistically valid amount of data is available so that it can better assess flood risk. To verify the accuracy of damage estimates, FEMA is collecting data required to revise its estimates of flood damage and is undertaking studies to determine factors beyond flood water depth that contribute to flood damage. FEMA will incorporate that information into its rate-setting methodology as the necessary data becomes available. To verify the accuracy of flood maps, FEMA continues to reassess flood risk, evaluate coastal flood maps, and update its overall map inventory. To ensure that flood probabilities reflect long-term and ongoing planned development and climate change, FEMA is working with the Technical Mapping Advisory Committee to ensure the best available information on flood probabilities is used for rate-setting. In addition, as FEMA collects information on flood probabilities, it will conduct analyses to evaluate the practice of classifying risk across zones.
    Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to ensure that information is collected on the location, number, and losses associated with existing and newly created grandfathered properties in NFIP and to analyze the financial impact of these properties on the flood insurance program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: To assess the impact of grandfathered properties on the NFIP, as of January 2017, FEMA has begun to develop a process to obtain current zone designations for all existing policyholders. In addition, FEMA is requiring zone determination data to be updated as flood maps change. According to FEMA, this will allow officials to determine which policyholders are grandfathered but will not allow the determination of a property-specific rate in all circumstances.
    Director: Kingsbury, Nancy R
    Phone: (202)512-6570

    4 open recommendations
    Recommendation: In order to improve the information available to the Congress for reauthorization, the Secretary of Transportation should analyze and report on trends currently anticipated to affect highway safety through 2020 and beyond in a systematic fashion--including information on high-clockspeed trends, discussion of evidence about these and other individual trends, their implications and potential interactions, and DOT responses.

    Agency: Department of Transportation
    Status: Open

    Comments: DOT has not responded to this recommendation, but DOT announced a distracted driving summit September 30-October 1, 2009, with a limited number of invitees, and invited the GAO Assistant Director on this report to participate. U.S. Transportation Secretary Ray LaHood stated that the purpose of the summit is "to address the dangers of text-messaging and other distractions behind the wheel." The summit will include "senior transportation officials, elected officials, safety advocates, law enforcement representatives and academics" who will convene in Washington, DC "to discuss ideas about how to combat distracted driving."
    Recommendation: The Secretary of Transportation should evaluate whether or not new approaches to data collection are needed to better track new trends related to highway safety.

    Agency: Department of Transportation
    Status: Open

    Comments: DOT has not responded to this recommendation.
    Recommendation: In order to develop an approach to decision making and the development of evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty, the Secretary of Transportation should consider and evaluate practices and principles for making decisions under conditions of uncertainty and for using data in such decision making and, on that basis, develop an approach to guide decision making on high-clockspeed trends that, although somewhat uncertain, may affect highway safety.

    Agency: Department of Transportation
    Status: Open

    Comments: In GAO-09-56, GAO recommended that the Secretary of Transportation consider and evaluate practices and principles for making decisions under conditions of uncertainty and for using data, in light of issues encountered in developing evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty. GAO had studied driver distraction involving electronic devices, in particular cell phones with texting capability, and identified these evolving electronic devices as a high-clockspeed trend. DOT reports several actions on distracted driving, specifically: (1) an Executive Order to federal employees not to engage in text messaging while driving government-owned vehicles; when using electronic equipment supplied by the government while driving; or while driving privately owned vehicles when they are on official business; (2) the Secretary called on state and local governments to (a) make distracted driving part of their state highway plans, (b) pass state and local laws against distracted driving in all types of vehicles, (c) back up public awareness campaigns with high-visibility enforcement actions; (3) the Secretary directed the Department to establish an on-line clearinghouse on the risks of distracted driving and also (4) pledged to continue the Department's research on how to best combat distracted driving. DOT also notes that the Department's www.distraction.gov website provides information on the latest data on distracted driving and that 34 states have passed laws against texting and driving since the 2009 announcement by the Secretary of DOT.
    Recommendation: In order to improve the information available to the Congress for reauthorization, the Secretary of Transportation should determine, in consultation with relevant congressional committees, schedules for periodic reporting that will be sufficiently frequent to update the Congress on fast-changing trends.

    Agency: Department of Transportation
    Status: Open

    Comments: DOT has not responded to this recommendation.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it had substantially completed its corrective actions to address 19 penalty programming issues it had identified from its internal assessment of penalty computation programs. However, as of September 30, 2016, IRS had not provided us with supporting documentation to validate that it completed the corrective actions. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Director: Dicken, John E
    Phone: (202) 512-7043

    1 open recommendation
    Recommendation: To help states identify and address quality-of-care concerns among individuals with developmental disabilities receiving Medicaid HCBS waiver services, the Administrator of CMS should encourage states to (1) include death as a critical incident and conduct mortality reviews if they do not already do so and (2) broaden their mortality review processes if they already include death as a critical incident and conduct mortality reviews.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: In August 2009, CMS stated that it anticipated adding a question about mortality reviews to its next web-based version of the Home and Community-Based Services waiver application. CMS also indicated at that time that the next application version (i.e., Version 3.6) would be released in 2010. However, in July 2010, CMS indicated that this version would not be produced until 2011. In its 2011 update, CMS indicated that the version 3.6 online application had not yet been operationalized and therefore the recommendation should be left open until next year. In July 2013, CMS stated that version 3.6 remains on hold and that the agency is exploring other options for addressing this recommendation, with a target completion date of 12/31/2014.
    Director: Trimble, David C
    Phone: (202) 512-6225

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To develop timely chemical risk information that EPA needs to effectively conduct its mission, the Administrator, EPA, should require the Office of Research and Development to re-evaluate its draft proposed changes to the IRIS assessment process in light of the issues raised in this report and ensure that any revised process periodically assesses the level of resources that should be dedicated to this significant program to meet user needs and maintain a viable IRIS database.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016 we reviewed information provided by EPA related to this recommendation. The issuance of the Integrated Risk Information System (IRIS) Program Multi-Year Agenda in December 2015 demonstrated progress in responding to this recommendation. While we are currently reviewing additional documentation on how the agenda development process assessed the level of resources needed to meet user demand and to maintain a viable IRIS database, we will reevaluate how EPA continues to document the level of resources dedicated to this program to determine whether updates are occurring periodically.
    Director: Herr, Phillip R
    Phone: (202) 512-8984

    3 open recommendations
    Recommendation: In order to improve freight mobility by more clearly defining the federal role in the freight transportation network and to begin to align federal investments with economically significant national benefits, the Secretary of Transportation should develop with Congress and public and private sector stakeholders a comprehensive national strategy for freight transportation. This national strategy should include defining the federal role and national interests in freight transportation, including economically-based and objective criteria to identify areas of national significance for freight transportation and to determine whether federal funds are required in those areas.

    Agency: Department of Transportation
    Status: Open

    Comments: GAO contacted DOT on various occasions about the status of this recommendation, and a DOT official noted that the recommendation was receiving active consideration in the Administration's thinking on the next surface transportation authorization bill. Once Congress passes a surface transportation authorization bill, GAO will review the bill and determine if the recommendation was addressed.
    Recommendation: In order to improve freight mobility by more clearly defining the federal role in the freight transportation network and to begin to align federal investments with economically significant national benefits, the Secretary of Transportation should develop with Congress and public and private sector stakeholders a comprehensive national strategy for freight transportation. This national strategy should include establishing the roles of regional, state, and local governments, as well as the private sector.

    Agency: Department of Transportation
    Status: Open

    Comments: GAO contacted DOT on various occasions about the status of this recommendation, and a DOT official noted that the recommendation was receiving active consideration in the Administration's thinking on the next surface transportation authorization bill. Once Congress passes a surface transportation authorization bill, GAO will review the bill and determine if the recommendation was addressed.
    Recommendation: In order to improve freight mobility by more clearly defining the federal role in the freight transportation network and to begin to align federal investments with economically significant national benefits, the Secretary of Transportation should develop with Congress and public and private sector stakeholders a comprehensive national strategy for freight transportation. This national strategy should include using new or existing federal funding sources and mechanisms to support a targeted, cost-effective, and sustainable federal role in freight transportation.

    Agency: Department of Transportation
    Status: Open

    Comments: GAO contacted DOT on various occasions about the status of this recommendation, and a DOT official noted that the recommendation was receiving active consideration in the Administration's thinking on the next surface transportation authorization bill. Once Congress passes a surface transportation authorization bill, GAO will review the bill and determine if the recommendation was addressed.
    Director: Trimble, David C
    Phone: (202) 512-6225

    1 open recommendation
    Recommendation: To better enable EPA and its partner agencies to minimize the environmental risks resulting from future disasters, the EPA Administrator should work with potentially affected federal land management agencies, the Coast Guard, DHS, and FEMA to determine what actions are needed to ensure that environmental contamination on federal lands, such as national wildlife refuges, can be expeditiously and efficiently addressed in future disasters. Potential actions include the development of protocols or memorandums of understanding or amendments to the Stafford Act if the agencies determine that amendments are needed to achieve the timely availability of such funding when responding to disasters involving federal lands.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In July 2016, EPA reported that the National Response Team considered this issue but decided that it was addressed by the Major Disasters, Section 405 of the Stafford Act and that no further action was needed. We will update the status of this recommendation when we complete our review of Section 405 and determine whether additional actions by EPA are needed to respond to disasters involving federal lands.
    Director: Ragland, Susan
    Phone: (202) 512-9471

    1 open recommendation
    Recommendation: The Secretary of the Interior should direct the Deputy Assistant Secretary for Insular Affairs to develop a framework for OIA employees to use in conducting site visits to help ensure objectives are achieved, to assure that relevant information is shared with responsible officials, and to allow more efficient and effective monitoring of issues.

    Agency: Department of the Interior
    Status: Open

    Comments: On May 24, 2017, the Department of the Interior (DOI) sent out an email to its staff showing the dissemination of the new format required for completing trip reports by the staff of the Office of Insular Affairs (OIA). The new format requires staff to include travel justification (i.e., purpose/objective, location, and travel period) and trip report (i.e., meetings, site visits, results, and next steps, as applicable). The intent of the recommendation is for DOI to have a framework that includes (1) status of required single audit reports; (2) the progress of actions to resolve reported internal control weaknesses; and (3) current needs for technical assistance, capacity building, and staff level expertise. Further, the intent of GAO's recommendation is that this information be integrated into a comprehensive monitoring process. We did not see these elements included in DOI's new format. We will continue to monitor the agency's actions to address this recommendation.