Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • Results:

    Subject Term: "Risk management"

    173 publications with a total of 608 open recommendations including 67 priority recommendations
    Director: Carol Harris
    Phone: (202) 512-4456

    14 open recommendations
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes and implements specific time frames for determining key strategic implementation details, including how the program will transition from the current state to the final TIM state. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes a schedule that provides planned completion dates based on realistic estimates of how long it will take to deliver capabilities. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes new time frames for implementing the actions identified in the organizational change management strategy and effectively executes against these time frames. (Recommendation 3)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office defines and documents the roles and responsibilities among product owners, the solution team, and any other relevant stakeholders for prioritizing and approving Agile software development work. (Recommendation 4)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes specific prioritization levels for current and future features and user stories. (Recommendation 5)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office implements automated Agile management testing and deployment tools, as soon as possible. (Recommendation 6)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office updates the Systems Engineering Life Cycle Tailoring Plan to reflect the current governance framework and milestone review processes. (Recommendation 7)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes thresholds or targets for acceptable performance-levels. (Recommendation 8)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office begins collecting and reporting on Agile-related cost metrics. (Recommendation 9)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that program velocity is measured and reported consistently. (Recommendation 10)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that unit test coverage for software releases is measured and reported accurately. (Recommendation 11)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that appropriate DHS leadership reaches consensus on needed oversight and governance changes related to the frequency of reviewing Agile programs, and then documents and implements associated changes. (Recommendation 12)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that the Office of the Chief Technology Officer completes guidance for Agile programs to use for collecting and reporting on performance metrics. (Recommendation 13)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that DHS-level oversight bodies review key Agile performance and cost metrics for the TIM program and use them to inform management oversight decisions. (Recommendation 14)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: CAPE, in coordination with the military departments and other DOD entities serving as offices of primary responsibility for implementing the recommendations, should develop additional guidance for these offices to identify associated risks and document information about these risks in the centralized tracking tool. (Recommendation 1)

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: DOD CIO--in coordination with CAPE, the military departments, Joint Staff, and U.S. Strategic Command--as the draft template and any other additional tools to aid in their approach are finalized, should identify and communicate to NC3 stakeholders performance measures and milestones to assist in tracking the progress of implementation of the recommendations from the 2015 NC3 report and evaluating the outcomes of implementation actions, and risks associated with the implementation of the recommendations from the 2015 NC3 report. (Recommendation 2)

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Zina D. Merritt
    Phone: (202) 512-5257

    6 open recommendations
    Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with the Defense Contract Management Agency (DCMA) and the military departments, should assess whether risk mitigation actions have been identified in the event of a loss of each task critical assets (TCA) facility in the defense industrial base and, based on this assessment, develop risk mitigation actions with associated implementation plans and time lines, and provide this information to congressional and DOD decision makers. (Recommendation 1)

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with DCMA and the military departments, should provide congressional and DOD decision makers with information on potential effects on defense capabilities in the event of a loss of each TCA facility in the defense industrial base. (Recommendation 2)

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with DCMA and the military departments, should provide congressional and DOD decision makers with information on DOD organic facilities that have been identified as TCAs, similar to the information provided previously on commercial facilities. This information also should include (1) the potential effects on defense capabilities in the event of a loss of the facility and (2) risk mitigation actions and associated implementation plans with time lines. (Recommendation 3)

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with DCMA and the military departments, should take steps to share information on risks identified through the annual Critical Asset Identification Process with relevant program managers or other designated service or program officials. At a minimum, relevant officials should receive information on the most critical facilities (such as TCAs) that produce parts supporting their programs. This information-sharing could occur through service-specific channels of communication or another method of internal communication deemed appropriate by DOD. (Recommendation 4)

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with the military departments, should develop a mechanism to ensure that program offices obtain information from contractors on single source of supply risks. (Recommendation 5)

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with the military departments, should issue department-wide DMSMS policy, such as an instruction, that clearly defines requirements of DMSMS management and details responsibilities and procedures to be followed by program offices to implement the policy. (Recommendation 6)

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jessica Farb
    Phone: (202) 512-6991

    2 open recommendations
    Recommendation: The Assistant Secretary of State for Diplomatic Security should take steps to ensure the implementation of revised standard operating procedures for collecting electronic ATA course and participant data. (Recommendation 1)

    Agency: Department of State
    Status: Open

    Comments: On August 28, 2017, having reviewed a draft version of GAO-17-704, State concurred with this recommendation and noted that ATA had revised its standard operating procedures for collecting data and shared the document with us. We will follow up with ATA regarding steps taken to ensure the implementation of those procedures.
    Recommendation: The Assistant Secretary of State for Diplomatic Security should develop and implement a process to confirm and document whether future ATA participants return to their home countries following the completion of ATA training and, for any participants trained in the United States who do not, share relevant information with the Department of Homeland Security. (Recommendation 2)

    Agency: Department of State
    Status: Open

    Comments: On August 28, 2017, having reviewed a draft version of GAO-17-704, State concurred with this recommendation and stated that, by the end of the year, it will implement a process to ensure that participants sent to ATA training in the United States return to their home countries. We will follow up with ATA regarding the implementation of such a process for participants sent to ATA training in the United States or other locations outside of their home countries.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The DHS Under Secretary for Management should develop and implement effective processes and improve guidance to reasonably assure that future AAs fully follow AOA process best practices and reflect the four characteristics of a reliable, high-quality AOA process. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The DHS Under Secretary for Management should improve the Risk Management Planning Handbook and other relevant guidance for managing risks associated with financial management system modernization projects to fully incorporate risk management best practices, including (1) defining thresholds to facilitate review of performance metrics to determine when risks become unacceptable; (2) identifying and analyzing risks to include periodically reconsidering risk sources, documenting risks specifically related to the lack of sufficient, reliable cost and schedule information needed to help properly manage and oversee the project, and timely disposition of IV&V contractor-identified risks; (3) developing risk mitigation plans with specific risk-handling activities, the costs and benefits of implementing them, and contingency plans for selected critical risks; and (4) implementing risk mitigation plans to include establishing periods of performance for risk-handling activities and defining time intervals for updating and certifying the accuracy and completeness of information on risks in DHS's risk register. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: The Administrator of TSA should explore and pursue methods to assess the deterrent effect of TSA's passenger aviation security countermeasures; such an effort should identify FAMS—a countermeasure with a focus on deterring threats—as a top priority to address. (Recommendation 1)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of TSA should systematically evaluate the potential cost and effectiveness tradeoffs across countermeasures, as TSA improves the reliability and extent of its information on the effectiveness of aviation security countermeasures. (Recommendation 2)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: DHS concurred with this recommendation and in its September 2017 response to our report, DHS stated that TSA will continue efforts to improve both its analysis of information related to security effectiveness and its cost information, leading to better informed cost-benefit decisions for individual countermeasures. To address the intent of our recommendation, TSA will need to evaluate the costs and effectiveness of individual aviation security countermeasures and then use this information to systematically evaluate the potential cost and effectiveness tradeoffs across countermeasures. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
    Director: Shelby S. Oakley
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: To help ensure the availability of Pu-238 and RPS for space exploration, the Secretary of Energy should develop an implementation plan with milestones and interim steps for the department's management approach for Pu-238 and RPS production.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure the availability of Pu-238 and RPS for space exploration, the Secretary of Energy should assess the long-term effects that known challenges may have on production quantities, time frames, or required funding, and communicate these potential effects to NASA.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure the availability of Pu-238 and RPS for space exploration, the Secretary of Energy should develop a more comprehensive system to track more systemic risks, beyond the specific technical risks identified by individual laboratories.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to take steps needed to ensure that system requirements are defined to align with the business needs of CNCS's future risk-based grants monitoring process (Recommendation 1).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that the system development project schedule identifies in the baseline both planned and actual dates for completing all project-level activities, and can be used to monitor and measure progress of the grant monitoring system project (Recommendation 2).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that test plans are defined and implemented to include the second version of the grant monitoring system in all stages of testing during development, and results of initial stages are approved before conducting subsequent test stages (Recommendation 3).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    6 open recommendations
    Recommendation: To better assess whether RSCs are meeting USRAP objectives, the Assistant Secretary of State for Population, Refugees, and Migration should develop outcome-based indicators, as required by State policy.

    Agency: Department of State: Bureau of Population, Refugees and Migration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better assess whether RSCs are meeting USRAP objectives, the Assistant Secretary of State for Population, Refugees, and Migration should monitor RSC performance against such indicators on a regular basis.

    Agency: Department of State: Bureau of Population, Refugees and Migration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better ensure that USCIS officers effectively adjudicate applications for refugee status, the Director of USCIS should develop and implement a plan to deploy officers with national security expertise on circuit rides.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better ensure that USCIS officers effectively adjudicate applications for refugee status, the Director of USCIS should conduct regular quality assurance assessments of refugee application adjudications across USCIS's Refugee Affairs Division and International Operations Division.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: USCIS provided documentation that U.S. Citizenship and Immigration Services (USCIS) officials conducted a quality assurance assessment of refugee adjudications in July 2017 and have plans to conduct an additional quality assurance assessment in January or February 2018. To fully address this recommendation, USCIS should demonstrate a continued commitment to conducting regular quality assurance assessments of refugee application adjudications.
    Recommendation: To provide reasonable assurance that USRAP applicant fraud prevention and detection controls are adequate and effectively implemented, the Secretaries of Homeland Security and State should conduct regular joint assessments of applicant fraud risk across USRAP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide reasonable assurance that USRAP applicant fraud prevention and detection controls are adequate and effectively implemented, the Secretaries of Homeland Security and State should conduct regular joint assessments of applicant fraud risk across USRAP.

    Agency: Department of State
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Melito, Thomas
    Phone: (202) 512-9601

    3 open recommendations
    Recommendation: To support efforts to reduce staff fraud at RSCs, the Secretary of State should direct the Bureau of Population, Refugees, and Migration to actively pursue efforts to ensure that RSCs comply with required, applicable measures in the Program Integrity Guidelines.

    Agency: Department of State
    Status: Open

    Comments: The State Department concurred with our recommendation and agreed with GAO's assessment that these measures will support efforts to reduce staff fraud at Resettlement Support Centers (RSC). According to State officials, the Bureau of Population, Refugees, and Migration (PRM) has developed new guidance to enhance monitoring of RSCs. They explained that a new monitoring and evaluation framework serves as the foundational document for this guidance, which has incorporated and formalized PRM's existing RSC monitoring practices and established further requirements to address gaps identified by internal and external evaluative processes. According to the officials, the framework outlines roles, responsibilities, and tools for program officers and refugee coordinators. These responsibilities include formalizing and expanding monitoring of RSC compliance with the Program Integrity Guidelines. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better identify risks from RSC staff fraud, the Secretary of State should direct the Bureau of Population, Refugees, and Migration to update guidance, such as the Program Integrity Guidelines, to require each RSC to conduct regular staff fraud risk assessments that are tailored to each RSC's specific operations.

    Agency: Department of State
    Status: Open

    Comments: The State Department concurred with our recommendation and agreed with GAO's assessment that this requirement would strengthen Resettlement Support Centers' (RSCs) ability to identify risks of staff fraud. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that control activities are designed to mitigate identified RSC staff fraud risks, the Secretary of State should direct the Bureau of Population, Refugees, and Migration to regularly review RSC staff fraud risk assessments and use them to examine the suitability of existing staff fraud controls and revise controls as appropriate.

    Agency: Department of State
    Status: Open

    Comments: The State Department concurred with our recommendation and agreed with GAO's assessment that this would help ensure that control activities are designed to mitigate identified Resettlement Support Centers (RSC) staff fraud risks. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kirschbaum, Joseph W
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    7 open recommendations
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to ensure that performance measures linked to program goals are included as part of its updated strategic plan and direct it to develop a timeline for completion of this plan.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security program.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to develop program goals and ensure that performance measures linked to those goals are included as part of the strategic plan for security and develop a timeline for completion of this plan.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to develop a process for documenting risk management decisions.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Director: Steve Morris
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To reduce the cost of delivering the crop insurance program, Congress should consider repealing the 2014 farm bill requirement that any revision to the standard reinsurance agreement not reduce insurance companies' expected underwriting gains, and directing the Risk Management Agency to, during the next renegotiation of the agreement, (1) adjust the participating insurance companies' target rate of return to reflect market conditions and (2) assess the portion of premiums that participating insurance companies retain and, if warranted, adjust it.

    Agency: Congress
    Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.
    Recommendation: To reduce year-to-year fluctuations in the administrative and operating expense subsidies that companies receive at the crop, state, and county levels, the Secretary of Agriculture should direct the Administrator of the Risk Management Agency to consider adjusting the administrative and operating expense subsidy calculation method in a way that reduces the effects of changes in premiums caused by changes in crop prices or other factors when it renegotiates the standard reinsurance agreement.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    3 open recommendations
    Recommendation: To enhance CBP's identification of high-risk cargo shipments and its enforcement of the ISF rule, the Commissioner of CBP should enforce the ISF rule requirement that carriers provide CSMs to CBP when targeters identify CSM noncompliance.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP's Office of Field Operations is developing an enforcement strategy for container status messages (CSM) that it plans to complete by August 31, 2017. Once the strategy is completed, OFO plans to provide CSM enforcement guidance to the Advance Targeting Units. This recommendation will remain open until CBP's planned actions are completed and meet the intent of GAO's recommendation.
    Recommendation: To enhance CBP's identification of high-risk cargo shipments and its enforcement of the ISF rule, the Commissioner of CBP should evaluate the ISF enforcement strategies used by ATUs to assess whether particular enforcement methods could be applied to ports with relatively low submission rates.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP plans to discuss enforcement strategies during monthly conference calls held by the National Targeting Center-Cargo with all Advance Targeting Units (ATU) in order to identify the factors that are impacting ports with lower Importer Security Filing (ISF) compliance rates. In addition, CBP plans to leverage the strategies employed by ATUs overseeing ports with higher ISF compliance rates in order to increase the ISF submission rates at the ports with lower compliance rates. This recommendation will remain open until CBP's planned actions are completed and meet the intent of GAO's recommendation.
    Recommendation: The Commissioner of CBP should identify and collect additional performance information on the impact of the ISF rule data, such as the identification of shipments containing contraband, to better evaluate the effectiveness of the ISF program.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP is developing a plan (by August 31, 2017) to assess additional performance metrics to evaluate the effectiveness of the Importer Security Filing Program. After the plan has been developed, CBP will extract the performance data for analysis and, if needed, take actions to implement changes to the Program. This recommendation will remain open until CBP's planned actions are completed and meet the intent of GAO's recommendation.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To more fully address stakeholder concerns and help ensure FirstNet's resources reflect expected changes in responsibilities, FirstNet should assess the long-term staffing needs in the Network Program Office prior to requesting to assume full responsibility from Interior for administering the network contract.

    Agency: Department of Commerce: National Telecommunications and Information Administration: First Responder Network Authority
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To more fully address stakeholder concerns and help ensure FirstNet's resources reflect expected changes in responsibilities, FirstNet should request that the Public Safety Advisory Committee's Tribal Working Group fully explore tribal concerns and propose actions, as needed, to address those concerns.

    Agency: Department of Commerce: National Telecommunications and Information Administration: First Responder Network Authority
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: Anne-Marie Fennell
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help determine the extent to which the goals of the Cohesive Strategy are being met, the Secretaries of Agriculture and the Interior should direct the Chief of the Forest Service and the Director of the Office of Wildland Fire, respectively, to work with WFLC to develop measures to assess national progress toward achieving the strategy's goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its April 2017 agency comments and a May 2017 follow-up discussion, the Forest Service generally agreed with our recommendation. In August 2017, the Forest Service stated that it is working with partners to develop a framework for reporting progress toward the goals of the Cohesive Strategy, based on its own and other potential measures. The agency stated that the framework will be shared with the Wildland Fire Leadership Coalition for input and feedback and that initial meetings with partners were to occur in July 2017, with a proposal to be shared with WFLC in early fall 2017. The final framework is planned for spring of 2018.
    Recommendation: To help determine the extent to which the goals of the Cohesive Strategy are being met, the Secretaries of Agriculture and the Interior should direct the Chief of the Forest Service and the Director of the Office of Wildland Fire, respectively, to work with WFLC to develop measures to assess national progress toward achieving the strategy's goals.

    Agency: Department of the Interior
    Status: Open

    Comments: In its April 2017 agency comments, the Department of the Interior stated that it did not concur with our recommendation. In a letter dated August 2, 2017, Interior stated that it nevertheless will work with its federal and nonfederal partners, with input from the Wildland Fire Leadership Council, to propose a framework using existing measures to assess national progress toward achieving the goals of the Cohesive Strategy. Interior expects initial meetings with partners to occur in the summer of 2017 with a proposal to be shared with WFLC by the fall of 2017 and final framework to be completed in the spring of 2018.
    Director: David C. Trimble
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: To enhance DOE's ability to make risk-based decisions for the treatment of Hanford supplemental LAW, Congress should consider clarifying, in a manner that does not impair the regulatory authorities of EPA and the state of Washington, DOE's authority at Hanford to determine, in consultation with NRC, whether portions of the supplemental LAW can be managed as a waste type other than high-level waste.

    Agency: Congress
    Status: Open

    Comments: According to staff with the reports' addressees, Congress is considering whether to implement this Matter.
    Recommendation: To help ensure that DOE's treatment of Hanford's supplemental LAW is risk based and cost effective, the Secretary of Energy should develop updated information on the effectiveness of treating and disposing of all the different portions of Hanford's supplemental LAW with alternate methods or at alternate disposal sites, and based on this information, identify potential treatment and disposal pathways for different portions of Hanford's supplemental LAW, considering the risks posed by the LAW. In implementing this recommendation, DOE should take into account the results of the analysis required by Section 3134 of the National Defense Authorization Act for Fiscal Year 2017.

    Agency: Department of Energy
    Status: Open

    Comments: In July 2017, DOE told GAO that it has commissioned a team of National Laboratory experts that has begun working on an independent review of supplemental low-activity waste treatment options. DOE noted that this review will address the effectiveness of treating and disposing of Hanford's supplemental low-activity waste with alternate methods or at alternate disposal sites.
    Recommendation: To help ensure that DOE's treatment of Hanford's supplemental LAW is risk based and cost effective, the Secretary of Energy should have an independent entity develop updated information on the lifecycle costs of treating and disposing of Hanford's supplemental LAW with alternate methods or at alternate disposal sites. In implementing this recommendation, DOE should take into account the results of the analysis required by Section 3134 of the National Defense Authorization Act for Fiscal Year 2017.

    Agency: Department of Energy
    Status: Open

    Comments: In July 2017, DOE told GAO that it has commissioned a team of National Laboratory experts that has begun working on an independent review of supplemental low-activity waste treatment options. DOE noted that this review will include a cost benefit analysis for treatment and disposal alternatives.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    5 open recommendations
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to assess and document how the alternative technological solutions being considered will fully meet operational needs related to ultralight aircraft.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection Air and Marine Operations air domain awareness efforts. DHS plans to complete these efforts by July 2018.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP and the Director of ICE to jointly establish and monitor performance measures and targets related to cross-border tunnels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate by February 2018.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to establish and monitor performance targets related to ultralight aircraft.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred and stated that within U.S. Customs and Border Protection, Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. DHS plans to complete these efforts by October 2017.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the U.S. Customs and Border Protection (CBP)-U.S. Immigration and Customs Enforcement (ICE) tunnel committee to convene and establish standard operating procedures for addressing cross-border tunnels, including procedures for sharing information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. We continue to believe that the recommendation is valid and will monitor DHS's efforts to address it.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commandant of the Coast Guard, Commissioner of CBP, and the Director of ICE to establish and monitor Regional Coordinating Mechanisms performance measures and targets related to panga boat and recreational vessel smuggling.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS did not concur with this recommendation. DHS stated that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. We continue to believe that the recommendation is valid and will monitor DHS's efforts to address it.
    Director: Alicia Puente Cackley
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: As Congress considers reauthorizing NFIP, it should consider comprehensive reform to improve the program's solvency and enhance the nation's resilience to flood risk, which could include actions in six areas: (1) addressing the current debt, (2) removing existing legislative barriers to FEMA's revising premium rates to reflect the full risk of loss, (3) addressing affordability, (4) increasing consumer participation, (5) removing barriers to private-sector involvement, and (6) protecting NFIP flood resilience efforts. In implementing these reforms, Congress should consider the sequence of the actions and their interaction with each other.

    Agency: Congress
    Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.
    Director: Seto Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to lead a comprehensive fraud risk assessment that is consistent with leading practices, and develop a plan for regularly updating the assessment.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to develop, document, and implement an antifraud strategy that is aligned to its assessed fraud risks.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to work with components responsible for implementing antifraud initiatives to develop outcome-oriented metrics, including baselines and goals, where appropriate for antifraud activities.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to review progress toward meeting goals on a regular basis, and recommend that the NAFC make changes to control activities or take other corrective actions on any initiatives that are not meeting goals.

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Maurer, Diana C
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measurable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to develop a cohesive strategy that includes measurable outcomes for CVE activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of May 2017, CVE Task Force officials stated that they are identifying concrete outputs and outcomes for CVE efforts outlined in the 2016 Strategic Implementation Plan. CVE Task Force officials also stated that they plan to develop short-term, medium-term, and long-term outcomes for these efforts. The Task Force plans to report to the White House Homeland Security Advisor on their implementation progress in January 2018. GAO will continue to monitor the CVE Task Force's progress in this area.
    Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measurable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to develop a cohesive strategy that includes measurable outcomes for CVE activities.

    Agency: Department of Justice
    Status: Open

    Comments: As of May 2017, CVE Task Force officials stated that they are identifying concrete outputs and outcomes for CVE efforts outlined in the 2016 Strategic Implementation Plan. CVE Task Force officials also stated that they plan to develop short-term, medium-term, and long-term outcomes for these efforts. The Task Force plans to report to the White House Homeland Security Advisor on their implementation progress in January 2018. GAO will continue to monitor the CVE Task Force's progress in this area.
    Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measurable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to establish and implement a process to assess overall progress in CVE, including its effectiveness.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of May 2017, CVE Task Force officials stated that they have begun consulting with departments and agencies that have already invested in CVE program assessment and are developing a research-based framework for designing and assessing CVE metrics. The CVE Task Force plans to report to the White House Homeland Security Advisor on their implementation progress in January 2018. GAO will continue to monitor the CVE Task Force's progress in this area.
    Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measurable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to establish and implement a process to assess overall progress in CVE, including its effectiveness.

    Agency: Department of Justice
    Status: Open

    Comments: As of May 2017, CVE Task Force officials stated that they have begun consulting with departments and agencies that have already invested in CVE program assessment and are developing a research-based framework for designing and assessing CVE metrics. The CVE Task Force plans to report to the White House Homeland Security Advisor on their implementation progress in January 2018. GAO will continue to monitor the CVE Task Force's progress in this area.
    Director: Brian Lepore
    Phone: (202) 512-4523

    9 open recommendations
    Recommendation: To improve the Department of Defense's ability to maintain its capability in the Asia-Pacific region, the Secretary of Defense should direct the appropriate entities to resolve selected identified capability deficiencies associated with the relocation in the movement of Marine Corps units by, for example, reconsidering when units should move to Guam to minimize leaving facilities vacant.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation and stated that the Marine Corps' plans for movement of units from Okinawa to Guam have considered many factors, including, among others, the capabilities required to support Pacific Command and the logistical requirements associated with the movement of forces. In its response, DOD stated that the Marine Corps is already working to ensure that its plan is continually refined to balance fiscal and construction realities with operational risk, capability requirements, and readiness. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Department of Defense's ability to maintain its capability in the Asia-Pacific region, the Secretary of Defense should direct the appropriate entities to resolve selected identified capability deficiencies associated with the relocation in training needs in Iwakuni, Hawaii, and CNMI by, for example, identifying other suitable training areas.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation and stated that it has already conducted an extensive analysis of training needs. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Department of Defense's ability to maintain its capability in the Asia-Pacific region, the Secretary of Defense should direct the appropriate entities to resolve selected identified capability deficiencies associated with the relocation in reduction in runway length at the Futenma Replacement Facility by, for example, selecting other runways that would support mission requirements.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation and stated that it disagreed that the length of the runway planned at the Futenma Replacement Facility is a capability deficiency for the Marine Corps. DOD stated that, at the time of its agreement with Japan, it understood that the Futenma Replacement Facility would not possess a long runway and that the Marine Corps drove the final requirements to support the capabilities required for their missions at the Futenma Replacement Facility. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Department of Defense's ability to maintain its capability in the Asia-Pacific region, the Secretary of Defense should direct the appropriate entities to resolve selected identified capability deficiencies associated with the relocation in challenges in Australia regarding seasonal changes and biosecurity requirements that affect equipment downtime by, for example, deciding on a location for the wet season and identifying a solution for biosecurity requirements.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation and stated that these factors are not capability deficiencies but rather real-world constraints around which DOD and Australia are working to develop the most bilaterally beneficial annual program possible. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide DOD with reliable information on potential sources of delays for the design and construction of infrastructure in Guam, the Secretary of Defense should direct the appropriate entities to update the Marine Corps' integrated master schedule for Guam so that it meets the comprehensive, well-constructed, and credible characteristics for a reliable schedule. For example, the update to the schedule should include resources for nonconstruction activities.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation and stated it has begun updating its integrated master schedule based on our review to conform to the GAO Schedule Assessment Guide and plans to adopt the best practices of assigning resources and establishing activity durations to ensure the schedule is comprehensive. In its response, DOD also stated it plans to continue to work to verify that the schedule can be traced horizontally and vertically and conduct a schedule risk analysis. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide DOD and Congress with sufficient information to mitigate risks for infrastructure construction and sustainment, the Secretary of Defense should direct the appropriate entities to complete a Risk Management Plan for Guam, and include, at a minimum, plans to address: (1) construction labor shortages, (2) explosive-ordnance detection, (3) cultural-artifact discovery and preservation, and (4) protection of endangered species.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation and identified plans to mitigate risks for infrastructure construction and sustainment, such as coordinating with the U.S. Citizenship and Immigration Services to address foreign-worker visas, approving an explosive-safety exemption for construction projects in Guam and CNMI, and developing a monitoring and mitigation tracking plan to ensure Navy compliance and execution of environmental requirements. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide DOD and Congress with more-reliable information to inform funding decisions associated with the relocation of Marines to Guam, the Secretary of Defense should direct the appropriate entities to revise the cost estimates for Guam to address all best practices established by GAO's cost estimating guide. Specifically, the revisions to the cost estimates should include: a unifying Work Breakdown Structure, risk and sensitivity analyses, and an independent cost estimate.

    Agency: Department of Defense
    Status: Open

    Comments: DOD nonconcurred with this recommendation and stated that the department does not accept the assertion that GAO's best practices are universally applicable to a wide range of activities that includes military construction, acquisition, or basing. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide DOD and Congress with more-reliable information to inform funding decisions associated with the relocation of Marines to Hawaii and the establishment of a rotational presence in Australia, the Secretary of Defense should direct the appropriate entities to revise the DOD cost estimates for Hawaii to address all best practices for the comprehensive characteristic established by the GAO cost estimating guide, specifically to capture entire life-cycle costs and develop a Work Breakdown Structure.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation. In its response, the department agreed that good cost estimating practices are prudent for good decision making but did not agree that it should expend effort to update its cost estimates for the Hawaii program due to reasons of timing. Specifically, DOD stated that, for Hawaii, high-level cost estimates are sufficient at this early planning stage and a detailed Work Breakdown Structure is not needed. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide DOD and Congress with more-reliable information to inform funding decisions associated with the relocation of Marines to Hawaii and the establishment of a rotational presence in Australia, the Secretary of Defense should revise the DOD cost estimates for Australia to address all best practices for the comprehensive characteristic established by the GAO cost estimating guide, specifically to capture entire life-cycle costs and develop a Work Breakdown Structure.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation. In its response, the department agreed that good cost estimating practices are prudent for good decision making but did not agree that it should expend effort to update its cost estimates for the Australia program due to reasons of international agreements. Specifically, DOD stated in its response that, for Australia, the costs borne by DOD under this program will be subject to international agreement rather than the GAO cost estimating guide. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Army to direct the program manager for Global Combat Support System-Army Increment 1 to establish standard operating procedures for managing risks that include guidance for establishing thresholds and bounds for key risk areas.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Air Force to direct the program manager for Air and Space Operations Center-Weapon System Increment 10.2 to develop an overall risk mitigation plan to guide the implementation of individual risk mitigation and contingency plan activities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Air Force to direct the program manager for Joint Space Operations Center, Mission System Increment 2 to appoint a chief developmental tester to oversee systems testing and integration activities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David C. Trimble
    Phone: (202) 512-3841

    6 open recommendations
    Recommendation: To allow DOE management to effectively monitor invoice reviews and have assurance that this control activity is operating as intended, the Secretary of Energy should establish a DOE-wide invoice review policy that includes requirements for sites to establish well-documented invoice review operating procedures.

    Agency: Department of Energy
    Status: Open

    Comments: DOE stated that it already has an established, detailed DOE-wide invoice review policy provided in DOE's Financial Management Handbook and in the DOE Acquisition Guide, and that they are updating the Financial Management Handbook to include additional procedures to address intra-governmental payment and collection transactions that they believe will allow the recommendation to be closed by September 30, 2017. However, DOE officials with the office of the CFO at DOE headquarters previously told us that they do not have department-wide invoice review policies and procedures, and that CFOs and contracting officials in DOE field offices are responsible for developing their own invoice review policies and procedures. In addition, we reviewed the Financial Management Handbook and the Acquisition Guide and found that these documents do not contain the detail necessary to serve as an invoice review policy. We will continue to review DOE's implementation of this recommendation to determine whether its actions meet the intent of the recommendation.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including creating a structure with a dedicated entity within DOE to design and oversee fraud risk management activities.

    Agency: Department of Energy
    Status: Open

    Comments: DOE considers this recommendation to be closed without corrective action. Instead of establishing a dedicated entity within DOE to design and oversee fraud risk management activities, DOE will rely on the existing Office of Financial Policy and Internal Controls and on the DOE Office of Inspector General (OIG) to design and oversee financial fraud risk management activities. We disagree that reliance on these offices meets best practices because neither office is solely dedicated to designing or overseeing fraud risk management activities. Furthermore, according to the best practices in GAO's Fraud Risk Framework, the dedicated entity should not be the OIG.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including conducting fraud risk assessments that are tailored to each program and use the assessments to develop a fraud risk profile.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the substance of the recommendation; however, they consider the recommendation to be closed without corrective action because its risk assessments meet the requirements of the Improper Payments Elimination and Recovery Improvement Act of 2012, as reported by the Office of Inspector General (OIG), and because it has implemented updates to OMB Circular A-123 that added requirements related to managing fraud risk and adherence to GAO's Fraud Risk Framework. However, we found that DOE has not conducted fraud risk assessments that are tailored to its programs and therefore do not allow the department to create a fraud risk profile. We also found that, although DOE updated its internal control assessment tools with a list of fraud risks as required by OMB Circular A-123, the list of risks was the same for all DOE sites and was not tailored to the sites' different programs.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including developing and documenting an antifraud strategy that describes the programs' approaches for addressing the prioritized fraud risks identified during the fraud risk assessment.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with this recommendation but considers the recommendation closed without corrective action because DOE has implemented the updated OMB Circular A-123 and because DOE's anti-fraud strategy is imbedded in the DOE internal control program. However, DOE officials told us that they have not developed or documented a DOE-wide antifraud strategy or directed individual programs to develop program-specific strategies. Furthermore, DOE's implementation of OMB Circular A-123 included adding a list of potential risks to their internal control assessment tool that were the same for all DOE sites and were not tailored to the sites' different programs.
    Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including designing and implementing specific control activities, including fraud awareness training and data analytics, to prevent and detect fraud and other improper payments.

    Agency: Department of Energy
    Status: Open

    Comments: DOE believes that they are either implementing or have already implemented this recommendation and considers the recommendation closed without additional action. Specifically, DOE stated that the Office of Inspector General (OIG) already provides fraud awareness training and that the OIG provided expanded fraud risk training on June 12, 2017 through a CFO-hosted webinar. However, of the 10 field offices responsible for overseeing contractor costs, none required employees responsible for overseeing contractor costs to attend fraud awareness training.
    Recommendation: To help ensure that necessary data are available to employ data analytics as a tool to perform contractor cost-surveillance activities, the Secretary of Energy should require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government, including (1) cost data that, at a minimum, represent a full data population and (2) the details necessary to determine the nature of each cost transaction, with such identifiers as transaction date, dollar amount, item or service description, and transaction codes to indicate the type of cost represented (e.g., construction materials, property lease, and office supplies).

    Agency: Department of Energy
    Status: Open

    Comments: DOE did not agree to implement this recommendation because they believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. DOE states that they plan to evaluate the merits of government-wide guidance for applying data-analytics to contract costs only if an OMB working group--established as a requirement of the Fraud Reduction and Data Analytics Act of 2015 to promote interagency coordination on fraud reduction and data analytics--requires them to do so. However, the purpose of the working group is to share fraud management best practices. It is not an implementing body and agencies do not need its permission before proceeding with fraud risk reduction efforts.
    Director: Gambler, Rebecca S
    Phone: (202) 512-6912

    9 open recommendations
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should ensure SAVE guidance, including written materials and instructional videos, clearly and accurately reflects user agencies' responsibilities for completing each step of a SAVE check, as outlined in each agency's memorandum of agreement.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should develop and implement a mechanism to oversee agencies' completion of training on additional verification in accordance with SAVE MOA provisions and program policies.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should provide notifications to user agencies when a case is ready for the user agency to review.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should develop and implement a more effective method for ensuring that individuals are aware of how they can access and correct their immigration records, such as by updating and improving the Fact Sheet for Benefit Applicants.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should develop and implement a documented, risk-based approach to monitoring and compliance, including (1) a risk-based approach to selecting behaviors to monitor; (2) standards for what triggers compliance actions for the selected behaviors; and (3) a risk-based process for how USCIS will prioritize and select agencies for compliance actions.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should develop and communicate a process for user agencies to update contact information.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should ensure that user agencies participate in compliance reviews when selected, in accordance with SAVE MOA provisions and USCIS policy.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should identify the root causes of agencies' noncompliance with SAVE MOA provisions and program policies and tailor agency recommendations to those identified causes.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management and oversight of the SAVE program, the director of USCIS should develop and implement a process for ensuring user agencies implement corrective actions such as through a system of escalating compliance assistance actions and follow-up.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Alicia Puente Cackley
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To help ensure that the government is not exposed to more liability risk than intended, the Secretary of Transportation should ensure that the FAA Administrator prioritizes the development of a plan to address the identified weakness in the cost-of-casualty amount, including setting time frames for action, and update the amount based on current information.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with the recommendation. As of May 2017, the Federal Aviation Administration (FAA) plans to seek feedback from the commercial space and insurance industries to obtain views on an appropriate cost-of-casualty amount and implications of any changes. After receiving this input, FAA will determine whether to modify the cost-of-casualty amount and initiate action. We will continue to monitor FAA's actions in response to this recommendation.
    Director: Frank Rusco
    Phone: (202) 512-3841

    4 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of the Interior should direct the Assistant Secretary for Land and Minerals Management, who oversees BSEE, to establish a mechanism for BSEE management to obtain and incorporate input from bureau personnel and any external parties, such as Argonne, that can affect the bureau's ability to achieve its objectives.

    Agency: Department of the Interior
    Status: Open
    Priority recommendation

    Comments: In its June 9, 2017 response to our report, Interior indicated that BSEE is developing new strategies to improve trust and foster greater collaboration for consideration by the new Director. Interior anticipates BSEE taking action by April 30, 2018.
    Recommendation: The Secretary of the Interior should direct the Assistant Secretary for Land and Minerals Management, who oversees BSEE, to address leadership commitment deficiencies within BSEE, including by implementing internal management initiatives and ongoing strategic initiatives (e.g., Enterprise Risk Management and performance measure initiatives) in a timely manner.

    Agency: Department of the Interior
    Status: Open

    Comments: In its June 9, 2017 response to our report, Interior indicated that BSEE will incorporate lessons learned from its first ERM cycle in future cycles and that BSEE will incorporate a performance management dashboard in fiscal year 2018. Specific completion dates were not provided.
    Recommendation: The Secretary of the Interior should direct the BSEE Director to address trust concerns that exist between headquarters and the field, BSEE should expand the scope of its employee engagement strategy to incorporate the need to communicate quality information throughout the bureau.

    Agency: Department of the Interior
    Status: Open

    Comments: In its June 9, 2017 response to our report, Interior indicated that BSEE's response to this recommendation would be incorporated into its corrective actions for recommendation 1. The target completion date is April 30, 2018.
    Recommendation: The Secretary of the Interior should direct the BSEE Director to increase organizational trust in Integrity and Professional Responsibility Advisor (IPRA) activities, BSEE should assess and amend IPRA guidance to clarify (1) severity threshold criteria for referring allegations of misconduct to the IG and (2) its reporting chain.

    Agency: Department of the Interior
    Status: Open

    Comments: In its June 9, 2017, response to our report, Interior indicated that the BSEE Director will evaluate options for clarifying the roles, responsibilities, and processes for the IPRA. The target date for completion is December 31, 2017.
    Director: Allison Bawden
    Phone: (202) 512-7215

    6 open recommendations
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should ensure that CNCS completes its efforts to benchmark its assessment criteria and scoring process to further develop a risk-based approach to grant monitoring and that information from this effort is used to (a) score the indicators so that the riskiest grants get the highest scores; (b) revise the assessment indicators to meaningfully cover all identifiable risks, including fraud and improper payments; and (c) document decisions on how indicators are selected and weighted.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS stated that it would continue to periodically benchmark its assessment criteria to ensure risk assessment. The agency recognizes the need to move from compliance- to risk-based monitoring and will refine its existing approach as part of reviewing and revising risk criteria and scoring. The agency's risk-based approach will begin with FY18 grant awards. To close this recommendation, CNCS will need to show documentation for how it selected and weighted revised indicators to cover identifiable risks, and how the revised scoring system identifies the riskiest grants.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should establish and implement a policy to ensure that all grants expected to be active in a fiscal year, including those awarded after the annual assessment, are assessed for potential risk.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS agrees with this recommendation and plans to revise its current assessment policy to ensure that all grants are included in the assessment process.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should review monitoring protocols, including the level of information collected for oversight of subrecipients' activities such as criminal history checks, and enhance protocols, as appropriate.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: Although CNCS said that by regulation, grantees are primarily responsible for subgrantee monitoring, the agency acknowledged that more needs to be done to address risk at the sub-recipient level, particularly regarding criminal history check compliance, and noted that it is taking several actions to improve criminal history check compliance. However, the agency's comments did not specifically address reviewing monitoring protocols. We continue to believe that it is important to determine whether monitoring protocols are designed to gather sufficient and appropriate information on subrecipient oversight, to help ensure that grantees are monitoring subgrantees as required.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should establish activities to systematically evaluate grant monitoring results.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS said that its Office of the Chief Risk Officer has been building on the agency's current risk assessment framework and capturing the information and data necessary to enhance its approach to risk-based monitoring. However, CNCS's comments did not specifically address any planned activities to systematically evaluate grant monitoring results. We continue to believe that reviewing the outcomes and findings from its monitoring activities would help the agency analyze how well CNCS's current efforts assess risk, and help guide improvements.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should develop and document a strategic workforce planning process.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS reported that its senior level executive committee reviews all staffing requests and ensures that appropriate staffing justifications are provided, and ensures that all functions in the agency are provided appropriate resources. The agency also noted that, in accordance with direction received from OMB following the release of OMB Memorandum M-17-22 ("Memorandum for Heads of Executive Departments and Agencies"), it is launching an enterprise-wide re-examination of its mission, strategy and structure in order to develop a plan to ensure employee performance is maximized and the agency is operating effectively. To help close this recommendation, CNCS will need to document and develop a strategic workforce planning process that addresses key principles for effective strategic workforce planning, such as to develop strategies tailored to address gaps in number, deployment, and alignment of human capital approaches for enabling and sustaining the contributions of all critical skills and competencies, and to monitor and evaluate progress toward human capital goals and programmatic results.
    Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should, as part of CNCS's efforts to develop an employee development program, update critical competencies for grant monitoring, and establish a training planning process linked with agency goals and these competencies.

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: CNCS cited its training efforts, such as providing training to grants management staff in FY15 and FY16 related to grants monitoring. The agency is in the process of developing a broader agency-wide employee development program that will link competencies to development needs in various mission-critical roles. To close this recommendation, CNCS will need to determine which competencies are critical for grant monitoring, and show how the competencies are linked with the agency's training planning processes and agency goals.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    12 open recommendations
    Recommendation: The Inspectors General of Commerce, Homeland Security, Interior, and State should develop or clarify existing guidance on the implementation of the pilot program. For example, the guidance should identify specific pilot program processes such as levels of review during an investigation, and where the findings of investigations are to be reported.

    Agency: Department of Commerce: Office of the Inspector General
    Status: Open

    Comments: In providing comments on this report, Commerce OIG concurred with this recommendation. In its May 2017 letter to OMB and the Congress, the agency reported that it plans to revise its guidance on whistleblower investigations. We have requested the revised guidance.
    Recommendation: The Inspectors General of Commerce, Homeland Security, Interior, and State should develop or clarify existing guidance on the implementation of the pilot program. For example, the guidance should identify specific pilot program processes such as levels of review during an investigation, and where the findings of investigations are to be reported.

    Agency: Department of the Interior: Office of the Inspector General
    Status: Open

    Comments: In providing comments on this report, Interior OIG concurred with this recommendation but has not yet taken any actions necessary to implement it. In its May 2017 letter to OMB and the Congress, the agency reported that it plans to revise its guidance on whistleblower investigations.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that the FAR clause 52.203-17 is inserted in new contracts and major modifications as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In providing comments on this report, Homeland Security concurred with this recommendation. Officials have said they have taken steps to implement this recommendation with guidance. Once GAO is provided with evidence of executing the guidance, we will review these efforts to assess whether the recommendation was implemented.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that the FAR clause 52.203-17 is inserted in new contracts and major modifications as appropriate.

    Agency: Department of Commerce
    Status: Open

    Comments: In providing comments on this report, Commerce concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that the FAR clause 52.203-17 is inserted in new contracts and major modifications as appropriate.

    Agency: Department of the Interior
    Status: Open

    Comments: In providing comments on this report, Interior concurred with this recommendation but has not yet taken any actions necessary to implement it. However, in its May 2017 letter to OMB and the Congress, the agency reported that it plans to issue updated acquisition policy.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that the FAR clause 52.203-17 is inserted in new contracts and major modifications as appropriate.

    Agency: Department of State
    Status: Open

    Comments: In providing comments on this report, State concurred with this recommendation. Officials have reported they are in the process of drafting a Procurement Information Bulletin related to inserting the clause into relevant contracts.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that contracting officials can determine whether a modification is major and the applicability of the FAR clause, and whether they are making their best efforts to include the clause into existing contracts during major modifications.

    Agency: Department of Commerce
    Status: Open

    Comments: In providing comments on this report, Commerce concurred with this recommendation but has not yet taken sufficient actions necessary to implement it.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that contracting officials can determine whether a modification is major and the applicability of the FAR clause, and whether they are making their best efforts to include the clause into existing contracts during major modifications.

    Agency: Department of the Interior
    Status: Open

    Comments: In providing comments on this report, Interior concurred with this recommendation but has not yet taken any actions necessary to implement it. However, in its May 2017 letter to OMB and the Congress, the agency reported that it plans to issue updated acquisition policy.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that contracting officials can determine whether a modification is major and the applicability of the FAR clause, and whether they are making their best efforts to include the clause into existing contracts during major modifications.

    Agency: Department of State
    Status: Open

    Comments: In providing comments on this report, State concurred with this recommendation. Officials have reported they are in the process of drafting a Procurement Information Bulletin related to inserting the clause into relevant contracts.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that contracting officials communicate with contractors and subcontractors to help ensure employees are informed about the requirements and protections provided by the whistleblower protection pilot program.

    Agency: Department of Commerce
    Status: Open

    Comments: In providing comments on this report, Commerce concurred with this recommendation. Commerce officials have said they plan to issue an Acquisition Notice to the acquisition community encouraging Commerce contracting officials to communicate the program's requirements and protections. We have requested a copy of the acquisition notice.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that contracting officials communicate with contractors and subcontractors to help ensure employees are informed about the requirements and protections provided by the whistleblower protection pilot program.

    Agency: Department of the Interior
    Status: Open

    Comments: In providing comments on this report, Interior concurred with this recommendation but has not yet taken any actions necessary to implement it. However, in its May 2017 letter to OMB and the Congress, the agency reported that it plans to issue updated acquisition policy.
    Recommendation: The Secretaries of Commerce, Homeland Security, Interior, and State should develop policies and processes to help ensure that contracting officials communicate with contractors and subcontractors to help ensure employees are informed about the requirements and protections provided by the whistleblower protection pilot program.

    Agency: Department of State
    Status: Open

    Comments: In providing comments on this report, State concurred with this recommendation. Officials have reported they are in the process of drafting a Procurement Information Bulletin related to inserting the clause into relevant contracts.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To help ensure the Navy thoroughly considers the relative benefits of using FPI contracts for shipbuilding versus other contract types, the Secretary of Defense should direct the Secretary of the Navy to conduct a portfolio-wide assessment of the Navy's use of additional incentives on FPI contracts across its shipbuilding programs. This assessment should include a mechanism to share proven incentive strategies for achieving intended cost, schedule, and quality outcomes among contracting and program office officials.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: In providing comments on this report, the agency concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    5 open recommendations
    Recommendation: To improve its efforts to coordinate Predator B operations among supported agencies and assess the effectiveness of its Predator B and tactical aerostat programs, the Commissioner of CBP should develop and document procedures for Predator B coordination among supported agencies in all operating locations.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve its efforts to coordinate Predator B operations among supported agencies and assess the effectiveness of its Predator B and tactical aerostat programs, the Commissioner of CBP should update and maintain guidance for recording Predator B mission information in its data collection system.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve its efforts to coordinate Predator B operations among supported agencies and assess the effectiveness of its Predator B and tactical aerostat programs, the Commissioner of CBP should provide training to users of CBP's data collection system for Predator B missions.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve its efforts to coordinate Predator B operations among supported agencies and assess the effectiveness of its Predator B and tactical aerostat programs, the Commissioner of CBP should record air support forms for Predator B mission requests from non-CBP law enforcement agencies in its data collection system for Predator B missions.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve its efforts to coordinate Predator B operations among supported agencies and assess the effectiveness of its Predator B and tactical aerostat programs, the Commissioner of CBP should update Border Patrol's data collection practices to include a mechanism to distinguish and track asset assists associated with TARS from tactical aerostats.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    4 open recommendations
    Recommendation: The Attorney General should instruct the Director of the Marshals Service to ensure that the improvements being made to the Marshals Service's information on the security concerns of individual buildings allow the Marshals Service to understand the concerns across the portfolio.

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the Marshals Service has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of GSA and the Director of the AOUSC, on behalf of the Judicial Conference of the United States, in conjunction with the Marshals Service and FPS, should improve CSP documentation in order to improve transparency and collaboration in the CSP program.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions GSA has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of GSA and the Director of the AOUSC, on behalf of the Judicial Conference of the United States, in conjunction with the Marshals Service and FPS, should improve CSP documentation in order to improve transparency and collaboration in the CSP program.

    Agency: Administrative Office of the United States Courts
    Status: Open

    Comments: When we confirm what actions AOUSC has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of GSA--in conjunction with AOUSC, the Marshals Service, and FPS--should establish a national-level working group or similar forum, consisting of leadership designees with decision-making authority, to meet regularly to address courthouse security issues.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions GSA has taken in response to this recommendation, we will provide updated information.
    Director: Yocom, Carolyn L
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To improve efforts to promote EHR use and electronic exchange of health information in post-acute care settings, the Secretary of Health and Human Services should direct the Centers for Medicare & Medicaid Services (CMS) and ONC to evaluate the effectiveness of HHS's key efforts to determine whether they are contributing to HHS's goal for increasing the use of EHRs and electronic exchange of health information in post-acute care settings.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve efforts to promote EHR use and electronic exchange of health information in post-acute care settings, the Secretary of Health and Human Services should direct CMS and ONC to comprehensively plan for how to achieve the department's goal related to the use of EHRs and electronic information exchange in post-acute care settings. This planning may include, for example, identifying specific actions related to post-acute care settings and identifying and considering external factors.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    1 open recommendation
    Recommendation: To better ensure the effectiveness of CBP's predeparture programs, the Commissioner of U.S. Customs and Border Protection should develop and implement a system of performance measures and baselines to evaluate the effectiveness of CBP's predeparture programs and assess whether the programs are achieving their stated goals.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: U.S. Customs and Border Protection's (CBP) Office of Field Operations (OFO) reported that it established a working group comprised of designated program officials from CBP's Admissibility and Passenger Programs; National Targeting Center; Planning, Program Analysis, and Evaluation; and, Preclearance offices to develop and implement a system of performance measures and baselines to evaluate the effectiveness of CBP's predeparture programs. As of July 2017, CBP reported that the working group had developed three performance measures for its predeparture programs. According to OFO officials, fiscal year 2018 will be the first complete year that each of these measures is calculated using a standardized and repeatable methodology and will thus be used as a baseline year. The baselines developed during fiscal year 2018 will then be used in future assessments of program effectiveness. To fully address this recommendation to develop and implement performance measures and baselines for evaluating its predeparture programs, GAO will review documentation from CBP, when available, on the fiscal year 2018 baselines and CBP's planned evaluation of fiscal year 2019 data against those baselines.
    Director: Allison B. Bawden
    Phone: (202) 512-6806

    3 open recommendations
    Recommendation: To improve transparency in the grant merit-review process, the Secretary of the Department of the Interior should direct the Fish and Wildlife Service to issue written guidance to require all competitive grant programs to clarify in the public notice of funding opportunity all review criteria, including cost sharing factors as relevant, and their related scores to be used to make final award decisions.

    Agency: Department of the Interior
    Status: Open

    Comments: As of August 2017, Interior had updated its notice of funding opportunity template for competitive grant programs to clarify that the review process must ensure that applications are scored and selected based on announced criteria. In addition, competitive grant programs must establish a written merit review plan that details the merit review factors and sub-factors and the rating system and evaluation standards which explain the scoring basis. Furthermore, the Fish and Wildlife Service is developing new guidance to ensure discretionary grant programs include all required elements to be completed in December of 2017.
    Recommendation: To reduce the risk of duplicative and overlapping funding at the grant award level, the Secretary of the Department of the Interior should direct the National Park Service and the Fish and Wildlife Service to issue written guidance that ensures their grant management staff review grant applications for potential duplication and overlap before awarding their competitive grants and cooperative agreements.

    Agency: Department of the Interior
    Status: Open

    Comments: The Fish and Wildlife Service issued guidance to ensure grant applications are reviewed for potential overlap and duplication, as GAO recommended in January 2017, but as of August 2017 the National Park Service had yet to issue such guidance. In August 2017, the Department of the Interior (Interior) provided documentation showing that the Fish and Wildlife Service now requires discretionary grant applicants to provide a statement that addresses whether there is any overlap or duplication of proposed projects or activities to be funded by the grant. Fish and Wildlife also updated its guidance to grant awarding offices instructing them to perform a potential overlap and duplication review of all selected applicants prior to award. Interior said the National Park Service had yet to issue guidance on duplication and overlap review, but it would provide the guidance to GAO when it is finalized and implemented. Completing these improvements will help the Fish and Wildlife Service and the National Park Service reduce the risk of unnecessary or inadvertent overlap or duplication in grant funding.
    Recommendation: To reduce the risk of duplicative and overlapping funding at the grant award level, the Secretary of Agriculture should direct the Food and Nutrition Service to issue written guidance that ensures its grant management staff review grant applications for potential duplication and overlap before awarding competitive grants and cooperative agreements.

    Agency: Department of Agriculture
    Status: Open

    Comments: In August 2017, the Department of Agriculture (Agriculture) said the Food and Nutrition Service was developing written guidance that will ensure its grants management staff identify grant programs for potential duplication and overlap with other federal agencies before awarding competitive grants and cooperative agreements, as GAO recommended in January 2017. Agriculture officials said the guidance would be based on input from grants management staff, relevant Food and Nutrition program officials, and reviews of similar guidance already in place at other Agriculture sub-agencies. The Food and Nutrition Service plans to issue this guidance by the end of federal fiscal year 2017 for use beginning in fiscal year 2018. Issuing and implementing this guidance will reduce the risk of unnecessary or inadvertent overlap or duplication in grant funding.
    Director: Kay E. Brown
    Phone: (202) 512-7215

    1 open recommendation
    Recommendation: To help states effectively address ongoing challenges related to ensuring the appropriate use of psychotropic medications for children in foster care, the Secretary of HHS should consider cost-effective ways to convene state child welfare, Medicaid, and other stakeholders to promote collaboration and information sharing within and across states on psychotropic medication oversight.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS agreed with this recommendation and provided examples of the virtual convening of contingency groups they employed to provide technical assistance and peer-to-peer networking in child welfare. The agency plans to offer additional technical assistance that is specifically related to the topic of mental health and psychotropic medication. GAO will consider closing the recommendation when the agency completes these efforts.
    Director: Charles Jeszeck
    Phone: (202) 512-7215

    3 open recommendations
    Recommendation: To assist IRA owners in addressing challenges associated with investing their retirement savings in unconventional assets, the Commissioner of Internal Revenue should provide guidance to IRA owners on the potential for IRA transactions involving certain unconventional assets to generate unrelated business taxable income subject to taxation in the current tax year and subsequent years. For example, IRS could consider adding an explicit caution in Publication 590 Individual Retirement Arrangements (IRAs) and include a link in Publication 590 to Publication 598 Tax on Unrelated Business Income of Exempt Organizations to provide examples demonstrating how certain unconventional assets in IRAs can generate unrelated business income tax for account owners.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS stated that it would add, during the calendar year 2017 scheduled update, language to Publication 590-A, Contributions to Individual Retirement Arrangements (IRA), cautioning IRA owners about the possibility of unrelated business taxable income if the IRA owner engages in certain transactions or purchases certain assets. GAO will consider closing this recommendation when the agency has completed this effort.
    Recommendation: To assist IRA owners in addressing challenges associated with investing their retirement savings in unconventional assets, the Commissioner of Internal Revenue should provide guidance to IRA owners and custodians on how to determine and document fair market value (FMV) for certain categories of hard-to-value unconventional assets. For example, IRS could consider updating Form 5498 instructions to custodians on how to document FMV for hard-to-value assets (e.g., last-known FMV based on independent appraisal, acquisition price) and provide guidance directed at account owners that provides examples of how to ascertain FMV for different types of unconventional assets.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed that guidance should be provided to IRA owners and custodians and stated that the guidance could be provided as part of an item currently on the 2016-2017 Priority Guidance Plan. IRS will recommend to Treasury that the regulation project address this issue. We will consider closing this recommendation when the agency provides documentation that this effort has been completed.
    Recommendation: To assist IRA owners in addressing challenges associated with investing their retirement savings in unconventional assets, the Commissioner of Internal Revenue should clarify the content of the model custodial agreement to distinguish what has been reviewed and approved by IRS and what has not. For example, IRS could consider: (1) restricting custodians from stating that the form has been "preapproved by the IRS" on the form; (2) adding language to specify which articles have been preapproved by the IRS and which have not; and (3) limiting custodians from adding provisions to the model form other than those preapproved by the IRS.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS reported that it will change, during the next scheduled update of the model agreements, the "pre-approved by IRS" statement to clarify that only the first seven articles of Form 5305, Traditional Individual Retirement Trust Account, and Form 5305-A, Traditional Individual Retirement Custodial Account, are approved by IRS. GAO will consider closing this recommendation when the agency has completed this effort.
    Director: Elizabeth H. Curda
    Phone: (202) 512-7114

    3 open recommendations
    Recommendation: In order to ensure that the agency is adequately protecting the White Oak campus as a designated high-risk facility and strategically planning for the White Oak campus's future, as FDA moves forward with its proposed planning efforts, the Commissioner of FDA, in consultation with the Administrator of GSA, should implement vehicular access control measures on the White Oak campus to meet the requirements of the high-risk facility level designation assigned in the 2014 risk assessment report, or fully document the rationale for any deviations from these requirements.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to ensure that the agency is adequately protecting the White Oak campus as a designated high-risk facility and strategically planning for the White Oak campus's future, as FDA moves forward with its proposed planning efforts, the Commissioner of FDA, in consultation with the Administrator of GSA, should further incorporate leading strategic facilities planning practices into FDA's proposed planning efforts by ensuring that FDA establish strategic linkage between its strategic priorities and its facilities plans.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: In order to ensure that the agency is adequately protecting the White Oak campus as a designated high-risk facility and strategically planning for the White Oak campus's future, as FDA moves forward with its proposed planning efforts, the Commissioner of FDA, in consultation with the Administrator of GSA, should document the key information related to daily operational activities and ongoing benefits and challenges that are needed to inform FDA's proposed planning efforts in the areas of needs assessment, gap identification, and alternatives analysis, and incorporate into proposed planning efforts a detailed strategy for collecting and analyzing this information.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Katherine Iritani
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To achieve a better understanding of the effect of certain personal care services (PCS) on beneficiaries and a more consistent administration of policies and procedures across PCS programs, the Acting Administrator of CMS should collect and analyze states' required information on the impact of the Participant-Directed Option and Community First Choice programs on the health and welfare of beneficiaries as well as the state quality measures for the Participant-Directed Option and Community First Choice programs.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To achieve a better understanding of the effect of certain PCS services on beneficiaries and a more consistent administration of policies and procedures across PCS programs, the Acting Administrator of CMS should take steps to harmonize requirements, as appropriate, across PCS programs in a way that accounts for common risks faced by beneficiaries and to better ensure that billed services are provided.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Susan Fleming
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To continue the agency's efforts to improve state and local emergency preparedness for rail accidents involving hazardous materials, the Secretary of Transportation should, after the rulemaking is finalized, develop a process for regularly collecting information from state emergency response commissions on the distribution of the railroad-provided hazardous-materials-shipping information to local planning entities.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lawrance L. Evans, Jr.
    Phone: (202) 512-8678

    17 open recommendations
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help provide stronger incentives for companies to perform company-run stress tests in a manner consistent with Federal Reserve goals, the Federal Reserve should remove company-run stress tests from the CCAR quantitative assessment.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose additional information that would allow for a better understanding of the methodology for completing qualitative assessments, such as the role of ratings and rankings and the extent to which they affect final determination decisions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should, for future determinations to object or conditionally not object to a company's capital plan on qualitative grounds, disclose additional information about the reasons for the determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose, on a periodic basis, information on capital planning practices observed during CCAR qualitative assessments, including practices the Federal Reserve considers stronger or leading practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should improve policies for official responses to CCAR companies by establishing procedures for notifying companies about time frames relating to Federal Reserve responses to company inquiries.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by establishing a process to facilitate proactive consideration of levels of severity that may fall outside U.S. postwar historical experience.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by expanding consideration of the trade-offs associated with different degrees of severity.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve understanding of the range of potential crises against which the banking system would be resilient and the outcomes that might result from different scenarios, the Federal Reserve should assess whether a single severe supervisory scenario is sufficient to inform CCAR decisions and promote the resilience of the banking system. Such an assessment could include conducting sensitivity analysis involving multiple severe supervisory scenarios--potentially using CCAR data for a cycle that is already complete, to avoid concerns about tailoring the scenario to achieve a particular outcome.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that Federal Reserve stress tests do not amplify future economic cycles, the Federal Reserve should develop a process to test its proposed severely adverse scenario for procyclicality annually before finalizing and publicly releasing the supervisory scenarios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should apply its model development principles to the combined system of models used in the supervisory stress tests.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should create an appropriate set of system-level model documentation, including an overview of how component models interact and key assumptions made in the design of model interactions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to test and document the sensitivity and uncertainty of the model system's output--the post-stress capital ratios used to make CCAR quantitative assessment determinations--including, at a minimum, the cumulative uncertainty surrounding the capital ratios and their sensitivity to key model parameters, specifications, and assumptions from across the system of models.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to communicate information about the range and sources of uncertainty surrounding the post-stress capital ratio estimates to the Board during CCAR deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process for the Board and senior staff to articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kathleen M. King
    Phone: (202) 512-7114

    1 open recommendation
    Recommendation: To improve the efficiency and effectiveness of the agency's enrollment screening process, the Administrator of CMS should establish objectives and performance measures for assessing progress toward achieving its goals.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: As of August 2017, the Department of Health and Human Services (HHS) considers this recommendation still open. HHS noted that the Centers for Medicare & Medicaid Services is planning to implement this recommendation in early 2018. GAO will continue to monitor the agency's progress and will update the status of the recommendation when we receive additional information.
    Director: Susan Fleming
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To determine whether CSA interventions influence motor carrier safety performance, the Secretary of Transportation should direct the FMCSA Administrator to identify and implement, as appropriate, methods to evaluate the effectiveness of individual intervention types or common intervention patterns to obtain more complete, appropriate, and accurate information on the effectiveness of interventions in improving motor carrier safety performance. In identifying and implementing appropriate methods, FMCSA should incorporate accepted practices for designing program effectiveness evaluations, including practices that would enable FMCSA to more confidently attribute changes in carriers' safety behavior to CSA interventions.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To understand the efficiency of CSA interventions, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's cost estimates to determine the resources currently used to conduct individual intervention types and ensure FMCSA has cost information that is representative of all states.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable FMCSA management to monitor the agency's progress in achieving its effectiveness and efficiency outcomes for CSA interventions and balance priorities, the Secretary of Transportation should direct the FMCSA Administrator to establish and use performance measures to regularly monitor progress toward both FMCSA's effectiveness outcome and its efficiency outcome.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michael J. Courts
    Phone: (202) 512-8980

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct the Bureau of Diplomatic Security (DS) to create consolidated guidance for RSOs that specifies required elements to include in post travel notification and transportation security policies. For example, as part of its current effort to develop standard templates for certain security directives, DS could develop templates for transportation security and travel notification policies that specify the elements required in all security directives as recommended by the February 2005 Iraq ARB as well as the standard transportation-related elements that DS requires in such policies.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify whether or not the FAH's armored vehicle policy for overseas posts is that every post must have sufficient armored vehicles, and if DS determines that the policy does not apply to all posts, articulate the conditions under which it does not apply.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to develop monitoring procedures to ensure that all posts comply with the FAH's armored vehicle policy for overseas posts once the policy is clarified.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify existing guidance on refresher training, such as by delineating how often refresher training should be provided at posts facing different types and levels of threats, which personnel should receive refresher training, and how the completion of refresher training should be documented.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: As of April 2017, State concurred with this recommendation and plans to clarify its guidance on refresher training. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to improve guidance for RSOs, in coordination with other relevant State offices and non-State agencies as appropriate, on how to promote timely communication of threat information to post personnel and timely receipt of such information by post personnel.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in October 2016 describing its plans to address the recommendation. However, as of March 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Director: Cary Russell
    Phone: (202) 512-5431

    3 open recommendations
    Recommendation: To better position combatant commanders to implement the requirements of DOD Instruction 4715.19 if burn pits become necessary and to assist in planning for waste disposal in future military operations, the Secretary of Defense should direct the combatant commanders of U.S. Africa Command, U.S. European Command, U.S. Pacific Command, and U.S. Southern Command to establish implementation policies and procedures for waste management. Such policies and procedures should include, as applicable, specific organizations within each combatant command with responsibility for ensuring compliance with relevant policies and procedures, including burn pit notification, and, when appropriate, monitoring and reporting on the use of burn pits.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better understand the long-term health effects of exposure to the disposal of covered waste in burn pits, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to, in coordination with the Secretary of Veterans Affairs, specifically examine the relationship between direct, individual, burn pit exposure and potential long-term health-related issues. As part of that examination, consider the results of the National Academies of Sciences, Engineering, and Medicine's report on the Department of Veterans Affairs registry and the methodology outlined in the 2011 Institute of Medicine study that suggests the need to evaluate the health status of service members from their time of deployment over many years to determine their incidence of chronic disease, with particular attention to the collection of data at the individual level, including the means by which that data is obtained.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better understand the long-term health effects of exposure to the disposal of covered waste in burn pits, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to take steps to ensure United States Central Command and other geographic combatant commands, as appropriate, establish processes to consistently monitor burn pit emissions for unacceptable exposures.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David C. Trimble
    Phone: (202) 512-3841

    4 open recommendations
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should clarify in guidance the conditions under which facilities may carry negative obligation balances.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made.
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should clarify in guidance the conditions under which facilities may carry negative obligation balances.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made.
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should develop an early-warning monitoring capability in NMMSS to alert senior DOE officials when the inventory of unobligated LEU is particularly low.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made to NMMSS.
    Recommendation: To help ensure compliance with the United States' nuclear cooperation agreements, the Under Secretary for Nuclear Security, as the Administrator of the National Nuclear Security Administration, and the Nuclear Regulatory Commission, should develop an early-warning monitoring capability in NMMSS to alert senior DOE officials when the inventory of unobligated LEU is particularly low.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: As of March 2017, NNSA has several initiatives underway to implement this recommendation. Later in 2017, we will know what changes NNSA and NRC made.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To ensure that CSTAG's information needs are met for update meetings, the EPA Administrator should direct CSTAG to clarify, in its operating procedures, what type of information and documentation, if any, should be prepared by regional offices and provided to CSTAG members in advance of these meetings.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation, stating that it will revise the CSTAG operating procedures to clearly describe the types of information and data that regional offices need to provide before update meetings. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Seto Bagdoyan
    Phone: (202) 512-6722

    1 open recommendation
    Recommendation: To strengthen USCIS's EB-5 Program fraud risk management, the Director of USCIS should develop a fraud risk profile that aligns with leading practices identified in GAO's Fraud Risk Framework.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: In November 2016, the Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) stated that the program would implement GAO's recommendation to develop a fraud risk profile and anticipated completion by September 30, 2017. In April 2017, USCIS provided an update including supporting documentation which reported that USCIS had contracted with an outside consultant to, among other things, develop a fraud risk profile that aligns with leading practices identified in GAO's Fraud Risk Framework. According to its response, USCIS expected to complete development of the profile by September 30, 2017.
    Director: Chris Currie
    Phone: (404) 679-1875

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To strengthen efforts to mitigate earthquake risks to federal buildings, the Secretary of Defense and the Administrator of GSA should (1) Define what constitutes an exceptionally high risk building, identify such buildings, and develop plans to mitigate those risks, including prioritizing associated funding requests as needed; and (2) To the extent practicable, prioritize and implement comprehensive seismic safety measures which could include earthquake drills, seismic safety inspections, and non-structural retrofits to decrease risks and reduce damage in federally-owned and -leased buildings in earthquake hazard areas.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen efforts to mitigate earthquake risks to federal buildings, the Secretary of Defense and the Administrator of GSA should (1) Define what constitutes an exceptionally high risk building, identify such buildings, and develop plans to mitigate those risks, including prioritizing associated funding requests as needed; and (2) To the extent practicable, prioritize and implement comprehensive seismic safety measures which could include earthquake drills, seismic safety inspections, and non-structural retrofits to decrease risks and reduce damage in federally-owned and -leased buildings in earthquake hazard areas.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: Following the expansion of the ShakeAlert governance structure to include key stakeholders, the Secretary of the Department of the Interior should direct the U.S. Geological Survey, working through the ShakeAlert governance structure, to establish a program management plan that addresses, among other things, the known implementation challenges.

    Agency: Department of the Interior
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Neumann, John
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To ensure that DOE's control activities continue to be relevant and effective for managing supply chain risk, the Secretary should direct the Under Secretary for Nuclear Security, as the Administrator of the NNSA, to work with the Office of Intelligence and Counterintelligence and other DOE organizations, as appropriate, to assess the circumstances that might warrant using the enhanced procurement authority, and (1) if this assessment identifies circumstances that might warrant using the authority, the Secretary should direct the Under Secretary for Nuclear Security to work with other DOE organizations, as appropriate, to establish processes for using it and examine whether adequate resources are in place to support those processes, and (2) communicate the results of this assessment to the relevant congressional committees for their use in determining whether to extend the authority past its current termination date.

    Agency: Department of Energy
    Status: Open

    Comments: In an October 7, 2016, letter the Under Secretary for Nuclear Security and Administrator of the National Nuclear Security Administration (NNSA) said he agreed with GAO's recommendation to assess situations that might warrant the use of the enhanced procurement authority and, should specific circumstances be identified for use of the authority, NNSA would develop a process for its use. The assessment would include an examination of resources to support use of the authority. NNSA would work with other Department of Energy organizations as appropriate in conducting the assessment. The results would be shared with relevant congressional committees, as GAO recommended. NNSA had anticipated completion of the assessment by March 2017, but on June 1, 2017, NNSA officials told us they anticipated the completion date would be September 30, 2017.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    7 open recommendations
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to update the CEDCAP program office cost estimate to reflect the current status of the program as soon as appropriate information becomes available.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In May 2017, the Census Bureau provided summary documentation that included the fiscal year 2015 through 2021 estimated lifecycle costs for the Census Enterprise Data Collection and Processing (CEDCAP) program; however, this information lacked the level of detail needed to determine whether the cost estimate reflects the current status of the program. In addition, in June 2017, the Bureau developed a draft version of the CEDCAP Cost Analysis Requirements Description (CARD), which included descriptions of technical and programmatic features of the program and is intended to serve as the basis for preparing the Program Office Estimate and the Independent Cost Estimate. However, as of August 2017, the CARD had not yet been finalized. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to ensure that updates to the status of risks are consistently documented for CEDCAP's Internet and Mobile Data Collection and Survey (and Listing) Interview Operational Control projects.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In August 2017, the Census Bureau provided risk management documentation, including a risk management plan and risk review board meeting minutes. However, this information did not include updated risk registers that documented risk status for the Census Enterprise Data Collection and Processing (CEDCAP) Internet and Mobile Data Collection and Survey (and Listing) Interview Operational Control projects. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to ensure that CEDCAP's Internet and Mobile Data Collection, Survey (and Listing) Interview Operational Control, and Centralized Operational Analysis and Control projects establish detailed risk mitigation plans on a consistent basis and that the Internet and Mobile Data Collection and Centralized Operational Analysis and Control projects establish trigger events for all relevant risks.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In August 2017, the Census Bureau provided risk management documentation, including a risk management plan and risk review board meeting minutes. However, this documentation did not include detailed risk mitigation plans for risks related to the Census Enterprise Data Collection and Processing (CEDCAP) Internet and Mobile Data Collection, Survey (and Listing) Interview Operational Control, and Centralized Operational Analysis and Control projects. The Bureau's risk management documentation also did not include trigger events for all relevant risks for the Internet and Mobile Data Collection and Centralized Operational Analysis and Control projects. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to define, document, and implement a repeatable process to establish complete alignment between CEDCAP and 2020 Census programs by, for example, maintaining a single dependency schedule.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of a single dependency schedule, including the need to manually identify activities, the inability to be dynamically responsive to change, and a limited ability to ensure that both the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census program are planning and measuring their activities according to the same agreed upon timeframe. However, as of August 2017, the Bureau had not yet established a single dependency schedule to ensure complete alignment between the CEDCAP and 2020 Census programs. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to establish a comprehensive and integrated list of all interdependent risks facing the CEDCAP and 2020 Census programs, and clearly identify roles and responsibilities for managing this list.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of an integrated risk register, including inconsistencies in tracking and managing interdependent risks, redundant efforts to manage risks, and potentially conflicting risk mitigation efforts. As of August 2017, the Census Bureau had not yet developed an integrated risk register for the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census programs or documented the roles for managing it. Instead, Bureau officials stated that they flag risks in the risk register that affect both programs. However, as of August 2017, the Bureau had not provided evidence that relevant risks for both programs are flagged in the risk registers. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to identify when the 74 requirements related to redistricting data program and data products and dissemination will be tested.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In June 2017, Census Bureau officials stated that, as part of the 2018 End-to-End Census Test, program-level integration testing of the requirements related to the redistricting program and the data products and dissemination are planned to occur from April 3, 2018, to August 1, 2018. However, as of August 2017, the Bureau had not provided supporting documentation for its plans for program-level integration testing of the requirements related to the redistricting program and data products and dissemination. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to make developing a better understanding of and identifying requirements related to non-ID response validation a high and immediate priority, or consider alternatives to avoid late definition of such requirements.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In April 2017, the Census Bureau documented high-level milestones related to implementing a fraud detection process in an initial effort to better understand non-ID response validation. However, as of August 2017, the Bureau had not finalized the fraud detection process or documented milestones for implementing the non-ID response validation process. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Director: Dillingham, Gerald L
    Phone: (202) 512-28334

    2 open recommendations
    Recommendation: To enhance FAA's risk-based approach for oversight of repair stations, the Secretary of Transportation should direct the Administrator of the Federal Aviation Administration to develop and implement a process in Flight Standards for incorporating into SAS the volume of critical maintenance that each U.S. airline contracts to repair stations.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA did not concur with this recommendation. In July 2017, GAO confirmed that FAA does not plan to implement the recommendation because the agency believes the subjective nature of volume of work makes it an ineffective risk indicator. While FAA does not specifically assess volume of work as a primary factor in determining risk at repair stations, the agency does monitor many risk factors as primary risk indicators. Many of these risk indicators are associated with important aspects of work volume such as high workforce turnover; changes in management; rapid growth or downsizing; changes in aircraft complexity/programs; financial conditions; age of fleet and increases in aircraft discrepancies. FAA considers these factors and the criticality of a specific maintenance action on the safe operation of an aircraft to be primary risk indicators.
    Recommendation: To enhance FAA's risk-based approach for oversight of repair stations, the Secretary of Transportation should direct the Administrator of the Federal Aviation Administration to develop and implement an evaluative process with measurable performance goals and measures to determine the effectiveness of SAS as the SMS safety assurance component.

    Agency: Department of Transportation
    Status: Open

    Comments: In July 2017, GAO confirmed that FAA plans to develop overall program goals and metrics as part of the next implementation phase of its new Safety Assurance System. These metrics are expected to be fully developed based on the final design of the new system and the program requirements identified, which is scheduled to be completed in December 2017.
    Director: Fennell, Anne-marie Lasowski
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help ensure that the Corps and FEMA carry out the national levee safety-related activities required in the Water Resources Reform and Development Act of 2014, the Secretary of Defense should direct the Secretary of the Army to direct the Chief of Engineers and Commanding General of the U.S. Army Corps of Engineers and that the Secretary of Homeland Security direct the FEMA Administrator to develop a plan, with milestones, for implementing these activities, using existing resources or requesting additional resources as needed. This plan could be posted on the Corps' website and monitored for progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of December 2016, GAO is awaiting action by the agency to implement this recommendation.
    Recommendation: To help ensure that the Corps and FEMA carry out the national levee safety-related activities required in the Water Resources Reform and Development Act of 2014, the Secretary of Defense should direct the Secretary of the Army to direct the Chief of Engineers and Commanding General of the U.S. Army Corps of Engineers and that the Secretary of Homeland Security direct the FEMA Administrator to develop a plan, with milestones, for implementing these activities, using existing resources or requesting additional resources as needed. This plan could be posted on the Corps' website and monitored for progress.

    Agency: Department of Defense
    Status: Open

    Comments: As of December 2016, GAO is awaiting action by the agency to implement this recommendation.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To improve the effectiveness, transparency, and accountability of the ECPC's efforts, the Secretary of Homeland Security, as the administrative leader of the ECPC, should clearly document the ECPC's strategic goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the effectiveness, transparency, and accountability of the ECPC's efforts, the Secretary of Homeland Security, as the administrative leader of the ECPC, should establish a mechanism to track progress by the ECPC's member agencies in implementing the ECPC's recommendations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the effectiveness, transparency, and accountability of the ECPC's efforts, the Secretary of Homeland Security, as the administrative leader of the ECPC, should clearly define the roles and responsibilities of the ECPC's member agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Thomas Melito
    Phone: (202) 512-9601

    4 open recommendations
    including 4 priority recommendations
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should update guidance to require non-governmental organizations to conduct risk assessments addressing the risk of fraud.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with our recommendation; however, as of April 2017, it has yet to fully implement this recommendation. In December 2016, the Office of Food for Peace updated its annual program statement to include language requiring organizations to complete an analysis of risks related to fraud, corruption, and mismanagement, with relevant mitigation measures. However, the Office of U.S. Foreign Disaster Assistance (OFDA) has yet to officially update its guidance, although USAID has previously noted that OFDA will require all organizations seeking funding to address fraud risks and submit a detailed mitigation plan in their proposal package. We will continue to update the status of this recommendation as we receive information.
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should use risk assessments submitted by implementing partners to inform USAID oversight activities, for example, using information from assessments to ensure that control activities for programs are designed to mitigate identified risks.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with our recommendation, stating that they plan to tailor their oversight activities to mitigate risks identified in the fraud risk mitigation plans that organizations will submit as part of their funding proposal packages in the future. In addition, USAID noted that it planned to hire a compliance officer by October 2016 to manage fraud mitigation and other compliance issues for OFDA and FFP's Syria and Iraq portfolios. However, as of April 2017, USAID has yet to fill this position. We will continue to track the status of this recommendation.
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should ensure that field monitors in Syria are trained on assessing and identifying potential fraud risks.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with our recommendation, but has yet to implement this recommendation, as of April 2017. USAID has previously stated that it would work to provide the third-party monitoring organization with information specific to the Syria context that identifies methods to detect fraud. USAID also stated that it would work with the third-party monitoring organization to ensure that data collectors are trained on fraud risks and methods for identifying fraud. We will continue to track the status of this recommendation.
    Recommendation: To improve the financial oversight of U.S. programs to provide humanitarian assistance to people inside Syria, the USAID Administrator should instruct the third party monitoring organization monitoring Office of U.S. Foreign Disaster Assistance programs in Syria to modify the site visit forms to include specific guidance for documenting incidents of potential fraud.

    Agency: United States Agency for International Development
    Status: Open
    Priority recommendation

    Comments: USAID concurred with this recommendation, stating that it would seek to have site visit forms revised to include indications of fraud, waste, and abuse. However, as of April 2017, USAID has yet to implement the recommendation. We will continue to track the status of this recommendation.
    Director: Kimberly M. Gianopoulos
    Phone: (202) 512-8612

    3 open recommendations
    Recommendation: To better manage the AD/CV duty liquidation process, CBP should issue guidance directing the Antidumping and Countervailing Duty Centralization Team to (a) collect and analyze data on a regular basis to identify and address the causes of liquidations that occur contrary to the process or outside the 6-month time frame mandated by statute, (b) track progress on reducing such liquidations, and (c) report on any effects these liquidations may have on revenue.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and said it would take steps to implement it. CBP has issued guidance requiring the collection, analysis, and reporting of AD/CV data to identify and address the causes of liquidations that occur contrary to the process or outside the 6-month time frame mandated by statute, as GAO recommended in July 2016. CBP is analyzing the results of its fiscal year 2017 self-inspection program to assess its progress on reducing such liquidations and report on the revenue effect. CBP expects to complete its analysis by Fall 2017. Systematically collecting and analyzing liquidation data on a regular basis to identify and address the causes of untimely liquidations and tracking and reporting on progress toward reducing such liquidations could help CBP reduce revenue loss.
    Recommendation: To improve risk management in the collection of AD/CV duties and to identify new or changing risks, CBP should regularly conduct a comprehensive risk analysis that assesses both the likelihood and the significance of risk factors related to AD/CV duty collection. For example, CBP could construct statistical models that explore the associations between potential risk factors and both the probability of nonpayment and the size of nonpayment when it occurs.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and said it would take steps to implement it. As of September 2017, CBP had not regularly conducted a risk analysis that assesses both the likelihood and significance of risk factors related to AD/CV duty collection, as GAO recommended in July 2016. However, CBP was in the process of developing a model to enable it to conduct such a risk analysis on a regular basis. CBP expects to test the model by Fall 2017; however, CBP officials said that full implementation of the model will not take place until the end of fiscal year 2018 due to the complexity of the project. CBP officials noted that they are working to hire additional staff to dedicate to model development; acquire a dedicated server for processing data to regularly update the models; and identify other CBP programs that would benefit from risk models similar to the ones they are developing for AD/CV duties. Regularly conducting a comprehensive risk analysis of factors related to AD/CV duty non-collection could enhance CBP's capacity to collect additional revenue. For example, it could result in the identification of new factors generating a requirement for an importer to provide additional security in the form of bonds as part of an enhanced bonding requirement.
    Recommendation: To improve risk management in the collection of AD/CV duties, CBP should, consistent with U.S. law and international obligations, take steps to use its data and risk assessment strategically to mitigate AD/CV duty nonpayment, such as by using predictive risk analysis to identify entries that pose heightened risk and taking appropriate action to mitigate the risk.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: CBP concurred with this recommendation and said it would take steps to implement it. As of September 2017, CBP was in the process of developing a risk analysis model to use in mitigating AD/CV duty nonpayment, as GAO recommended in July 2016. The model will use predictive risk analysis to identify entries that pose a heightened risk of nonpayment. CBP has contacted the Customs Surety Association and the Commercial Customs Operations Advisory Committee to discuss bonding options to help mitigate the risk of nonpayment. Developing a risk analysis model to use in mitigating AD/CV duty nonpayment could enhance CBP's capacity to collect additional revenue. For example, it could be used to identify entries from importers requiring additional security in the form of bonds as part of an enhanced bonding requirement.
    Director: Kimberly Gianopoulos
    Phone: (202) 512-8612

    3 open recommendations
    Recommendation: To improve CERC's performance monitoring, the Secretary of Energy should ensure that for CERC's second phase the program creates targets and tracks progress against those targets in order to measure program performance.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with GAO's recommendation and has taken steps to implement it since our report. For example, DOE created a standardized reporting template with performance measures for CERC partners to complete on a quarterly basis. DOE officials informed GAO that they are working to develop targets for those performance measures. We will continue to monitor DOE's progress in implementing this recommendation.
    Recommendation: To improve the agency's performance monitoring, the Director of the U.S. Trade and Development Agency should develop and make public annual targets for the agency's performance measures.

    Agency: U.S. Trade and Development Agency
    Status: Open

    Comments: USTDA concurred with GAO's recommendation and has taken steps to implement it since our report. For example, USTDA revised its fiscal year 2016 through 2018 strategic plan to include an annual performance target for one of its two performance measures: the value of exports generated for every program dollar. We will continue to monitor USTDA's progress in developing an annual performance target for its performance measure on procurements awarded to small U.S. businesses.
    Recommendation: To improve the East Asia Program's performance monitoring, the Director of the U.S. Trade and Development Agency should ensure that the East Asia Program sets targets for its performance measures and tracks progress against those measures.

    Agency: U.S. Trade and Development Agency
    Status: Open

    Comments: USTDA concurred with GAO's recommendation. As of October 2016, USTDA had planned to review its internal goals for the East Asia Program, and other regional programs, and to begin to track progress against those goals. We will continue to monitor USTDA's progress in implementing this recommendation.
    Director: Robert Goldenkoff
    Phone: (202) 512-2757

    3 open recommendations
    including 3 priority recommendations
    Recommendation: To help ensure the Bureau produces a reliable cost estimate for the 2020 Census, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to take the following steps to meet the characteristics of a high-quality estimate: (1) Comprehensive--among other practices, ensure the estimate includes all life-cycle costs and documents all cost-influencing assumptions. (2) Well-documented--among other practices, ensure that its planned documentation plan captures the source data used; contains the calculations performed and the estimating methodologies used for each element; and describes step by step how the estimate was developed. (3) Accurate--among other practices, ensure the estimating technique for each cost element is used appropriately and that variances between planned and actual cost are documented, explained, and reviewed. (4) Credible--among other practices, ensure the estimate includes a sensitivity analysis, major cost elements are cross-checked to see whether results are similar, and an independent cost estimate is conducted to determine whether other estimating methods produce similar results.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce agreed with this recommendation. The Bureau should provide a cost estimate more current than the October 2015 estimate and ensure that the estimate is comprehensive, well-documented, accurate, and credible. In doing this the Bureau should consult the GAO's cost assessment guide (GAO-09-3SP) and Standards for Internal Control in the Federal Government (GAO-14-704G). High-quality estimates will: explicitly consider all life-cycle costs and assumptions, offer a clear step-by-step account of the methods and data sources used to compile the estimate, ensure the proper estimation techniques are used, reconcile any variances between actual and estimated costs, and allow cross-checking with independent cost estimates as verification of results. In August 2016, the Bureau laid out its action plan to implement this recommendation. The Bureau planned to develop a Cost Estimation Enhancement Plan that would mature the 2020 Census cost estimate and its associated processes via a series of 3-month sprints. According to the Bureau, the areas targeted for improvement were (1) Documentation, (2) Process, (3) Cost Estimate, and (4) Cost Integration. The Bureau's action plan reported the following deliverables: Incorporating the Decennial Census Management Division program work breakdown structure into the 2020 Census Cost Estimate (target completion was Q4 FY 2016); developing a formal basis of estimate document to address the cost elements, process flow, and calculations for the 2020 Census Cost Estimate (Q2 FY 2017); internal communication and training efforts to ensure these changes are widely shared and communicated (Q2 FY 2017); engaging with internal stakeholders to increase the amount of source and derivation documentation for estimates/model parameters currently based on expert judgment (Q4 FY 2016); developing a formal BOE document to address how 2020 Census program risk and uncertainty are dealt with in the 2020 Census Cost Estimate (Q2 FY 2017); and regularly comparing the results of the independent cost estimate conducted by the Office of Cost Estimation, Analysis and Assessment to the 2020 Census Cost Estimate and investigate/reconcile any significant differences (Q3 FY 2017). As of July 2017, we await this and other documentation from the Bureau that may address this recommendation.
    Recommendation: To further ensure the credibility of data used in cost estimation, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to establish clear guidance on when information for cost assumptions can and should be changed as well as the procedures for documenting such changes and traceable sources for information being used.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce agreed with this recommendation. The Bureau should implement processes for controlling and changing cost assumptions. These processes should include methods for evaluating the justification for any changes and documentation requirements that clearly show the information changed and the basis for the change. In August 2016, Bureau officials laid out their action plan to address this recommendation. The action plan described developing a Decennial Census Cost Estimation and Analysis Process and supporting policy to improve the maturity levels in this area and mentioned developing a draft internal communication and training plan for staff--target date is Q2 FY 2017. As of July 2017, we await this and other documentation from the Bureau that may address this recommendation.
    Recommendation: To ensure Bureau and congressional confidence that the Bureau's budgeted contingencies are at appropriate levels, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to improve control over how risk and uncertainty are accounted for and communicated with the Bureau's decennial cost estimation process, such as by implementing and institutionalizing processes or methods for doing so with clear guidance.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce agreed with this recommendation. The Bureau should ensure that its budget for contingencies reflects an accurate accounting of risk and uncertainty. In doing this, the Bureau should improve controls over risk and uncertainty accounting, ensure that risk accounting informs any relevant budgets and cost estimates, and institutionalize these controls by providing clear methods for their use. In August 2016, the Bureau laid out its action plan to implement this recommendation, describing that it would ensure regular review of 2020 Census program risks that would have high cost impacts if they occur and ensure estimates of these impacts are accounted for and documented in each iteration of the life-cycle cost estimates--target date is Q2 FY 2017. As of July 2017, we await documentation from the Bureau that may address this recommendation.
    Director: J. Christopher Mihm
    Phone: (202) 512-6806

    13 open recommendations
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Agriculture should describe the Department of Agriculture's (USDA) major management challenges and include performance goals, performance measures, milestones and an agency official responsible for resolving each of its major management challenges as part of USDA's agency performance plan.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, USDA had not taken any actions to implement our recommendation. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Commerce should describe the Department of Commerce's major management challenges and include performance goals, performance measures, milestones and an agency official responsible for resolving each of its major management challenges as part of the Department of Commerce's agency performance plan.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the Department of Commerce's action plan to address GAO's recommendations, it will begin including a description of the Department's major management challenges, as well as related performance goals, performance milestones and an agency official responsible for resolving each of its major management challenges, in the Department's annual performance plan reporting, starting with the report to be issued concurrent with final fiscal year 2018 Congressional Budget Justifications (CBJ). As of August 2017, Commerce has not taken action to implement our recommendation. Our review of the Department of Commerce's 2018 CBJ found that it did not include recommended information. When the 2019 CBJ is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Defense should include planned actions for each of the Department of Defense's (DOD) major management challenges and ensure that required information about its major management challenges, currently in DOD's Agency Strategic Plan for Fiscal Years 2015-2018, be included in its agency performance plan so that progress toward resolving each of its major management challenges is transparent and reported annually.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not taken any actions to implement our recommendation. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Energy should describe the Department of Energy's major management challenges and include performance goals, performance measures, milestones and an agency official responsible for resolving each of its major management challenges as part of the Department of Energy's agency performance plan.

    Agency: Department of Energy
    Status: Open

    Comments: As of August 2017, the Department of Energy had not taken any actions to implement our recommendation. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Attorney General should describe the Department of Justice's major management challenges and include performance goals, performance measures, milestones, planned actions and an agency official responsible for resolving each of its major management challenges as part of the Department of Justice's agency performance plan.

    Agency: Department of Justice
    Status: Open

    Comments: According to the Department of Justice's action plan to address GAO's recommendations, it will report the Office of Inspector General Top Management Challenges in both the Annual Financial Report (AFR) and the Annual Performance Report (APR)/Annual Performance Plan (APP). For the APR/APP, the Department of Justice will also include the appropriate performance goals, performance measures, milestones, planned actions addressing the challenges and the name(s) of agency official(s) responsible for resolving each of its major management challenges. As of August 2017, however, the Department of Justice had not taken any actions to implement our recommendation. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Labor should describe the Department of Labor's major management challenges and include performance goals, performance measures, milestones, planned actions, and an agency official responsible for resolving each of its major management challenges as part of the Department of Labor's agency performance plan.

    Agency: Department of Labor
    Status: Open

    Comments: According to the Department of Labor's action plan to address GAO's recommendations, it will comply with the updated Circular A-11 guidance to report on major management challenges in its next Annual Performance Report (APR), published with the FY 2018 Congressional Budget Justification. In its most recent APR, the Department of Labor took steps to implement this recommendation by including planned actions and an agency official responsible for each of the three issues it identified as a major management challenge. Further action is needed to establish performance goals, performance measures, and milestones. When the Fiscal Year 2017 APR is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Transportation should describe the Department of Transportation's major management challenges and include performance goals, performance measures, milestones, planned actions and an agency official responsible for resolving major management challenges as part of the Department of Transportation's agency performance plan.

    Agency: Department of Transportation
    Status: Open

    Comments: As of August 2017, the Department of Transportation had not taken any actions to implement our recommendation. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of the Treasury should include performance goals, performance measures, milestones, and an agency official responsible for resolving major management challenges as part of the Department of the Treasury's agency performance plan.

    Agency: Department of the Treasury
    Status: Open

    Comments: As of August 2017, Treasury had not taken any actions to implement our recommendation. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Administrator of the Environmental Protection Agency (EPA) should include performance goals, performance measures, milestones, planned actions and an agency official responsible for resolving each of its major management challenges as part of EPA's agency performance plan.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its Fiscal Year 2018 APP, EPA took steps to implement this recommendation by clearly identifying its major management challenges and including planned actions for resolving them. Further action is needed to establish performance goals, performance measures, milestones, and identify an agency official responsible for resolving the challenge. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Administrator of the General Services Administration (GSA) should describe GSA's major management challenges and include performance goals, performance measures, milestones and an agency official responsible for resolving each of its major management challenges as part of GSA's agency performance plan.

    Agency: General Services Administration
    Status: Open

    Comments: In its Fiscal Year 2018 APP, GSA took steps to implement this recommendation by clearly identifying three major management challenges and including planned actions, performance measures, milestones, and an agency official responsible for resolving them. Further action is needed to establish performance goals. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of Health and Human Services (HHS) should include performance goals, milestones and an agency official responsible for resolving each of HHS's major management challenges as part of HHS's agency performance plan.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: According to its website, for fiscal year 2018, HHS is meeting its performance reporting requirements as designated in the GPRA Modernization Act of 2010 and OMB Circular A-11 through the program performance information provided in the FY 2018 HHS Budget Justifications to Congress. As of August 2017, however, HHS has not taken action to implement our recommendation. Our review of HHS' 2018 Congressional Budget Justification found that it did not include recommended information. When the 2019 CBJ is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Secretary of the Interior should describe the Department of Interior's major management challenges and include performance goals, performance measures, planned actions, milestones and an agency official responsible for resolving each of its major management challenges as part of the Department of the Interior's agency performance plan.

    Agency: Department of the Interior
    Status: Open

    Comments: As of August 2017, the Department of Interior had not taken any actions to implement our recommendation. It is unclear in the APP what Interior considers to be its major management challenges and, if there are such issues, which performance information aligns with resolving those issues. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Recommendation: To improve the public reporting of major management challenges and to ensure performance information is useful, transparent, and complete, the Director of the National Science Foundation (NSF) should describe NSF's major management challenges and identify performance goals, performance measures, milestones, and an agency official responsible for resolving each of its major management challenges as part of NSF's agency performance plan.

    Agency: National Science Foundation
    Status: Open

    Comments: In its Fiscal Year 2018 APP, NSF took steps to implement this recommendation by clearly identifying its major management challenges and including planned actions for resolving them. Further action is needed to establish performance goals, performance measures, milestones, and identify an agency official responsible for resolving the challenge. When the 2019 annual performance plan is issued, we will update the status of this recommendation.
    Director: Mackin, Michele
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: The Secretary of Defense should, before the downselect decision for the frigates, require the program to submit appropriate milestone documentation as identified by OSD, which could include an Independent Cost Estimate, an Acquisition Program Baseline, and a plan to incorporate the frigate into SAR updates.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation, noting that the Navy views the LCS transition to the frigate as an incremental upgrade as opposed to a new acquisition program. DOD also stated that the Navy would be required to provide key documentation related to the seaframe, including an independent cost estimate and an updated acquisition program baseline. In 2017, the Navy decided to pursue a different frigate acquisition strategy, and according to the program office, the frigate is now considered a new, distinct acquisition program and will have milestone decisions and require the applicable milestone documentation and OSD oversight and reporting as the program moves toward an award decision in fiscal year 2020. The program office also noted that the specific milestone documentation that will be required is currently being assessed and the program plans to have a frigate Selected Acquisition Report. Once more details are finalized for the program, the planned actions would meet the intention of our recommendation. We will keep this recommendation open until the program's approach has been better defined.
    Director: David A. Powner
    Phone: (202) 512-9286

    22 open recommendations
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update the CIO's OMB IT Dashboard Standard Operating Procedure to include the evaluation and assessment of active risks. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department agreed with this recommendation and, in a written response, stated that it plans to address this recommendation with the following actions: (1) developing a method to review and assign ratings for active risks that will be incorporated into CIO ratings and (2) integrating the risk rating methodology into a new process for all major investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it is amending its current monthly review process to ensure that risks are factored into its IT Dashboard CIO ratings. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Defense, Education, and Homeland Security; and the Commissioner of the Social Security Administration should direct their CIOs to update their CIO ratings at least as frequently as required in OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) disagreed with this recommendation. In its written response, the Department noted that its semi-annual reporting is consistent with FITARA requirements and is documented in its OMB-approved FITARA Implementation Plan. After the publication of our report in June 2016, OMB issued its "Fiscal Year 2018 IT Budget-Capital Planning Guidance." This guidance removes the mandatory reporting frequency, but states that OMB expects that the CIOs would evaluate and rate their investments at specific times, including when the investment business cases are submitted to OMB in the agency budget request and when the business cases are prepared for the President's Budget release. In light of this new guidance, we analyzed the Department's update frequency for its 34 major investments (as listed on the IT Dashboard in June 2017). From June 2016 through May 2017, we found that 26 of the investments' ratings were updated once: in May 2017. The other 8 investments were not updated during this timeframe. Prior to this, the last DOD rating updates were made in March 2016, over a year beforehand. This analysis shows that DOD is not adhering to either its own semi-annual reporting requirements or to OMB's expectations. As such, we are not closing the recommendation at this time. We will continue to monitor the IT Dashboard for changes to DOD's update frequency. We maintain that frequent rating updates help ensure that the information on the Dashboard is timely and accurately reflects recent changes. Without such updates, the CIO ratings on the IT Dashboard may not reflect the current level of investment risk.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO Enterprise Business Management Office is updating its program assessment guideline. The updated guideline will include risk-based scores as the basis for its investment ratings. The Department expects to release this new guideline by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department agreed with our recommendation and, in a written response, stated that the CIO has revised the IT Dashboard assessment criteria to directly incorporate the degree of risk represented in the investments' Business Case documents. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update its IT Dashboard Standard Operating Procedure to include an active risk sub-criterion comprising probability and impact scores. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency partially agreed with our recommendation and, in a written response, stated that its CIO rating criteria include a review of the level of risk facing an investment relative to that investment's ability to accomplish its goals. The written statement also notes that the CIO receives regular updates from key stakeholders on investment risks and mitigation plans. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it plans to require investment managers to assess operational risks detailing the probability and impact of pending threats to success. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The agency disagreed with the recommendation and has not provided an update on its actions to address the recommendation. We will continue to monitor the implementation of this recommendation.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    6 open recommendations
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, in addition to considering risk when determining how to divide FAMS's international flight coverage resources among international destinations, the Director of FAMS should incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover.

    Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
    Status: Open

    Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2017, TSA officials reported that FAMS was continuing to identify ways to refine the methodology FAMS uses to allocate resources between international and domestic flights. Specifically, TSA officials noted that FAMS was considering ways to incorporate information on the travel patterns of known or suspected terrorists, trends in TSA PreCheck passenger data, airport screening capabilities, and other factors. FAMS officials also reported that, as part of this effort, they were reviewing their International Concept of Operations. It is unclear how these steps will address the recommendation. To fully address this recommendation, FAMS should incorporate risk into its method for initially setting its annual target numbers of average daily international and domestic flights to cover.
    Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, the Director of FAMS should conduct and document a risk assessment--systematically collecting information on and assigning value to current risks--to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas.

    Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
    Status: Open

    Comments: In May 2016, we reported that FAMS's choice of domestic geographic focus areas and resource allocation levels were based on professional judgment, not risk assessment. With regard to the geographic focus areas, for example, FAMS officials explained that they did not conduct a risk assessment to inform this decision, but rather selected these areas in consultation with 30 subject matter experts from various offices within TSA based on their intuitive, qualitative perceptions of threats, vulnerabilities, potential impacts, history, and the demographics of the areas. Without fully incorporating risk when determining such priorities, FAMS cannot reasonably ensure it is targeting its resources to the highest-risk flights. As a result, we recommended that FAMS conduct and document a risk assessment--systematically collecting information on and assigning value to current risks--to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas. In March 2017, TSA officials explained that they were continuing to develop their "risk-by-flight" initiative--a long-term effort to develop a method of assigning each domestic flight a relative risk score to assist in identifying high-risk flights. At the time of our report in 2016, FAMS officials estimated that the risk-by-flight tool would probably be ready for use within 7 to 10 years. In March 2017, TSA officials stated that they had developed a prototype Risk-Based Resource Deployment Decision Aid, which they refer to as R2D2. TSA officials further reported that the DHS Science and Technology Directorate had contracted for the development of a risk engine--based on the R2D2 data--to assign risk values to all U.S.-carrier domestic and international flights. TSA officials reported that this contract runs through early 2018. 
    To fully address this recommendation, FAMS should conduct and document a risk assessment to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas.
    Director: J. Christopher Mihm
    Phone: (202) 512-6806

    1 open recommendation
    Recommendation: To improve the transparency of public reporting on CAP goal progress, the Director of OMB should, working with the PIC, report on Performance.gov the actions that CAP goal teams are taking, or plan to take, to develop performance measures and quarterly targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We reviewed selected CAP goals' quarterly performance information on the Performance.gov website as of Q4 of FY 2016, which updates the status of the CAP goals through September 2016. Some of the selected CAP goals have updated and new performance measures, but the extent to which CAP goal teams included information on the actions they are taking to develop such measures, consistent with our recommendation, was not clear. We contacted OMB in June 2017 about the current status of this recommendation. We will provide an update to its status once OMB responds to our request.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition, OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: Andrew Von Ah
    Phone: (213) 830-1011

    4 open recommendations
    Recommendation: To ensure the quality of the risk assessments used to inform its future QHSR processes, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to ensure future QHSR risk assessment methodologies reflect key elements of successful risk assessment methodologies, such as being: (1) Documented, which includes documenting how risk information was integrated to arrive at the assessment results, (2) Reproducible, which includes producing comparable, repeatable results, and (3) Defensible, which includes communicating any implications of uncertainty to users of the risk results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk completed initial meetings in April 2016 with government and non-government subject matter experts to refine risk analyses for the upcoming 2018 QHSR. Representatives from the department's component and headquarters staff are to take part in the Department's Risk Modeling and Analysis Steering Committee by reviewing, documenting and approving proposed new methodologies planned to help identify and prioritize threats and hazards. This effort is intended to lead to a documented, reproducible, and defensible assessment, according to the DHS officials. This recommendation will remain open until we verify that the risk analysis contains these elements.
    Recommendation: To enable the use of risk information in supporting resource allocation decisions, guiding investments, and highlighting the measures that offer the greatest return on investment, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to refine its risk assessment methodology so that in future QHSRs it can compare and prioritize homeland security risks and risk mitigation strategies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk, with support from the RAND Corporation, has proposed a methodology to assess threats, hazards, and vulnerabilities impacting U.S. homeland security. In addition, the department's Risk Modeling and Analysis Executive Steering Committee is to review and approve the proposed methodology. The methodology is intended to enable the Department of Homeland Security to compare and prioritize homeland security risks and risk mitigation strategies, according to DHS officials. The recommendation will remain open until we verify that the methodology allows such comparisons.
    Recommendation: To ensure proper management of the QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to identify and implement stakeholder meeting processes to ensure that communication is interactive when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk finalized a draft stakeholder outreach plan to include use of the Office of Management and Budget's Max electronic collaboration website to engage with federal, state, and local stakeholders. The OMB-MAX website is available to government and non-government offices and allows the posting of documents, articles, and links, as well as facilitating collaborative editing of documents and participant interaction threads, according to DHS officials. In addition, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk is exploring the use of different tools to facilitate more interactive stakeholder engagement. For example, DHS's Office of Partnerships and Engagement is to facilitate additional engagement with external subject matter experts, arrange interagency coordination, and organize review and approval with parties of the homeland security enterprise in order to coordinate and approve the development of the 2018 QHSR. This recommendation will remain open until we verify that interactive communication approaches are implemented.
    Recommendation: To ensure proper management of the internal QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to clarify component detailee roles and responsibilities when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk (SPAR) drafted a memorandum for the Deputy Secretary to solicit Component subject matter experts. The memorandum specifies component detailee roles and responsibilities, to include serving in an advisory, consultation, and coordination role, according to DHS officials. SPAR is to lead an integrated group of analysts and strategic planners that are to be supported and augmented by the subject matter experts. The experts and detailees are to serve as members of study teams analyzing key threats, trends, and strategy and policy alternatives associated with issues and challenges relating to DHS's mission and objectives. A second memorandum requesting additional detailee support is to be issued in November 2016, prior to the formal review phase of the new QHSR which is to begin in January 2017. This recommendation will remain open until we verify that clarified detailee roles and responsibilities are finalized and implemented.
    Director: Cary Russell
    Phone: (202) 512-5431

    2 open recommendations
    Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer, in order to improve the reliability of its cost estimates, to conduct uncertainty and sensitivity analyses consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the F-35 Program regularly performs sensitivity analysis in its cost estimates. The F-35 Cost Team runs drills throughout the year on varying ground rules and assumptions for all elements of the sustainment Annual Cost Estimate (ACE), including ALIS cost elements. These drills are used to assess cost impacts of various proposed requirements changes from the F-35 Program Office and the Services. The cost models capture the sensitivity of those technical baseline changes and the F-35 Program Office and Services use those results to inform the final technical baseline definition that becomes the basis of the annual estimate update. Although these measures are regularly performed, they do not constitute a direct uncertainty or sensitivity analysis on ALIS itself. For that reason, as of September 2017, this recommendation remains open.
    Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer, in order to improve the reliability of its cost estimates, to ensure that future estimates of ALIS costs use historical data as available and reflect significant program changes consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, as part of the cost estimating processes in the F-35 Program Office, the sustainment Annual Cost Estimate does incorporate the latest available historical cost data and reflects the latest approved technical baseline. For example, the latest hardware procurement costs from the most recent annual contracts for the F-35 were incorporated into the 2016 Annual Cost Estimate update as were the manpower assembly installation costs based on final delivered item prices. Although these are positive measures for the program and the cost estimate, the program has not incorporated a range of potential future costs that may better reflect actual ALIS costs. Until this step is taken, the recommendation will remain open.
    Director: John H. Pendleton
    Phone: (202) 512-3489

    1 open recommendation
    Recommendation: To identify and mitigate risk associated with the Army's planned force structure and improve future decision making, the Secretary of Defense should direct the Secretary of the Army to expand the Army's Total Army Analysis process to routinely require a mission risk assessment for the Army's combat and enabler force structure and an assessment of mitigation strategies for identified risk prior to finalizing future force structure decisions.

    Agency: Department of Defense
    Status: Open

    Comments: The Army is in the process of reissuing its force development regulation (Army Regulation 71-32) and issuing a new Army Pamphlet. Collectively, officials said that these documents will codify the Army's approach to assessing mission risk and mitigation strategies for its force structure and require that these assessments be completed prior to finalizing future force structure decisions. Army officials said that these documents will be published in September 2017.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to define the scope, implementation strategy, and schedule of the agency's overall modernization approach, with related goals and measures for effectively overseeing the effort. At a minimum, the agency should update its IT strategic plan and complete its modernization plan.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with this recommendation, and reported on actions taken to update its IT Modernization Plan such as conducting cross-functional work sessions to establish an actionable implementation roadmap in line with agency priorities. However, as of April 2017, we have not yet obtained evidence that FEMA has fully updated its IT strategic plan and completed its modernization plan to address the weaknesses identified in our report. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to establish time frames for current and future IT workforce planning during its modernization efforts and ensure all regions and offices are included in these initiatives.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department stated that FEMA completed the assessment of skills gap and identified and prioritized the skills required to staff and sustain the core competencies required to successfully implement FEMA's IT modernization efforts. However, we have not yet validated the agency actions to establish time frames for current and future IT workforce planning during its modernization efforts. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement complete program plans that define overall budget and schedule, key deliverables and milestones, assumptions and constraints, description and assignment of roles and responsibilities, staffing and training plans, and an approach for maintaining these plans.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with our recommendation and in response updated its program management plans that support the program offices of the Disaster Assistance Improvement Plan, Emergency Management Mission Integrated Environment, and Integrated Public Alert and Warning System. The program plans addressed some of the weaknesses we identified in our report. For example, the program management plans identified and described the overall program management processes and methods to be used during all phases of projects and defined key deliverables and milestones, roles and responsibilities, staffing and training, and an approach for maintaining the plans. However, the plans did not clearly define the knowledge and skills needed to carry out the program or provide sufficient details on the budget and scheduling for the programs under review. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a system integration plan that includes all systems to be integrated with the system, roles and responsibilities for all relevant participants, the sequence and schedule for every integration step, and how integration problems are to be documented and resolved.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department reported that the system owners for the DAIP, EMMIE, and IPAWS programs have updated their respective system integration plans to address the risks identified within the recommendation. In addition, the agency provided documentation such as the IPAWS Integrated Logistics Support Plan, as well as the quality control plan, and test execution plans for both the DAIP and EMMIE programs. However, we have not yet completed our analysis and validated the agency actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: As part of the effort of improving IT management at the three programs, the FEMA Administrator should direct the CIO to ensure that FEMA policy for managing IT programs includes guidance for implementing the key management practices.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation. In its November 2016 update, FEMA reported that the System Owners for DAIP, EMMIE, and IPAWS have updated their respective IT management program and plans and coordinated with the FEMA CIO to address the risks identified within the recommendation. However, we have not yet validated the agency actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Dave Wise
    Phone: (202) 512-2834

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To improve the quality and transparency of data entered into FRPP as GSA transitions the database to a platform that would enable greater government-wide use, the Administrator of GSA, in consultation with OMB and federal agencies, should (1) assess the reliability of FRPP data by determining how individual agencies collect and report FRPP data for each FRPP field, including any supplemental guidance used by agencies to comply with government-wide FRPP data definitions as part of the annual certification of FRPP data; (2) analyze the differences in collecting and reporting practices used by these agencies; and (3) identify and make available to FRPP users the limitations of using FRPP data, in the context of how the data are intended to be used in real property decision making and to measure real property performance across agencies and update federal guidance to address limitations, as needed.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: GSA partially agreed with the recommendation, noting that it has limited resources to fully analyze and map the data relative to FRPP data definitions, and that it is the responsibility of individual agencies to ensure reliability of the data and compliance with FRPP definitions. As of October 2016, GSA has taken some action to implement this recommendation. GSA told us it has made progress by conducting an in-depth survey in June 2016 focusing on several data elements including: replacement value, status, owned and otherwise management operating costs, repair needs, utilization, and lease costs. The survey asked agencies questions regarding the processes/resources used to source and compile these data elements from agency IT systems as well as internal agency guidance. GSA received responses from 24 agencies and stated it plans to complete its initial analysis of the survey in the fall of 2016 and indicate limitations of these data elements. GSA plans to conduct a series of working group meetings with agencies to conduct an in-depth review of the survey results and to develop a set of recommendations for the Federal Real Property Council. GSA said these recommendations may include, but are not limited to, altering data dictionary definitions, sharing best or common practices for reporting these data elements, and sharing the limitations on the use of these data elements. Based on the working group outcomes and input from the Federal Real Property Council and OMB, GSA plans to produce a white paper on these topics by the latter part of 2017.
    Recommendation: To enhance the usefulness of the National Strategy for managing federal real property government-wide, the Director of OMB should expand the National Strategy to further address long-standing real property management challenges by: (1) expanding the scope to include maintenance and repair needs; (2) articulating planned actions and identifying alternative approaches, including alternative-funding mechanisms, to address underlying causes of the real property problems; (3) ensuring that performance measures at the agency level inform the overall progress of the National Strategy; and (4) determining the government-wide costs, benefits, and risks by leveraging agencies' long-term capital plans and identifying approaches to optimally manage that risk.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm the actions that OMB has taken in response to this recommendation, we will provide updated information.
    Director: Mathew Scirè
    Phone: (202) 512-8678

    8 open recommendations
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to enhance screening of loan guarantee applicants, the Secretary of Agriculture should direct the Undersecretary for Rural Development to complete steps to obtain access to Treasury's Do Not Pay portal and establish policies and procedures to deny loan guarantees to applicants who are subject to administrative offsets for delinquent child support payments.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development said it was in the process of gaining access to Treasury's Do Not Pay portal in order to conduct the recommended screening of loan guarantee applicants.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to strengthen oversight of lenders and servicers, the Secretary of Agriculture should direct the Undersecretary for Rural Development to develop and publish in the Federal Register qualification requirements for the principal officers of lenders and servicers seeking initial or continued approval to participate in the guarantee program.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development said it had drafted a regulatory work plan to propose qualification requirements for principal officers of lenders and servicers.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to strengthen oversight of lenders and servicers, the Secretary of Agriculture should direct the Undersecretary for Rural Development to develop and publish in the Federal Register capital and financial requirements for guarantee program lenders that are not regulated by a federal financial institution regulatory agency.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development said it had drafted a regulatory work plan to propose lender capital and financial requirements.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to strengthen oversight of lenders and servicers, the Secretary of Agriculture should direct the Undersecretary for Rural Development to establish standing policies and procedures to help ensure that the agency reviews the eligibility of lenders and servicers participating in the guarantee program at least every 2 years.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development said it was planning to automate reviews of lender eligibility every 2 years, but in the meantime was using a manual process. We will update the status of this recommendation when Rural Development provides standing policies and procedures regarding the frequency of its lender and servicer eligibility reviews.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to strengthen risk assessment and reporting, the Secretary of Agriculture should direct the Undersecretary for Rural Development to improve performance measures comparing RHS and the Federal Housing Administration loan performance, potentially by making comparisons on a cohort basis and limiting comparisons to loans made in similar geographic areas.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development said it had hired a contractor to develop more meaningful performance measures.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to strengthen risk assessment and reporting, the Secretary of Agriculture should direct the Undersecretary for Rural Development to develop risk thresholds for the guarantee program, potentially in the form of maximum portfolio- or loan-level loss tolerances.

    Agency: Department of Agriculture
    Status: Open

    Comments: Rural Development hired a contractor to help establish risk thresholds for the guarantee program. The contractor's October 2016 report developed and recommended portfolio-level and loan-level risk thresholds (values that trigger consideration of policy adjustments) and also recommended that program officials conduct stress tests to validate that each recommended risk threshold was appropriate for the program's overall risk appetite. As of August 2017, Rural Development had not provided documentation that it had validated and implemented the risk thresholds.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to strengthen risk assessment and reporting, the Secretary of Agriculture should direct the Undersecretary for Rural Development to identify issues for increased management focus in high-level dashboard reports.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development had not provided examples of high-level dashboard reports that clearly identify issues for increased management focus.
    Recommendation: To improve compliance with OMB Circular A-129 standards and strengthen management and oversight of the guarantee program, and to more effectively fulfill the requirements for conducting program reviews described in OMB Circular A-129, the Secretary of Agriculture should direct the Undersecretary for Rural Development to develop procedures for selecting RD credit programs for review based on risk and establish a prioritized schedule for conducting the reviews.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of August 2017, Rural Development said that its Chief Risk Officer was working to establish procedures for selecting Rural Development credit programs for review based on risk, including a prioritized schedule.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Army should direct the Tactical Mission Command program manager to develop a requirements management plan to document and manage its requirements process.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Navy should direct the Common Aviation Command and Control System program manager to identify weaknesses in the requirements traceability process and take corrective actions to manage the traceability of requirements to the respective lower-level requirements, and periodically evaluate work products, including the requirements management plan, and update them in accordance with the requirements guidance.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Air Force should direct the Defense Enterprise Accounting and Management System program manager to address weaknesses in its controls for ensuring that all software requirements are tested and validated before deployment of new software releases.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Director of OMB should instruct the Federal Chief Information Officer (CIO) to add the Under Secretary of Defense for AT&L as a responsible party to DOD's MAIS entries on the Federal IT Dashboard website, alongside the CIO, to publicly disclose the responsible party for the acquisition performance management of MAIS programs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget did not agree with the recommendation, but stated it would work with the Department of Defense to address it. In April 2017, the Department of Defense stated that it is reorganizing the office of the Under Secretary of Defense for AT&L and its responsibilities. We will continue to follow up with the department subsequent to the reorganization in an effort to determine the party responsible for the acquisition performance management of MAIS programs and OMB's efforts to disclose the responsible party on the Federal IT Dashboard.
    Recommendation: To help improve the management of MAIS programs, the Secretary of Defense should examine the MAIS critical change reporting process to identify root causes for delays and implement corrective actions for the timely delivery of critical change reports.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of Defense should develop a mechanism for monitoring whether MAIS programs with late reports are restricted from obligating funds and in turn ensuring compliance with the Antideficiency Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Director: Chris Currie
    Phone: (404) 679-1875

    5 open recommendations
    Recommendation: To enhance accountability for key risk-management activities and facilitate coordination with federal and industry stakeholders regarding electromagnetic risks, the Secretary of Homeland Security should designate roles and responsibilities within the department for addressing electromagnetic risks and communicate these to federal and industry partners.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the Cyber, Infrastructure and Resilience (CIR) Policy Office within the DHS Office of Policy is working with DHS components to identify and articulate the roles of the National Protection and Programs Directorate, Federal Emergency Management Agency, Science and Technology Directorate, and others in addressing electromagnetic risks. As part of this effort, CIR is to coordinate the development of a joint roles and responsibilities document to be communicated through existing partnership structures with internal and external entities.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update to our proposed recommendation, DHS reported that the National Protection and Programs Directorate (NPPD) will increase collaborative outreach activities with FERC staff that will include a review of identified critical substations developed by FERC. The intended outcome of this review is to inform DHS activities regarding identification and prioritization of critical infrastructure assets for use during steady state and response activities. NPPD is also to inform FERC of its criticality modeling capabilities through the National Infrastructure Simulation and Analysis Center (NISAC) to enhance engagement with FERC's electric power subject matter expertise and inform future capability developments regarding response to and recovery from events such as electromagnetic pulse.
    Recommendation: To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.

    Agency: Department of Energy
    Status: Open

    Comments: In June 2016, DOE provided an update (60-day letter) reiterating their intent to continue with actions identified previously to address the GAO recommendation, namely that the Office of Electricity Delivery and Energy Reliability was to review the Federal Energy Regulatory Commission's electrical infrastructure analysis, and subsequently engage with FERC and DHS to identify if any additional elements of criticality should be considered.
    Recommendation: To enhance federal efforts to assess electromagnetic risks and help determine protection priorities, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate and the Assistant Secretary for the IP to work with other federal and industry partners to collect and analyze key inputs on threat, vulnerability, and consequence related to electromagnetic risks--potentially to include collecting additional information from DOD sources and leveraging existing assessment programs such as the Infrastructure Survey Tool, Regional Resiliency Assessment Program, and DCIP.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In a June 2016 update, DHS reported that the department had completed the planned refresh of the Strategic National Risk Assessment, which was intended to incorporate potential impacts to the power system from electromagnetic events. In addition, DHS reported that the Electricity Sub-sector Coordinating Council created an Electromagnetic pulse (EMP) task force, which met in April 2016 and is currently working to develop a joint industry and government approach to address EMP. It was further noted that DHS and DOE initiated a joint study on the effects of EMP on the electric power sector - led by Los Alamos National Laboratory and the National Infrastructure Simulation and Analysis Center (NISAC) - to analyze the hazard environments, impacts, and consequences of EMP and GMD on U.S. electric power infrastructure. In addition, DHS noted their support of a new effort by the Electric Power Research Institute and 39 industry partners to further study EMP vulnerabilities.
    Recommendation: To facilitate federal and industry efforts to coordinate risk-management activities to address an EMP attack, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to engage with federal partners and industry stakeholders to identify and implement key EMP research and development priorities, including opportunities for further testing and evaluation of potential EMP protection and mitigation options.

    Agency: Department of Energy
    Status: Open

    Comments: On March 9, 2016, DOE provided agency comments on GAO-16-243 concurring with the recommendation and identifying related actions. Specifically, DOE reported collaboration with the Electric Power Research Institute to develop a joint DOE/Industry EMP Strategy to include key goals and objectives and identification of R&D priorities. The Strategy is expected to be completed by August 31, 2016, to be followed by more detailed action plans. DOE reported that they will collaborate with DHS and DOD in development of the Strategy and action plans. DOE further noted that a report by the Idaho National Laboratory also identifies potential technology gaps and includes recommendations for further R&D efforts, which will be incorporated when developing the forthcoming action plans.
    Director: Marcia Crosse
    Phone: (202) 512-7114

    28 open recommendations
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for reporting laboratory incidents to senior department officials, including the types of incidents that should be reported, to whom, and when, or direct the Administrator of the Food Safety and Inspection Service to develop agency policies that contain these requirements.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that its science and safety councils chartered a joint biorisk management policy committee to oversee the revisions of existing policies to include department-wide incident reporting requirements and time frames. USDA also reported that FSIS will collaborate with the department to ensure that FSIS policies comply with USDA reporting requirements. USDA did not provide an anticipated completion date for revising departmental policies.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should review and update outdated department policies for managing hazardous biological agents in high-containment laboratories and direct the Administrators of the Animal and Plant Health Inspection Service (APHIS) and Agricultural Research Service to update their policies and, in the case of APHIS, establish a regular review schedule.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the science and safety councils' joint biorisk management policy committee will review and update the existing outdated USDA policies. In addition, USDA reported that APHIS will review agency policies for biological laboratories every 3-5 years or sooner, if necessary, and that this schedule will be reflected in USDA policy. USDA did not provide an anticipated completion date for reviewing and updating departmental policies. USDA reported that ARS finalized its policies for its institutional biological safety committee in April 2016. Once all USDA and component agency policies have been updated and review schedules established, we will close this recommendation.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should routinely analyze results of the department's laboratory inspections and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the joint biorisk management policy committee will oversee efforts to collect and analyze laboratory inspection and incident reports and share these reports and critical analyses with USDA senior leadership. USDA did not provide an anticipated start date for analyzing reports and sharing analyses with senior departmental officials. USDA stated that the joint biorisk committee also serves as an information-sharing platform across USDA agencies and, as such, is positioned to share lessons learned from analyses of inspection and incident reports with laboratory personnel as necessary. USDA also provided additional information on APHIS, ARS, and FSIS planned or ongoing inspection and incident report analyses.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should require routine reporting of the results of department, agency, and select agent laboratory inspections to senior department officials.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the joint biorisk management policy committee will oversee efforts to revise existing departmental regulations to include requirements for routine reporting of inspection results to senior USDA officials. USDA did not provide an anticipated completion date for revising existing departmental regulations. USDA also provided additional information on APHIS, ARS, and FSIS planned or ongoing reporting of inspection results or revisions of agency policies to require such reporting.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should require routine reporting of incidents at agency laboratories to senior department officials.

    Agency: Department of Agriculture
    Status: Open

    Comments: In October 2016, USDA reported that the joint biorisk management policy committee will oversee efforts to revise existing departmental regulations to include requirements for routine reporting of laboratory incidents to senior USDA officials. USDA did not provide an anticipated completion date for revising existing departmental regulations. USDA also provided additional information on APHIS, ARS, and FSIS planned or ongoing incident reporting or revisions of agency policies to require such reporting.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inventory control for all of DOD's high-containment laboratories, not just for its select agent-registered laboratories, or direct the Secretaries of the Air Force, Army, and Navy to revise their existing, respective policies to contain these requirements.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should direct the Secretaries of the Air Force and Army to review and update their respective outdated policies for managing hazardous biological agents in high-containment laboratories.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should routinely analyze agencies' inspection results and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel, or direct the Secretaries of the Army and Navy to do so.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should require routine reporting of the results of Air Force, Army, and Navy inspections of non-select agent registered laboratories to senior department officials.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should require routine reporting of laboratory incidents at Air Force, Army, and Navy non-select agent registered laboratories to senior department officials.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should direct the Secretaries of the Army and Navy to require reporting of agency and select agent laboratory inspection results to senior agency officials.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should develop time frames for the 19 specific recommendations from the July 2015 review, or direct the Secretary of the Army to do so.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2016, DOD noted that its comments on the final report--in which it agreed with all of our findings and recommendations for the department--had not changed. However, DOD did not provide us with an update on its status in implementing these recommendations.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Energy should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inspections, or direct the Administrator of the National Nuclear Security Administration and the Director of the Office of Science to develop agency policies that contain this requirement.

    Agency: Department of Energy
    Status: Open

    Comments: In August 2016, DOE reported that it is revising department policy for its select agent and toxin work to highlight oversight of facilities working with these agents and toxins. DOE will solicit input from NNSA, the Office of Science, and its biosurety executive team to determine if specific inspection requirements should be included in the select agent, or other department or agency policies. DOE provided us with information as to other department policies and regulations that allow for inspections. DOE plans to complete its efforts by the end of July 2017. We maintain that DOE should make laboratory inspection requirements explicit and that these requirements apply to all high-containment laboratories, not just those registered with the select agent program.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Energy should review and update its outdated policies for managing hazardous biological agents in high-containment laboratories.

    Agency: Department of Energy
    Status: Open

    Comments: In August 2016, DOE reported that it is updating its outdated select agent policy and plans to complete this update by the end of July 2017.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Administrator of the Environmental Protection Agency (EPA) should revise existing EPA policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inventory control, or direct the Director of the Office of Pesticide Programs to incorporate this requirement into its policy.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA agreed with this recommendation in its February 2016 comments on the draft report, but maintains that agency, or senior-level policies, exist that include this requirement. EPA officials cited a Microbiology Laboratory Branch standard operating procedure (SOP) as containing inventory control requirements for the agency's one high-containment laboratory. However, in July 2016, EPA officials told us that it disagreed with our assessment that the SOP, as a laboratory-level document, was insufficient to meet our expectations for senior-level policies. In November 2016, EPA officials reiterated its position stating that the SOP had been approved by senior agency management and, as the requirements in it are universally applied by all laboratory staff, appropriately represents an agency-level policy. EPA further noted that the Office of Pesticide Policy, in which the Microbiology Laboratory Branch is located, is a sub-office within EPA's Office of Chemical Safety and Pollution Prevention (OCSPP), an Assistant Administrator-level office. We continue to believe that senior-level policies--in this case, either those policies issued at the EPA level or at the OCSPP/OPP level--that include all of the policy elements we analyzed reflect critical management commitment to and support for a culture of laboratory safety throughout the organization, regardless of the number of agency laboratories.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Administrator of EPA should review and update EPA's outdated policies for managing hazardous biological agents in high-containment laboratories and establish a regular schedule for reviewing and updating EPA and Office of Pesticide Programs policies.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In July 2016, EPA reported that the policies and procedures for both the facility that houses its microbiology laboratory and the laboratory itself are reviewed and updated on a bi-yearly or yearly basis consistent with the EPA schedules for biosafety and laboratory plans set in policy. However, EPA did not provide us with the policy that sets the EPA schedules. In addition, our analysis focused on policy documents issued by EPA or its senior-level offices, such as EPA's Safety, Health, and Environmental Management Program manual, dated November 2012. When we analyzed that policy for the report, we were unable to determine whether it was up-to-date because it did not include a review and update schedule or a specific recertification date. As of November 2016, EPA maintains that this recommendation has been completed, because the office revised the standard operating procedure that provides guidance for establishing the receipt, expiration dates, and disposal of biological inventory used in the laboratory. As of April 2017, we have reached out to EPA for documentation of the actions the agency stated it has taken. Until received, we continue to believe that EPA action on this recommendation is still needed, such as by providing an updated EPA-level safety manual that includes a schedule for reviewing and updating, or providing EPA's schedule set in policy, so long as it also applies to agency- or senior office-level policies.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Administrator of EPA should require routine reporting of the results of department, agency, and select agent laboratory inspections to senior department officials.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA agreed with this recommendation in its February 2016 comments on the draft report. In July 2016, EPA reported that its high-containment laboratory will notify senior officials within 3 weeks of any laboratory inspection findings. This is a positive step. We are waiting for EPA to provide us with supporting documentation.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials, including the types of incidents that should be reported, to whom, and when, or direct the Director of CDC and the Commissioner of FDA to incorporate these requirements into their respective policies.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that both CDC and FDA were working to incorporate incident reporting requirements and time frames into formal agency policies and practices but did not provide an anticipated completion date. In summer 2017, CDC and FDA reported that they were continuing to incorporate incident reporting, which includes all laboratory incidents, accidents, injuries, infections, and near-misses, into formal agency policies. CDC did not provide an anticipated completion date. FDA anticipated completing the policy revisions/updates by summer 2018.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for training and inspections for all high-containment component agency laboratories and not just for their select-agent-registered laboratories; or direct the Director of CDC to provide these requirements in agency policies.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that CDC plans to revise its policies to include training and inspection requirements for all high-containment laboratories but did not provide an anticipated completion date. In June 2017, HHS reported that CDC was in the process of revising its formal policies to ensure they included requirements for training and inspections for all of the agency's high-containment laboratories but did not provide an anticipated completion date.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should require routine reporting of the results of agency and select agent laboratory inspections to senior department officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that CDC was working with FDA and NIH to establish a process for notifying HHS leadership of inspection results through the department's Biosafety and Biosecurity Coordinating Council. HHS did not provide us with an anticipated time frame for implementing this notification practice or when the agencies plan to begin notifying HHS of inspection results.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should direct the Director of NIH and the Commissioner of FDA to require routine reporting of the results of agency laboratory inspections--and in the case of FDA, require routine reporting of select agent inspection results--to senior agency officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that FDA is working to establish a process for notifying senior agency officials of inspection results, and in August 2017, FDA reported that it was in the process of updating its policies to reflect such a notification process. FDA anticipated that the updated policies and processes would be in place by summer 2018. In August 2016, HHS reported that NIH's ongoing practice is to report the results of external inspections to senior agency officials and, in May 2016, developed a standard operating procedure that outlines this reporting process. In March 2017, NIH officials provided assurance that its Division of Occupational Safety and Health provides NIH's intramural governing body with information about NIH's safety performance at least annually; officials further assured that this information includes the overall results of annual inspections (or audits, as NIH calls them) of all NIH laboratories and discussion of the top 10 most reported safety infractions for the year. GAO considers NIH to have implemented the recommended action. GAO will close the overall recommendation once FDA has taken equivalent, appropriate action.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should require routine reporting of incidents at CDC, FDA, and NIH laboratories to senior department officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In August 2016, HHS reported that its Biosafety and Biosecurity Council is working to establish incident reporting requirements for CDC, FDA, and NIH but did not provide an anticipated completion date. HHS noted that NIH formally adopted a standard operating procedure that lays out the agency's requirements for reporting incidents to senior officials.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should develop department policies, or direct the Directors of Fish and Wildlife Service and U.S. Geological Survey to develop agency policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials--including the types of incidents that should be reported, to whom, and when--and specific requirements for roles and responsibilities, training, inventory control, and inspections.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that the Fish and Wildlife Service and U.S. Geological Survey will develop agency-level policies that contain the key elements GAO identified. DOI did not provide us with a time frame for these activities.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should routinely analyze the results of the agency's laboratory inspections and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel, or direct the Directors of Fish and Wildlife Service and U.S. Geological Survey to do so.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that its Biosafety Working Group, composed of officials across the department, including Fish and Wildlife Service and U.S. Geological Survey, is developing an automated process for analyzing results of laboratory inspections and incident reports to identify safety and security trends. The working group is also developing a process to share information gleaned from these analyses, including lessons learned, with laboratory personnel in a timely manner. DOI did not provide us with a time frame for these activities.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should require routine reporting of the results of agency and select agent inspections to senior department officials.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that in accordance with the reporting requirements it plans to incorporate into agency-level policies in response to our first recommendation, Fish and Wildlife Service and U.S. Geological Survey will be required to submit routine or periodic reports of the results of agency and select agent inspections to the department's designated agency safety and health official.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of the Interior should direct the Director of the U.S. Geological Survey to require routine reporting of the results of agency and select agent laboratory inspections to senior agency officials.

    Agency: Department of the Interior
    Status: Open

    Comments: In July 2016, DOI reported that the U.S. Geological Survey will modify and expand its existing policies to require reporting of agency and select agent inspection results to senior USGS officials.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Veterans Affairs should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials--including the types of incidents that should be reported, to whom, and when--and requirements for inventory control for all of its high-containment laboratories, including its select agent-registered clinical laboratory, or direct the Under Secretary of Health to incorporate these requirements into its policies.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In June 2016, VA reported that while it has policies for reporting laboratory incidents at the local level (VA medical center or laboratory level), VA plans to develop a national level policy for reporting laboratory incidents to senior department officials, including the types of incidents to report, to whom, and when. VA will convene a task force for the purposes of developing such a policy and anticipates that the task force will finalize its policy by March 2018. In June 2017, VA reported that the task force concluded that VA's existing emergency management plan contained all of the necessary requirements for laboratory incident reporting. However, VA has not provided GAO with the emergency management plan. VA further noted that an intradepartmental memorandum was sufficient for making employees aware of such policy requirements in the emergency plan and that such a memorandum was drafted and was being processed for dissemination throughout VA, with an anticipated completion date of August 2017.
    Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Veterans Affairs should direct the Under Secretary of Health to review and update outdated agency policies for managing hazardous biological agents in high-containment laboratories.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA updated and finalized its outdated policy for its clinical laboratories in February 2016. In July 2016, VA reported that it has begun updating its policies for its research laboratories and anticipated finalizing them in 6 months. In June 2017, VA reported that its policies for its research laboratories remain under review and revision, with an anticipated completion date of December 2017.
    Director: David J. Wise
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To improve risk assessments for repair and alteration projects, the Administrator of GSA should develop and implement a plan to periodically analyze information GSA already collects, for example, based on a representative sample of repair and alterations projects, in order to: (1) identify the specific impacts unforeseen conditions have had on project costs, schedules, and scope of work; (2) analyze the causes of these conditions for those projects that experienced unforeseen site conditions; and (3) identify actions that will be taken to address the potential causes of unforeseen site conditions.

    Agency: General Services Administration
    Status: Open

    Comments: GSA said it is working to study potential unforeseen site conditions on repair and alteration projects. Based on the identification of new categories of unforeseen site conditions, GSA will implement plans to prevent and mitigate such unforeseen site conditions on future projects. Specifically, GSA will conduct a study of change orders. GSA will then analyze conditions and identify possible categories of unforeseen site conditions. GSA will include assessment of causes and impact on schedule and budget, and also assess potential causes of unforeseen site conditions. Finally, GSA will develop plans to address potential causes and mitigate risks of unforeseen site conditions. We will continue to follow-up with GSA to confirm that it follows through with these actions.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To further build on the efforts to improve emergency communications interoperability in the NCR, as part of its efforts to restructure the JFC, the Federal Emergency Management Agency Administrator should direct the Director of ONCRC to clearly articulate in a written agreement the roles and responsibilities of the participating agencies and specify how these agencies are to work together across agency boundaries.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jacqueline M. Nowicki
    Phone: (202) 512-7215

    1 open recommendation
    including 1 priority recommendation
    Recommendation: Using its general authority to collaborate with other federal agencies, the Secretary of Education should convene its federal interagency partners to develop a strategic approach to interagency collaboration on school emergency preparedness. This group could include designees or delegates from the Secretaries of DHS, HHS, and the Attorney General, including representatives from relevant agency components, such as the Federal Emergency Management Agency, Transportation Security Administration, and the Federal Bureau of Investigation, and others as appropriate, and should incorporate leading federal interagency collaboration practices, for example, by: (1) identifying leadership, (2) defining outcomes and assigning accountability, (3) including all relevant participants, and (4) identifying necessary resources.

    Agency: Department of Education
    Status: Open
    Priority recommendation

    Comments: The Department of Education agrees that improved federal coordination will better assist K-12 schools in preparing for emergencies, and noted that other federal agencies, including especially FEMA, play a significant role in school emergency preparedness. Additionally, Education cited the importance of involving other relevant agencies in obtaining agreement on the assignment of roles and responsibilities, including selecting a lead agency charged with primary responsibility for coordinating federal emergency preparedness assistance to K-12 schools. In August 2016, Education convened a committee of Assistant Secretary-level representatives from relevant agencies, including DHS, FEMA, and TSA, among others, to develop a strategic approach to interagency collaboration on school emergency management efforts. Subsequently, in October 2016, it convened a task force consisting of program staff from the relevant agencies to draft a plan for organizational structure, goals, and objectives for the next five years, which it expects will be approved for implementation beginning in January 2017. We are encouraged by these actions and will monitor the group's progress towards developing a strategic approach to school emergency preparedness. Education stated that it expects to complete these efforts very soon. At that time, we will await documentation showing that it has finalized and implemented its strategic approach for interagency collaboration around school emergency management.
    Director: Gerald L. Dillingham, Ph.D.
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To help FAA better manage and understand the uncertainties of its forecasts, the Secretary of Transportation should direct the FAA to apply risk-management practices to analyze and report on uncertainty. Specifically, the FAA should, for both the Aerospace and TAF forecasts, analyze and report the forecast's uncertainty, establish forecast error thresholds, and develop an approach that will prompt forecast review when error thresholds are exceeded, and, for TAF forecasts, monitor and publish multi-year historical error performance, as FAA does for the Aerospace Forecast.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help FAA better manage and understand the uncertainties of its forecasts, the Secretary of Transportation should direct the FAA to fully document its methods and assumptions in developing the Aerospace and TAF forecasting models to provide greater transparency to internal users and external stakeholders.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lawrance Evans, Jr.
    Phone: (202) 512-8678

    6 open recommendations
    Recommendation: Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services. For example, Congress could consider consolidating the number of federal agencies involved in overseeing the safety and soundness of depository institutions, combining the entities involved in overseeing the securities and derivatives markets, transferring the remaining prudential regulators' consumer protection authorities over large depository institutions to the Consumer Financial Protection Bureau, and the optimal role for the federal government in insurance regulation, among other considerations.

    Agency: Congress
    Status: Open

    Comments: One bill has been introduced in the 115th Congress that would change the financial regulatory structure to address fragmented and overlapping regulatory authorities among agencies, as GAO suggested in February 2016. H.R. 594 was introduced on January 20, 2017, and calls for the functions of the Commodity Futures Trading Commission and the Securities and Exchange Commission to be combined in a single independent regulatory commission. Such an action could help to address fragmentation and overlap between the two agencies, and reduce opportunities for inefficiencies in the regulatory process and inconsistencies in how regulators conduct oversight activities over similar types of institutions, products, and risks.
    Recommendation: Congress should consider whether legislative changes are necessary to align FSOC's authorities with its mission to respond to systemic risks. Congress could do so by making changes to FSOC's mission, its authorities, or both, or to the missions and authorities of one or more of the FSOC member agencies to support a stronger link between the responsibility and capacity to respond to systemic risks. In doing so, Congress could solicit information from FSOC on the effective scope of its collective designation authorities, including any gaps.

    Agency: Congress
    Status: Open

    Comments: No legislative action identified. As of March 1, 2017, no legislation had been introduced that would align FSOC's authorities with its mission to respond to systemic risks, as GAO suggested in February 2016. Without such legislative changes, FSOC may lack the tools it needs to comprehensively address systemic risks that may emerge, and a gap will continue to exist in the post Dodd-Frank Wall Street Reform and Consumer Protection Act mechanisms for the mitigation of systemic risks.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, as OFR develops and refines its financial stability monitoring tools, it should work with FSOC to determine ways in which to fully and regularly incorporate current and future monitors and assessments into Systemic Risk Committee deliberations, including, where relevant, those that present disaggregated or otherwise confidential supervisory information.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: At the FSOC Systemic Risk Committee meeting held in December 2016, Treasury indicated that Office of Financial Research staff presented on the agency's Financial Stability Report. Officials indicated that they provided an assessment on potential financial stability risks, including macroeconomic, market, credit, funding and liquidity, and contagion risks. Systemic Risk Committee meeting attendees were able to compare and contrast these with the results from the Federal Reserve's systemic risk monitoring activities, which were also presented at the meeting. Office of Financial Research officials stated that there was general consensus at the meeting that these discussions were useful and that they should continue. GAO does not believe that this action is consistent with the intent of its February 2016 recommendation to fully and regularly incorporate current and future monitors and assessments into FSOC's Systemic Risk Committee deliberations. While GAO encourages sharing this type of information, the Office of Financial Research's Financial Stability Report is a publicly-available report. The intent of GAO's recommendation was to encourage the agency to fully incorporate all of its monitors into Systemic Risk Committee discussions, including its Financial Stability Monitor--its benchmark tool for assessing risks across the financial system. In addition, in its February 2016 report, GAO encouraged the agency to seek ways in which monitors that present disaggregated or otherwise confidential supervisory information can be incorporated in committee discussions. Without sharing such monitors and information, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether. The Financial CHOICE Act of 2016 was introduced in the 114th Congress. The act called for the Office of Financial Research to be eliminated. It was not passed before the end of the 114th Congress.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, the Federal Reserve should work with FSOC to regularly incorporate the comprehensive results of its systemic risk monitoring activities into Systemic Risk Committee deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, Federal Reserve officials indicated that they provided a presentation to FSOC's Systemic Risk Committee in December 2016, which included comprehensive results from its systemic risk monitoring activities. This action appears to be consistent with GAO's February 2016 recommendation, but the documentation provided by the Federal Reserve did not provide sufficient evidence that the agency has regularly incorporated these results into Systemic Risk Committee meetings. GAO will continue to monitor the Federal Reserve's participation in Systemic Risk Committee meetings to ensure that the agency continues to provide both regular and comprehensive results to the committee. Without better access to systemic risk monitoring tools and other outputs, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    8 open recommendations
    including 8 priority recommendations
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to conduct a comprehensive feasibility study on actions that CMS can take to monitor and analyze, both quantitatively and qualitatively, the extent to which data hub queries provide requested or relevant applicant verification information, for the purpose of improving the data-matching process and reducing the number of applicant inconsistencies; and for those actions identified as feasible, create a written plan and schedule for implementing them.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported that it considered this recommendation open and it was reviewing options for conducting a feasibility study to monitor and analyze information received from the Hub as recommended. HHS plans to examine the hub process in delivering usable information for applicant verification and analyzing data to identify trends or patterns that could suggest improvements in verification or actions that could reduce the number of inconsistencies that require further attention. HHS reported that this effort began March 2016. In March 2017, the agency said it is making significant progress towards implementing the recommendation. We will continue to monitor HHS's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to track the value of advance premium tax credit and cost-sharing reduction (CSR) subsidies that are terminated or adjusted for failure to resolve application inconsistencies, and use this information to inform assessments of program risk and performance. (See related recommendation 7.)

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because it expanded the use of analytics to analyze the value of premium tax credit and CSR subsidies that are eliminated or adjusted for 2015 actions at the policy level, and that CMS continues to analyze the data to develop future operations changes. In May 2016, we requested documentation of these actions, including (1) information produced using the capability described; (2) ways in which this information is being used for analysis for purposes such as program operations, monitoring, risk assessment, or fraud cleaning; and (3) a description of the future operational changes contemplated based on the analyses done. Once received, we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to, in the case of CSR subsidies that are terminated or adjusted for failure to resolve application inconsistencies, consider and document, in conjunction with other agencies as relevant, whether it would be feasible to create a mechanism to recapture those costs, including whether additional statutory authority would be required to do so; and for actions determined to be feasible and reasonable, create a written plan and schedule for implementing them.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because CMS has considered whether it would be feasible to create a mechanism to recapture CSRs and determined that this is not possible under the current statute. HHS also noted that as currently written, the statute does not provide this authority and to pursue developing a mechanism to do so would require Congress to change the statute. In May 2016, we agreed to consider the recommendation closed upon HHS advising us if it made any review or inquiry into the feasibility of recapture apart from statutory authority and providing documentation of such consideration so that we have a full record of the agency's consideration prior to closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to identify and implement procedures to resolve Social Security number inconsistencies where the Marketplace is unable to verify Social Security numbers or applicants do not provide them.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported that it considered this recommendation open and was working on implementing functionality for updating consumers' Social Security numbers (SSN) and their eligibility based on the correct SSN. HHS reported that it is targeting deployment of the SSN update functionality in 2017. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to reevaluate CMS's use of Prisoner Update Processing System (PUPS) incarceration data and make a determination to either (a) use the PUPS data, among other things, as an indicator of further research required in individual cases, and to develop an effective process to clear incarceration inconsistencies or terminate coverage, or (b) if no suitable process can be identified to verify incarceration status, accept applicant attestation on status in all cases, unless the attestation is not reasonably compatible with other information that may indicate incarceration, and forego the inconsistency process.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because in 2015, it made the determination to no longer require application filers to submit documentation regarding incarceration status. We were aware of that determination, but the recommendation was to reevaluate use of PUPS from the specific standpoint of using the data as it was intended to be used as an indicator of further research and then draw a conclusion on the use of the data. In May 2016, we requested documentation demonstrating that in the period since we made this recommendation, CMS has undertaken the reevaluation in the fashion that we indicated. Once received, we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to create a written plan and schedule for providing Marketplace call center representatives with access to information on the current status of eligibility documents submitted to CMS's documents processing contractor.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because since May 2015, call center representatives have received daily updates on the status of eligibility documentation. It is working to provide call center representatives with real-time data that is tentatively scheduled for later in 2016. In May 2016, we noted that our recommendation was focused on providing such real-time capability and requested (1) confirmation that call center representatives currently have on-demand, real-time access to up-to-date, application-level document status; and documentation showing development and implementation of this capability; or (2) a written plan and schedule for providing this capability as recommended. Once received, we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to conduct a fraud risk assessment, consistent with best practices provided in GAO's framework for managing fraud risks in federal programs, of the potential for fraud in the process of applying for qualified health plans through the federal Marketplace.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported that it considered this recommendation open. It noted that CMS has launched a Marketplace Integrated Project Team (IPT) through the Program Integrity Board, which includes senior staff from across CMS. An objective of the IPT is to complete the fraud risk assessment of Marketplace eligibility and enrollment based on GAO's Fraud Risk Framework, as required by the recommendation. HHS said the first three steps of GAO's framework for this part were to be completed by early summer. Once HHS has completed all relevant steps of the framework, and the agency has fully documented its implementation efforts--including discussion of any items contemplated by the framework that HHS elected not to follow--we will review to determine whether the efforts taken warrant closing the recommendation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to fully document prior to implementation, and have readily available for inspection thereafter, any significant decision on qualified health plan enrollment and eligibility matters, with such documentation to include details such as policy objectives, supporting analysis, scope, and expected costs and effects.

    Agency: Department of Health and Human Services
    Status: Open
    Priority recommendation

    Comments: In April 2016, HHS reported it considers this recommendation closed because CMS prepares an annual Marketplace and Related Programs Cycle Memo to fulfill reporting requirements for internal control. The Memo describes all significant eligibility and enrollment policy and process changes, including new internal key controls associated with these changes, and the 2015 Memo was released in September 2015. In May 2016, we notified HHS that its actions do not close the recommendation. Information contained in the Memos is after-the-fact and while useful, does not meet the full range of documentation contemplated by our recommendation, especially development and analysis of changes prior to implementation. In March 2017, HHS provided us information on their response to this and other recommendations from this report. However, HHS has not provided sufficient documentation to show that they have implemented this recommendation. We will continue to monitor the agency's progress in this area.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    7 open recommendations
    Recommendation: To help ensure SB/SE's audit selection program meets its mission and selects returns fairly, the Commissioner of Internal Revenue should clearly define and document the key term "fairness" for return selection activities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to incorporate a definition of fairness into the Internal Revenue Manual (IRM), which serves as a single point of reference for guidance to IRS examiners. In February 2016, the Deputy Commissioner of Services and Enforcement (S&E) reiterated IRS's definition of fairness in the examination process to S&E employees. In January 2017, IRS issued interim guidance on fairness in examination case selection. IRS officials said that this guidance is considered "final" until the IRM is updated, no later than January 2019. In February 2017, IRS issued an article on its IRWeb and a message from the Deputy Commissioner S&E on defining fairness in the exam process. We are awaiting resolution of how this definition will be used in three other recommendations on communicating examples as well as developing both a related objective and measure.
    Recommendation: To help ensure SB/SE's audit selection program meets its mission and selects returns fairly, the Commissioner of Internal Revenue should clearly communicate examples of fair selections to staff to better assure consistent understanding.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to communicate examples of fairness to managers and examiners involved in selecting tax returns for examination. In March 2017, the Director of IRS Small Business/Self Employed (SB/SE) Examination-Headquarters issued a memo to SB/SE examination directors that included examples illustrating the fairness definition in return selection. The examples were to be shared with directors, management, and examiners involved in return selection. To close this recommendation, we are waiting for resolution of how the fairness definition will be implemented through related recommendations on developing program objectives and measures assessing fairness in return selection.
    Recommendation: To help ensure SB/SE's audit selection program meets its mission and selects returns fairly, the Commissioner of Internal Revenue should develop, document, and implement program-level objective(s) to evaluate whether the return selection process is meeting its mission of applying the tax law with integrity and fairness to all.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to review its current objectives for the SB/SE examination program and found that an additional program-level objective to evaluate fairness in the return selection was necessary. The new objective is "Ensure examinations are initiated based on indicators of noncompliance. In addition, ensure a review of the decisions to survey a return (i.e., not initiate an examination) are based upon factors outlined in the Internal Revenue Manual (IRM) and approved by an appropriate level of management." In March 2017, IRS issued interim guidance communicating the new objective, which was sent to Examination Directors. The guidance and objective were also posted on the IRweb, which is available to all IRS employees. IRS officials said that the interim guidance is considered final until it can be incorporated into the IRM, which should be done within 2 years of when the interim guidance is issued. We are awaiting IRS's response to a related recommendation on developing a measure for this selection objective before deciding to close this recommendation.
    Recommendation: To help ensure that SB/SE's audit selection objective(s) on fairness are used and met, the Commissioner of Internal Revenue should develop, document, and implement related performance measures that would allow SB/SE to determine how well the selection of returns for audit meets the new objective(s).

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to develop, document, and implement additional performance measures if new objectives related to fair return selection were implemented. In March 2017, IRS developed a new objective on fair return selection. In April 2017, IRS officials said that they were working on performance measures related to the new objective on fair return selection. They plan to meet with GAO in 1-2 months to obtain our feedback on the measures.
    Recommendation: To help ensure that SB/SE's audit selection objective(s) on fairness are used and met, the Commissioner of Internal Revenue should incorporate the new objective(s) for fair return selection into the SB/SE risk management system to help identify and analyze potential risks to fair selections.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to consider any new objectives related to fair return selection within SB/SE's current risk management process framework. In March and April 2017, SB/SE developed a tool (RAFT) to include the fair selection objective (and related activities) into its risk register, which is monitored quarterly. IRS provided documentation from the Exam Risk Council meeting that they have discussed and assessed these risks. IRS is still working on documentation to show they are addressing our recommendations and the associated risks. IRS officials said the documentation is due in August 2017.
    Recommendation: The Commissioner of Internal Revenue should develop and implement consistent documentation requirements to clarify the reasons for selecting a return for audit and who reviewed and approved the selection decision.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to evaluate the need to improve its documentation of return selection decisions and the review and approval process. In March 2017, various IRS functions completed templates showing the current status of return selection documentation requirements. As a result, they found that they could improve the consistency and clarity in documentation, approval and review requirements across workstreams by clearly defining procedures and ensuring they are formally documented in the IRM. The Director of Exam Case Selection issued a memo directing that documentation requirements be made consistent in the IRM. IRS officials said that revised documentation requirements are due in August 2017, with IRM incorporation at a later date.
    Recommendation: The Commissioner of Internal Revenue should develop, document, and implement monitoring procedures to ensure that decisions made and coding used to select returns for audit are appropriate.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to review its current procedures for monitoring return selection decisions and coding used to select returns. In April 2017, IRS officials provided documentation showing they had reviewed campus examination selection dollar thresholds and campus source code definitions. They found that improvements could be made in clarifying source code definitions and reviewing dollar thresholds used to categorize and select, respectively, returns for examination. IRS has issued an IRM procedural update to implement these changes. During our meeting with IRS, we clarified that our recommendation covered monitoring selection decisions more broadly, which IRS acknowledged. Officials said that additional documentation on monitoring selection decisions will be due by August 2017.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    6 open recommendations
    including 3 priority recommendations
    Recommendation: To provide reasonable assurance that EOIR's fraud prevention controls are adequate, the Attorney General should direct EOIR to conduct regular fraud risk assessments across asylum claims in the immigration courts.

    Agency: Department of Justice
    Status: Open

    Comments: In April 2017, the Executive Office for Immigration Review (EOIR) reported that it is taking several steps toward implementing this recommendation. First, EOIR undertook a review of all asylum fraud complaints that the office received since 2007. Second, EOIR reported that, beginning in June 2016, it conducted a series of trainings and in-person "listening sessions" to discuss issues related to asylum fraud with immigration judges and court staff. Third, EOIR reported that it is in the process of creating a written assessment for all personnel at immigration courts and the Board of Immigration Appeals to determine the magnitude of asylum fraud issues at each respective location. Fourth, EOIR reported that it is designing a statistical analysis of asylum fraud. On the basis of these actions, EOIR reported that it will subsequently move to the next phases of the fraud risk assessment, consistent with GAO's Fraud Risk Management Framework. To fully address this recommendation, EOIR should conduct regular fraud risk assessments across asylum claims in immigration courts.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to conduct regular fraud risk assessments across the affirmative asylum application process.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In October 2016, DHS indicated that USCIS had established a working group and collected fraud trend information from all eight asylum offices that will be used to inform the development of a risk assessment framework. As of January 2017, USCIS reported that the Asylum Division is continuing to develop the risk assessment framework and is working on an initial draft. According to USCIS, the Asylum Division, in cooperation with other relevant internal stakeholders such as USCIS's Fraud Detection and National Security Directorate, plans to develop an assessment tool and implementation plan for completing regular fraud risk assessments of the affirmative asylum process, with the first assessment to be completed no later than the end of fiscal year 2017. Regularly assessing fraud risks across the affirmative asylum process would provide USCIS more complete information on risks that may affect the integrity of the process and therefore help USCIS target its fraud prevention efforts to those areas that are of highest risk.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to develop and implement a mechanism to collect reliable data, such as the number of referrals to FDNS from asylum officers, about FDNS's efforts to combat asylum fraud.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In January 2016, USCIS reported that FDNS is making improvements in its database for maintaining data and information on all FDNS activities, including activities associated with asylum fraud investigations. USCIS reported that FDNS planned to update database system guides and associated training materials, and conduct training for all users by September 2016. As of October 20, 2016, USCIS had not provided GAO with additional updates to the status of this recommendation. Developing and implementing a mechanism to collect reliable data, such as the number of referrals to FDNS from asylum officers, should help FDNS's efforts to combat asylum fraud.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to identify and implement tools that asylum officers and FDNS immigration officers can use to detect potential fraud patterns across affirmative asylum applications.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In February 2016, DHS indicated that USCIS had allotted fiscal year 2016 funds in support of initial acquisition activities for tools to detect potential fraud patterns across affirmative asylum applications. USCIS reported that FDNS and DHS's Homeland Security Advanced Research Projects Agency are conducting an Analysis of Alternatives (AoA) to evaluate and compare operational effectiveness, suitability, costs, and risks associated with alternative solutions. In October 2016, DHS officials indicated that FDNS and DHS's Homeland Security Advanced Research Projects Agency have completed an AoA and presented the results to FDNS leadership. According to USCIS, FDNS identified a hardware solution and began acquisition planning for this hardware in September 2016. As of October 2016, RAIO FDNS is working with USCIS's Office of Information Technology and other DHS components, including the DHS Science and Technology Directorate, to study options. Based upon this additional work, and dependent on securing necessary funding, USCIS reported that it expects to complete the analysis of additional tools by September 30, 2017. Identifying and implementing new tools to detect fraud patterns would help USCIS ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent asylum fraud.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to require FDNS immigration officers to prescreen all asylum applications for indicators of fraud to the extent that it is cost-effective and feasible.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that some asylum offices have strengthened their capability to detect and prevent fraud by using immigration officers from USCIS's Fraud Detection and National Security Directorate (FDNS) to prescreen affirmative asylum applications; however, the use of this practice varied across asylum offices. In October 2016, DHS stated that FDNS had completed an initial review of all locally-developed prescreening policies and was working to analyze them comprehensively. Since completing this analysis, USCIS has been drafting a memorandum and companion guidance to be provided to the asylum offices, which USCIS officials stated will establish the framework for a national prescreening program. As of March 2017, USCIS reported that it expects to complete the guidance by September 30, 2017. Greater use of prescreening could allow FDNS to identify fraud trends and detect patterns that may not be evident in a small sample of asylum applications.
    Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to include a review of potential fraud indicators in future random quality assurance reviews of asylum applications.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In December 2015, GAO reported that U.S. Citizenship and Immigration Services (USCIS) had implemented some quality assurance procedures for asylum decisions that are designed to ensure asylum officers' decisions are legally sufficient. However, GAO found that USCIS's random quality assurance reviews of asylum cases did not include an examination of potential indicators of fraud in the case file. Thus, GAO recommended that USCIS include a review of potential fraud indicators in future random quality assurance reviews of asylum applications. As of January 2016, USCIS's Asylum Division had revised its quality assurance checklist to include a fraud-specific section that will help the reviewers evaluate whether any fraud indicators were properly identified, analyzed, and processed by asylum officers. According to Asylum Division officials, the revised checklist will be used for all general random quality assurance reviews of asylum cases, and officials stated that the next such random review is scheduled for fiscal year 2017. To fully address this recommendation, upon completion of the fiscal year 2017 review, USCIS plans to provide GAO with documentation that the revised checklist was used.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help federal, state, local, and private sector decision makers access and use the best available climate information, the Executive Office of the President should designate a federal entity to develop and periodically update a set of authoritative climate change observations and projections for use in federal decision making, which state, local, and private sector decision makers could also access to obtain the best available climate information.

    Agency: Executive Office of the President
    Status: Open

    Comments: As of 6/7/17, the Executive Office of the President has yet to take action in response to this recommendation.
    Recommendation: To help federal, state, local, and private sector decision makers access and use the best available climate information, the Executive Office of the President should designate a federal entity to create a national climate information system with defined roles for federal agencies and nonfederal entities with existing statutory authority.

    Agency: Executive Office of the President
    Status: Open

    Comments: As of 6/7/17, the Executive Office of the President has yet to take action in response to this recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

    Agency: Department of the Treasury
    Status: Open

    Comments: The 2015 sector-specific plan for the financial services sector includes a section on measuring the effectiveness of sector activities; however, the plan does not include specific metrics. The plan refers to working groups and meetings of sector stakeholders as mechanisms to track sector progress. No specific metrics and associated reports of outcomes have been provided to address overcoming the challenges of monitoring the sector's cybersecurity progress. We will continue to monitor financial services sector activities and determine any specific metrics and related reports developed and implemented to track and report on the sector's cybersecurity progress.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether USDA and HHS have developed and implemented mechanisms to measure the outcomes of their sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether HHS has developed and implemented mechanisms to measure the outcomes of its sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Transportation
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The 2015 water and wastewater sector-specific plan includes a segment on measuring the effectiveness of sector activities that describes the overall principles for collecting data and using the National Annual Report data calls as a tool for assessing performance and reporting on progress within the sector. However, the plan does not state specific measures and the agency acknowledged in its response to our report that it does not collect performance metrics on the effectiveness of its cybersecurity programs for the sector. According to agency officials, the development of performance metrics in collaboration with sector partners is underway. We will continue to follow up to identify any specific metrics developed and implemented and resulting outcome-based reports.
    Director: Brenda S. Farrell
    Phone: (202) 512-3604

    5 open recommendations
    Recommendation: To improve the effectiveness of DOD's strategy for preventing sexual assault in the military, as part of the department's next biennial update to the 2014-16 sexual-assault prevention strategy, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to link sexual-assault prevention activities with desired outcomes.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. DOD is conducting assessments at large installations that reflect a cross-section of each of the service's cultures and result in the development of the 2017-2021 DOD Sexual Assault Prevention Plan of Action. According to department officials, the plan will link risks and protective factors.
    Recommendation: To improve the effectiveness of DOD's strategy for preventing sexual assault in the military, as part of the department's next biennial update to the 2014-16 sexual-assault prevention strategy, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to identify risk and protective factors for all of its domains, including the military community and its leaders.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. DOD is conducting assessments at large installations that reflect a cross-section of each of the service's cultures and will inform the development of the 2017-2021 DOD Sexual Assault Prevention Plan of Action. According to department officials, the plan will identify risk and protective factors for all domains, including military community and leaders.
    Recommendation: To help ensure widespread adoption and implementation of DOD's sexual-assault prevention strategy and to fulfill its role as a framework that can assist leaders and planners in the development of appropriate tasks, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to communicate and disseminate DOD's prevention strategy and its purpose to the appropriate levels of program personnel as well as their roles and responsibilities for its implementation.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. According to DOD officials, DOD's 2017-2021 Sexual Assault Prevention Plan of Action will include a comprehensive communications roll-out plan to ensure every level of DOD understands its role in prevention.
    Recommendation: To help improve DOD's ability to measure the effectiveness of the department's efforts in preventing sexual assault in the military, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military departments, to fully develop the department's performance measures for the prevention of sexual assault so that the measures include all key attributes of successful performance measures.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. DOD is conducting a feasibility assessment to identify metrics that will detect impacts of prevention efforts and show progress on reducing risk and prevalence of sexual assault. The results will be included in the 2017-2021 DOD Sexual Assault Prevention Plan of Action.
    Recommendation: To help ensure widespread adoption and implementation of DOD's sexual-assault prevention strategy and to fulfill its role as a framework that can assist leaders and planners in the development of appropriate tasks, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to ensure the military services' Sexual Assault Prevention and Response policies are aligned with the department's prevention strategy.

    Agency: Department of Defense
    Status: Open

    Comments: DOD action in progress. As part of its development of the department's 2017-2021 Sexual Assault Prevention Plan of Action, DOD is working to align military service sexual assault prevention policies with the department's overarching sexual assault prevention strategy.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To enhance HHS's ability to protect public health from the impacts of climate change, the Secretary of HHS should direct CDC to develop a plan describing when it will be able to issue climate change communication guidance to state and local health departments, to better position relevant officials to effectively communicate about the risks that climate change poses to public health and address requirements of the Climate Ready States and Cities Initiative.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of December 2016, CDC has taken steps to start developing a communications strategy, and expects this process to include the development of guidance for public health officials to help them more effectively communicate about the health effects of climate change. CDC expects the strategy to be completed by the fall of 2017.
    Director: William Shear
    Phone: (202) 512-8678

    6 open recommendations
    including 1 priority recommendation
    Recommendation: To improve management of the Small Business Administration and to ensure that SBA assesses the effectiveness of its programs, the SBA Administrator should prioritize resources to conduct additional program evaluations.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to ensure that SBA fully meets GPRAMA requirements, the SBA Administrator should use the results of additional evaluations it conducts in its strategic planning process and ensure the agency's next strategic plan includes required information on program evaluations, including a schedule of future evaluations.

    Agency: Small Business Administration
    Status: Open
    Priority recommendation

    Comments: SBA officials stated that, as of October 2016, the agency had taken several steps to prioritize resources and establish an implementation plan for future evaluations, including hiring its first lead program evaluator to develop a long-term evaluation agenda and initiating four program evaluations. They stated that once completed, the evaluations would be incorporated into the agency's fiscal year 2018-2022 strategic plan. As of May 2017, SBA had started reviewing guidance on drafting this plan, which is due in February 2018.
    Recommendation: To improve management of the Small Business Administration and to improve SBA's human capital management, the SBA Administrator should incorporate into its next training plan key principles such as goals and measures for its training programs and input on employee development goals.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to ensure that SBA's organizational structure helps the agency meet its mission, the SBA Administrator should document the assessment of the agency's organizational structure, including any necessary changes to, for example, better ensure areas of authority, responsibility, and lines of reporting are clear and defined.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to improve SBA's program and management guidance, the SBA Administrator should set time frames for periodically reviewing and updating its SOPs as appropriate.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve management of the Small Business Administration and to help ensure that SBA's IT operations and maintenance investments are continuing to meet business and customer needs and the agency's strategic goals, the SBA Administrator should direct the appropriate officials to perform an annual operational analysis on all SBA investments in accordance with OMB guidance.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: To ensure that NTIA's evaluation of the Internet multistakeholder community's transition proposal fully considers whether the proposal provides reasonable assurance that NTIA's core goals for the transition will be met, the NTIA Administrator should review relevant frameworks for evaluation, such as the Committee of Sponsoring Organizations of the Treadway Commission framework and the International Organization for Standardization quality management principles, and use the relevant portions of the frameworks to help evaluate and document whether and how the transition proposal meets NTIA's core goals.

    Agency: National Telecommunications and Information Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Mctigue Jr, James R
    Phone: (202) 512-9110

    5 open recommendations
    Recommendation: To help ensure the IRS collection program meets its mission and selects cases fairly, the Commissioner of Internal Revenue should establish, document, and implement clear objectives for the collection program and enterprise-wide case categorization and routing processes, and define key terms, such as "fairness" and "risk."

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation. In March 2017, IRS provided a document intended to define the objectives and "fairness," but it did not clearly define objectives for the collection program and enterprise-wide case categorization and routing processes; instead, it identified division-level objectives and fiscal year 2017 collection strategies. The document also did not clearly define and communicate objectives--to include fairness--to staff in measurable terms that would be easily understood. Further, the objectives definitions were not clear and sufficient to support the design of internal control for related risks, the development of performance measures to determine whether objectives were achieved, and control assessments to assure case selections effectively support the collection program mission over time, including fairness. In August 2017, we shared this assessment with IRS and asked whether or when Collection plans to develop or provide additional documents.
    Recommendation: To help ensure the IRS collection program meets its mission and selects cases fairly, the Commissioner of Internal Revenue should build upon existing Enterprise Risk Management (ERM) guidance to help managers identify internal and external risks to collection program objectives, and better understand how long-standing risk processes integrate with new ERM approaches; incorporate this guidance into existing or future ERM or collection program risk assessment processes.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and said it would continue to build upon existing risk management guidance by finalizing and making available training for managers, which would assist them in understanding their responsibilities for identifying internal and external risks to Collection program objectives. In November 2016, IRS provided documentation of risk management training for managers. However, since objectives for the collection program, enterprise-wide case categorization and routing processes, and fairness were not yet clearly defined, such guidance cannot be effectively incorporated into risk assessment processes to identify internal and external risks to collection program objectives. In August 2017, we shared this assessment with IRS and asked whether or when Collection plans to develop or provide additional documents.
    Recommendation: To help ensure the IRS collection program meets its mission and selects cases fairly, the Commissioner of Internal Revenue should clearly establish, document, and implement case categorization and routing procedures--such as those for IDS, high priority case selection, and any other important processes--to support collection program objectives and IRS goals.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed with the recommendation and said it would review its case prioritization and selection processes and implement and communicate clear guidance and documentation to appropriate IRS staff. In November 2016, IRS provided documents on collection processes, but the information was either technical or covered Automated Collection System (ACS) or Field Collection processes rather than enterprise-wide processes to support collection program objectives and IRS goals. More specifically, the documents did not provide corrected guidance on the role of the Inventory Delivery System and modeling in shelving or routing cases to either ACS or the Field, or provide guidance on how management is to select priority area cases. In August 2017, we shared this assessment with IRS and asked whether or when Collection plans to develop or provide additional documents.
    Recommendation: To help ensure the IRS collection program meets its mission and selects cases fairly, the Commissioner of Internal Revenue should establish, document, and implement procedures for the periodic evaluation of the efficiency and effectiveness of collection-wide case categorization, routing rules, and case selection processes.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed that continually improving its performance is important and said that Collection would review and, if needed, update its internal management documents. In July 2017, IRS provided documents that identified and established responsibilities for periodic, regular review procedures to potentially update dollar thresholds used in routing collection inventory for potential selection, including IDS and its decision rules to route cases to one collections function instead of another (i.e., the Automated Collection System versus Field Collection). In August 2017, we asked IRS when it plans to conduct the first such evaluations and requested that it provide documentation of results of those implemented evaluations when available.
    Recommendation: To help ensure the IRS collection program meets its mission and selects cases fairly, the Commissioner of Internal Revenue should establish, document, and implement procedures for periodic updates of dollar thresholds for categorizing case selection, including those identified as "high risk."

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed that continually improving its performance is important and said that Collection would review and, if needed, update its internal management documents. In July 2017, IRS provided documents that identified and established responsibilities for periodic, regular review procedures to potentially update dollar thresholds used in systems that use a dollar threshold to prioritize Collection cases. In August 2017, we asked IRS when it plans to conduct the first such evaluations and requested that it provide documentation of results of those implemented evaluations when available.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To strengthen the Washington Metropolitan Area Transit Authority's (WMATA) risk assessment and monitoring components of internal control, WMATA's board of directors, working with the General Manager and Chief Executive Officer of WMATA, should direct the appropriate WMATA officials to develop and implement a policy and related procedures for assessing WMATA's financial management-related risks.

    Agency: Washington Metropolitan Area Transit Authority
    Status: Open

    Comments: In July and August 2016, WMATA officials described to GAO the steps they have taken to address this recommendation. However, WMATA did not provide sufficient supporting documentation for GAO to verify that the recommendation was implemented. GAO continues to work with WMATA to understand the steps it has taken to address this recommendation.
    Recommendation: To strengthen WMATA's risk assessment and monitoring components of internal control, WMATA's board of directors, working with the General Manager and Chief Executive Officer of WMATA, should direct the appropriate WMATA officials to develop and implement a policy and related written procedures for the Office of Internal Compliance to monitor the design and operating effectiveness of the five components of internal control related to financial management.

    Agency: Washington Metropolitan Area Transit Authority
    Status: Open

    Comments: In July and August 2016, WMATA officials described to GAO the steps they have taken to address this recommendation. However, WMATA did not provide sufficient supporting documentation for GAO to verify that the recommendation was implemented. GAO continues to work with WMATA to understand the steps it has taken to address this recommendation.
    Director: Debra A. Draper
    Phone: (202) 512-7114

    3 open recommendations
    Recommendation: To eliminate the fragmentation and duplication in the storage of unclassified OEHS data, the Secretary of Defense should determine which IT system--DOEHRS or MESL--should be used to store specific types of unclassified OEHS data, clarify the department's policy accordingly, and require all other departmental and military-service-specific policies to be likewise amended and implemented to ensure consistency.

    Agency: Department of Defense
    Status: Open

    Comments: In November 2016, officials told us that draft versions of the revised DoDI 6490.03, Deployment Health, and the new Defense Health Agency Procedural Instruction (DHA PI) 6490.03, Deployment Health, are still under review with DOD components. These revised and updated documents will address the recommendation on OEHS data storage. Additionally, DoDI 6055.05, Occupational and Environmental Health (OEH), and Military Service and Combatant Command policy and guidance documents are still being revised to be consistent with DoDI 6490.03 and DHA PI 6490.03 after they are published. These revisions will ensure the consistency among policies. As of November 2016, the entire process is expected to be complete within 10 to 14 months.
    Recommendation: To ensure the reliability of OEHS data, the Secretary of Defense should establish clear policies and procedures for performing quality assurance reviews of the OEHS data collected during deployment, to include verifying the completeness and the reasonableness of these data, and require that all other related military-service-specific policies be amended and implemented to ensure consistency.

    Agency: Department of Defense
    Status: Open

    Comments: In August 2016, officials told us that draft versions of the revised DoDI 6490.03, Deployment Health, and the new Defense Health Agency Procedural Instruction (DHA PI) 6490.03, Deployment Health, are in review among the DOD Components. Further, DoDI 6055.05, Occupational and Environmental Health (OEH) and Military Service and Combatant Command policy and guidance documents will be revised to be consistent with DoDI 6490.03 and DHA PI 6490.03 after they are published. In addition, DOD is exploring improvement to the data quality assurance functionality within the Defense Occupational and Environmental Health Readiness System Industrial Hygiene (DOEHRS-IH). A new DOEHRS-IH version (2.0.18.1) was released on August 19, 2016 that contained several system enhancements and defect corrections to improve overall data quality in the system. DOD anticipates additional releases in FY 2017 that will further improve DOEHRS-IH data quality. The revised policies and the new DOEHRS-IH functionality will appropriately address the recommendation on quality assurance of OEHS data.
    Recommendation: To ensure that potential occupational and environmental health risks are mitigated for servicemembers deployed to Iraq and Afghanistan, the Secretary of Defense should require CENTCOM to revise its policy to ensure that base commanders' decisions on whether to implement risk mitigation recommendations identified in OEHSAs are adequately documented and consistently monitored by the appropriate command.

    Agency: Department of Defense
    Status: Open

    Comments: In August 2016, officials told us that the current DoDI 6055.01, DoD Safety and Occupational Health Program, requires DoD components to establish procedures that document, archive, and reevaluate risk management decisions on a recurring basis. Draft versions of the revised DoDI 6490.03, Deployment Health, and the new Defense Health Agency Procedural Instruction (DHA PI) 6490.03, Deployment Health, include language that is consistent with DoDI 6055.01. Additionally, U.S. Central Command Regulation 40-2 (CCR 40-2), which was updated as of March 8, 2016, references the requirement to establish procedures to assure risk management decisions are documented, archived, and reevaluated on a recurring basis. The DOD is also exploring a risk management decision and monitoring functionality in DOEHRS-IH. It has identified and approved the necessary system change requests required to improve risk management decisions and monitoring functionality. These functionalities are primarily focused around the Occupational & Environmental Health Site Assessment (OEHSA) and associated exposure pathways, sampling plans, and assessments. Subject to the availability of FY 2017 funding, DOD will implement the system change requests, and achieve the required enhancements to DOEHRS-IH. These policies once published and the new DOEHRS-IH functionality will appropriately address the recommendation on documenting and monitoring risk management decisions.
    Director: A. Nicole Clowers
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To improve SEC's FINRA oversight program, the SEC Chair should direct the appropriate offices and divisions to incorporate additional risk-management practices by taking several actions, including: (1) establishing specific performance goals for the program and performance measures and related targets to assess Market Oversight's progress in meeting those goals; (2) formalizing documentation of procedures, including procedures for making changes to the annual planned oversight activities and decision-making rationales; and (3) modifying existing risk-assessment procedures to require an assessment of internal risks to successfully meeting the FINRA oversight program's goals and objectives.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: On August 26, 2016, SEC staff said that they had put together proposals to address the recommendation shortly after the report was issued and were awaiting management approval. However, in the meantime, SEC reorganized its examination staff and created a dedicated FINRA oversight group. The reorganization was expected to be complete by October 2016. SEC staff planned to incorporate, for management's approval, the elements in the proposals into the new policies and procedures for the FINRA oversight group. Subsequently, on February 13, 2017, SEC staff said that SEC now has new management in place that are learning about the risk management framework, and are assessing how best to incorporate GAO's recommendations into the framework.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Secretary of the Department of Homeland Security should direct FPS to develop and implement a strategy for using covert-testing data and data on prohibited items to improve FPS's security-screening efforts. The strategy should, at a minimum, aim to ensure that: (1) covert-testing data are used to systematically monitor, review, and improve performance nationwide; (2) covert-testing data are used to determine which testing scenarios will be implemented or reinstated; and (3) data on prohibited items are analyzed to determine the reasons for wide variations in the number of reported prohibited-items detected across buildings and to assist with managing the screening process and informing policy.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, implementation of this recommendation was in process, according to the Federal Protective Service (FPS). FPS provided no additional information, but plans to update GAO in the coming weeks on the status of this and other open recommendations.
    Director: Brenda S. Farrell
    Phone: (202) 512-3604

    6 open recommendations
    Recommendation: To improve DOD's ability to prevent sexual assaults of male servicemembers, to increase its responsiveness to male servicemembers who are sexually assaulted, and to help DOD's sexual assault prevention and response program realize the full benefit of the data it collects on sexual assault incidents, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military services, to develop a plan for data-driven decision making to prioritize program efforts.

    Agency: Department of Defense
    Status: Open

    Comments: DOD was contacted on July 26, 2016 for an update on efforts to address this recommendation and responded that they are working on the report required by the NDAA on male victims of sexual assault and they believe that the report will, at a minimum, take some steps to address this recommendation. DOD also noted that the report required by the NDAA is due in the first quarter of FY 17 and that they will provide us with a copy once it has been approved. We will provide updated information when we confirm any actions the agency has taken in response to this recommendation.
    Recommendation: To improve DOD's ability to prevent sexual assaults of male servicemembers, to increase its responsiveness to male servicemembers who are sexually assaulted, and to address challenges faced by male servicemembers as DOD continues to seek to transform its culture to address sexual assault, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military services, to develop clear goals with associated metrics to drive the changes needed to address sexual assaults of males and articulate these goals, for example in the department's next sexual assault prevention strategy.

    Agency: Department of Defense
    Status: Open

    Comments: DOD was contacted on July 26, 2016 for an update on efforts to address this recommendation and responded that they are working on the report required by the NDAA on male victims of sexual assault and they believe that the report will, at a minimum, take some steps to address this recommendation. DOD also noted that the report required by the NDAA is due in the first quarter of FY 17 and that they will provide us with a copy once it has been approved. We will provide updated information when we confirm any actions the agency has taken in response to this recommendation.
    Recommendation: To improve DOD's ability to prevent sexual assaults of male servicemembers, to increase its responsiveness to male servicemembers who are sexually assaulted, and to address challenges faced by male servicemembers as DOD continues to seek to transform its culture to address sexual assault, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military services, to include information about the sexual victimization of males in communications to servicemembers that are used to raise awareness of sexual assault and the department's efforts to prevent and respond to it.

    Agency: Department of Defense
    Status: Open

    Comments: DOD was contacted on July 26, 2016 for an update on efforts to address this recommendation and responded that they are working on the report required by the NDAA on male victims of sexual assault and they believe that the report will, at a minimum, take some steps to address this recommendation. DOD also noted that the report required by the NDAA is due in the first quarter of FY 17 and that they will provide us with a copy once it has been approved. We will provide updated information when we confirm any actions the agency has taken in response to this recommendation.
    Recommendation: To improve DOD's ability to prevent sexual assaults of male servicemembers, to increase its responsiveness to male servicemembers who are sexually assaulted, and to address challenges faced by male servicemembers as DOD continues to seek to transform its culture to address sexual assault, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military services, to revise sexual assault prevention and response training to more comprehensively and directly address the incidence of male servicemembers being sexually assaulted and how certain behavior and activities--like hazing--can constitute a sexual assault.

    Agency: Department of Defense
    Status: Open

    Comments: DOD was contacted on July 26, 2016 for an update on efforts to address this recommendation and responded that they are working on the report required by the NDAA on male victims of sexual assault and they believe that the report will, at a minimum, take some steps to address this recommendation. DOD also noted that the report required by the NDAA is due in the first quarter of FY 17 and that they will provide us with a copy once it has been approved. We will provide updated information when we confirm any actions the agency has taken in response to this recommendation.
    Recommendation: To improve DOD's ability to prevent sexual assaults of male servicemembers, to increase its responsiveness to male servicemembers who are sexually assaulted, and to help ensure that all of DOD's medical and mental health providers are generally aware of any gender-specific needs of sexual assault victims, and that victims are provided the care that most effectively meets those needs, the Assistant Secretary of Defense for Health Affairs should, in collaboration with the services' Surgeons General, systematically evaluate the extent to which differences exist in the medical and mental health-care needs of male and female sexual assault victims, and the care regimen, if any, that will best meet those needs.

    Agency: Department of Defense: Office of the Assistant Secretary of Defense (Health Affairs)
    Status: Open

    Comments: DOD was contacted on July 26, 2016 for an update on efforts to address this recommendation and responded that they are working on the report required by the NDAA on male victims of sexual assault and they believe that the report will, at a minimum, take some steps to address this recommendation. DOD also noted that the report required by the NDAA is due in the first quarter of FY 17 and that they will provide us with a copy once it has been approved. We will provide updated information when we confirm any actions the agency has taken in response to this recommendation.
    Recommendation: To improve DOD's ability to prevent sexual assaults of male servicemembers, to increase its responsiveness to male servicemembers who are sexually assaulted, and to help ensure that all of DOD's medical and mental health providers are generally aware of any gender-specific needs of sexual assault victims, and that victims are provided the care that most effectively meets those needs, the Assistant Secretary of Defense for Health Affairs should, in collaboration with the services' Surgeons General, develop and issue guidance for the department's medical and mental health providers--and other personnel, as appropriate--based on the results of this evaluation that delineates these gender-specific distinctions and the care regimen that is recommended to most effectively meet those needs.

    Agency: Department of Defense: Office of the Assistant Secretary of Defense (Health Affairs)
    Status: Open

    Comments: DOD was contacted on July 26, 2016 for an update on efforts to address this recommendation and responded that they are working on the report required by the NDAA on male victims of sexual assault and they believe that the report will, at a minimum, take some steps to address this recommendation. DOD also noted that the report required by the NDAA is due in the first quarter of FY 17 and that they will provide us with a copy once it has been approved. We will provide updated information when we confirm any actions the agency has taken in response to this recommendation.
    Director: Anne-Marie Fennell
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To reduce the cost of the crop insurance program and achieve budgetary savings for deficit reduction or other purposes, Congress should consider reducing premium subsidies for the highest income participants.

    Agency: Congress
    Status: Open

    Comments: As of July 2017, we await Congressional action.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: In order to help ensure consistent, effective oversight of DHS's acquisition programs, and to make the CASR more useful, starting with the report reflecting fiscal year 2015 program data, the Secretary of DHS should adjust the CASR to do the following: (1) report an individual rating for each program's cost, schedule, and technical risks; (2) report a best estimate of procurement quantities or indicate why this is not applicable, as appropriate; (3) report all programs' significant changes in acquisition cost, quantity, or schedule from the previous CASR report by determining a means to account for programs that lack acquisition program baselines; (4) report major program events that are included in acquisition program baselines, such as scheduled acquisition decision events; and (5) report the level at which the program's life-cycle cost estimate was approved.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation, and took some actions to address it. The Office of Program Accountability and Risk Management (PARM) updated its template for the Comprehensive Acquisition Status Report (CASR) to reflect the following changes: individual ratings for each program's cost, schedule, and technical risks; significant changes in programs' acquisition cost, quantity, or schedule; and major events included in the acquisition program baselines. In addition, PARM intended to revise the reporting information for the level at which a program's life-cycle cost estimate was approved and its estimate of procurement quantities. However, the 2017 Consolidated Appropriations Act discontinued the requirement to submit the CASR with future budget requests and DHS did not submit one for 2017. Recently introduced legislation would reestablish the CASR requirement and we will revisit this recommendation pending the outcome of that legislation.
    Director: Johana Ayers
    Phone: (202) 512-5741

    2 open recommendations
    Recommendation: To help manage the risks from changes in conference participation and any potential effects on the defense S&T enterprise, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering, in consultation with the Office of the DCMO, to develop a plan to analyze and periodically reevaluate the risks from changes in participation at S&T conferences for any potential effects on DOD's ability to meet its scientific mission, including identifying and collecting additional information needed to conduct this analysis.

    Agency: Department of Defense
    Status: Open

    Comments: In September 2015, DOD updated its conference approval guidelines. According to DOD, these guidelines were designed to facilitate conference participation and attendance by DOD employees. The updated guidelines now treat conference attendance as Temporary Duty/Temporary Assigned Duty, and delegate approval authority to the lowest level possible. However, DOD has not yet implemented a requirement to develop a plan and periodically reevaluate the risks from changes in participation at S&T conferences as of June 2016 because officials in the Office of the Deputy Chief Management Officer believe this recommendation in GAO-15-278 is no longer applicable as a result of its updated conference approval guidelines. We disagree and believe this recommendation continues to have merit in order for DOD to better understand and manage the risks to achieving its S&T mission from any future changes in conference participation, and to determine if any future actions to adjust its conference approval guidelines are warranted.
    Recommendation: To help manage the risks from changes in conference participation and any potential effects on the defense S&T enterprise, the Secretary of Energy should direct the Administrator of NNSA and the relevant national lab directors, in consultation with DOE's Office of Management, to develop a plan to analyze and periodically reevaluate the risks from changes in participation at S&T conferences for any potential effects on NNSA's ability to meet its scientific mission, including identifying and collecting additional information needed to conduct this analysis.

    Agency: Department of Energy
    Status: Open

    Comments: In August 2015, DOE updated its conference management policies and procedures to, among other things, expedite the conference attendance approval process by establishing timeframes for review and approval. According to DOE, as of September 2016, streamlining the conference approval process eliminates the need to periodically evaluate risks from changes in participation at S&T conferences. We disagree and believe this recommendation continues to have merit in order for DOE to better understand and manage the risks to achieving its S&T mission from any future changes in conference participation, and to determine if any future actions to adjust its conference approval guidelines are warranted.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to require MAIS programs to establish their first acquisition program baseline within 2 years of beginning work on the programs.

    Agency: Department of Defense
    Status: Open

    Comments: The Department developed a draft process document that states that business system (e.g. financial management, logistics management) programs should start development on at least one release within 24 months after programs have identified the needed capabilities and received approval to conduct further analysis into the potential delivery of the capabilities. We will follow up with the Department for the final process document and guidance, when available.
    Recommendation: The Secretary of Defense should direct the Secretary of the Army to direct the Army (Financial Management and Comptroller) to complete a plan for conducting auditability testing of LMP Increment 2 functionality to ensure that such testing occurs prior to the LMP program management office deploying future functionality.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, in response to our recommendation, the department developed a plan to conduct system testing on LMP Increment 2 in accordance with the Federal Information System Controls Audit Manual. The officials stated that the department's plan was to conduct this testing both prior to and after the deployment of new functionality to users. We have requested additional information and documentation from DOD regarding these LMP Increment 2 test plans in order to determine whether the testing associated with auditability of the system was to be conducted before deployment to users.
    Director: Vijay A. D'Souza
    Phone: (202) 512-7114

    1 open recommendation
    Recommendation: In order to ensure that efforts to address prenatal opioid use and NAS are systematically and effectively planned and coordinated across the federal government, the Director of ONDCP should document the process, including discussions held and information considered, of developing action items on prenatal opioid use and NAS. This may include documenting gaps that were considered in developing action items.

    Agency: Executive Office of the President: Office of National Drug Control Policy
    Status: Open

    Comments: In May 2017 and July 2017, ONDCP officials described the process used to develop the action items related to prenatal opioid use and NAS for the 2015 National Drug Control Strategy report. Specifically, officials described working directly with federal agencies to identify proposals for action items and review proposals during an interagency working group meeting in March 2015. However, ONDCP officials could not provide us any formal documentation, such as meeting minutes, showing the process used or what gaps were considered in developing the action items. ONDCP officials also told us the action items related to prenatal opioid use and NAS for the 2015 Strategy have been generally completed. No action items related to prenatal opioid use and NAS were included in the 2016 Strategy and ONDCP officials said they did not know whether any related action items will be included for the 2017 Strategy. We will update the status of this recommendation after future Strategy reports are published.
    Director: Morris, Steve D
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To better inform Congress in the future about crop insurance program costs, reduce present costs, and ensure greater actuarial soundness, the Administrator of the U.S. Department of Agriculture's Risk Management Agency should monitor and report on crop insurance costs in areas that have higher crop production risks.

    Agency: Department of Agriculture: Risk Management Agency
    Status: Open

    Comments: As of December 2016, the Department of Agriculture has not taken action to implement this recommendation.
    Recommendation: To better inform Congress in the future about crop insurance program costs, reduce present costs, and ensure greater actuarial soundness, the Administrator of the U.S. Department of Agriculture's Risk Management Agency should, as appropriate, increase its adjustments of premium rates in areas with higher crop production risks by as much as the full 20 percent annually that is allowed by law.

    Agency: Department of Agriculture: Risk Management Agency
    Status: Open

    Comments: As of December 2016, the Department of Agriculture has not taken action to implement this recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    12 open recommendations
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. However, as of July 2017, FAA has provided partial documentation, but has not yet provided GAO with sufficient evidence to validate FAA's actions to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS testing policy and has provided evidence indicating that it has made progress toward ensuring that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively. Subsequent to FAA providing additional evidence showing that its corrective actions have been fully implemented, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS Remediation Management Plan to include new risk management processes for identified security weaknesses. However, it has not yet provided GAO sufficient evidence necessary to show that the agency has taken steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to provide NCO with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to integrate network traffic flow data into NCO's ad-hoc query systems. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with access to network sensors on key network gateways for reviewing intrusion detection, network traffic, and network session data.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of July 2017, FAA had developed a coordinated procedure with the FTI Security Operations Center to provide packet capture information from network sensors based on identified incidents. However, it has not provided GAO with sufficient documentation to demonstrate that the procedure has been implemented. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA provided evidence that it has taken steps to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented. However, it has not yet provided sufficient evidence that it has fully implemented its corrective actions. Subsequent to FAA providing sufficient evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it plans to implement the recommendation by September 2017. As of July 2017, FAA has not yet provided sufficient evidence that it has taken sufficient action to ensure that contingency plans for NAS systems are sufficiently documented and that tests of the plans address key plan elements. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of August 2017, FAA has provided GAO with its planned actions to provide NCO with security event log data for all IP-connected NAS systems, which indicate that the agency still plans to complete its actions by December 2018. We plan to validate these actions subsequent to FAA informing us that it has completed them.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to finalize the incident response policy for the Air Traffic Organization and ensure that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported in accordance with FAA guidance.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has finalized the incident response policy for the Air Traffic Organization and updated one system-level incident response policy to specify incident reporting timeframes and the need for all incidents to be reported. However, it has not yet provided sufficient evidence showing that all system-level incident response policies specify reporting timeframes and the need for all incidents to be reported. Subsequent to FAA providing evidence that it has updated the remaining system-level incident response policies, we plan to validate FAA's actions.
    Director: Charles Jeszeck
    Phone: (202) 512-7215

    5 open recommendations
    Recommendation: To ensure that federal regulators have better information about lump sum windows and to better ensure that participants have ready access to key information they need to make a decision when presented with a lump sum offer, the Department of Labor should require plan sponsors to notify DOL at the time they implement a lump sum window offer, including the number and category of participants being extended the offer (e.g., separated vested; retiree) as well as examples of the materials provided to them.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor (DOL) agreed that this type of information may be helpful in determining the extent to which lump sum window offers are made, as well as the types of disclosures the participants receive. However, DOL reported that it has not identified authority under ERISA for it to impose such a requirement on plan sponsors either before or shortly after the plan offers the lump sum window. The agency states that ERISA expressly provides specific reporting and disclosure requirements. These include various filings, such as annual financial reports, reports upon plan termination, and reports upon making certain transfers of pension plan assets to health benefit accounts. The agency believes ERISA does not require plans to notify them regarding the benefit distribution options they offer or changes in those options, and does not read the broad rulemaking authority in ERISA in Section 505 (general regulations) and Section 110 (pension reporting and disclosure) as authorizing EBSA to establish the notice filing requirement GAO recommended. The agency also commented that ERISA expressly requires that most pension plans file a Form 5500 annual report with the statute specifying the required contents of this annual report in some detail and requiring "such other financial and actuarial information as the Secretary may find necessary or appropriate." Although the agency noted it could, by regulation, require reporting on lump sum window offers on the Form 5500, there would be a substantial time lag because ERISA by statute establishes the reporting cycle for the Form 5500 -- the report is not due until 210 days (7 months) after the plan year closes (e.g., for calendar year plans, July 31st of the following year). The agency recognizes that this might not be responsive to the recommendation, which appears to envision a notification system that is relatively contemporaneous with the lump sum window being offered to participants and beneficiaries.
    Recommendation: To ensure that federal regulators have better information about lump sum windows and to better ensure that participants have ready access to key information they need to make a decision when presented with a lump sum offer, the Department of Labor should coordinate with the Internal Revenue Service and the Pension Benefit Guaranty Corporation (PBGC) to clarify the guidance regarding the information sponsors should provide to participants when extending lump sum window offers and place the guidance on the agency's website. Guidance should include clear and understandable presentations of information, such as the relative value of the lump sum, the role and level of protections provided by PBGC, and the positive and negative ramifications of accepting the lump sum. Such guidance could also include promising practices for information materials from plan sponsors which are particularly effective in facilitating informed participant decision-making.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor agreed with this recommendation, noting it is important to coordinate with the Treasury Department/IRS and PBGC to clarify the guidance regarding the information sponsors and other plan fiduciaries should provide to participants and beneficiaries when extending lump sum window offers. In 2016, the agency noted that the manner of publishing that guidance would be part of that coordination process. They may consider some formal public request for input (such as publishing a Request for Information in the Federal Register) and focus group or other field testing work. In addition, the agency noted that the 2015 ERISA Advisory Council announced that one of its projects this year concerns how to give participants effective notices and disclosures concerning lump sum window offers, including possible development of model participant notices. The 2015 Council developed recommendations and model notices on lump sum window offers in "pension risk transfer transactions," and suggested that DOL make the Model Notices available on its web site to plan sponsors and participant advocates and that plan sponsors use the Model Notices when engaging in risk transfer transactions. Similar to other model communications developed by the 2015 Council, the agency believes the model notice could be further enhanced if subjected to broader public input from, for example, plan sponsors, participant advocates, communications experts, and academics. Subject to the limits on its authority in this area and resource constraints, they are considering efforts to obtain public input on the Council's recommendations and model notice. They also intend to contact the Treasury Department/IRS and PBGC to discuss the Council's recommendations.
    Recommendation: To provide participants with useful information and to provide for lump sums that are based on up-to-date assumptions, Treasury should review its regulations governing the information contained in relative value statements to ensure these statements provide a meaningful comparison of all benefit options, especially in instances where the loss of certain additional plan benefits may not be disclosed.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury generally agreed with this recommendation but did not provide specific comments on plans to address it.
    Recommendation: To provide participants with useful information and to provide for lump sums that are based on up-to-date assumptions, Treasury should review the applicability and appropriateness of allowing sponsors to select a "lookback" interest rate for use in calculating lump sums associated with a lump sum window that can serve to advantage the interests of the sponsor.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury generally agreed with this recommendation but did not provide specific comments on plans to address it.
    Recommendation: To provide participants with useful information and to provide for lump sums that are based on up-to-date assumptions, Treasury should establish a process and a timeline for periodically updating the mortality tables used to determine minimum required lump sums -- including a means for monitoring when experts' views may indicate that mortality tables may have become outdated, and for taking expedited action if warranted.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury generally agreed with this recommendation but did not provide specific comments on plans to address it.
    Director: Maurer, Diana C
    Phone: (202) 512-8777

    8 open recommendations
    including 8 priority recommendations
    Recommendation: To better ensure that FBI whistleblowers have access to recourse under DOJ's regulations should the individuals experience retaliation, and to minimize the possibility of discouraging future potential whistleblowers, the Attorney General should clarify in all current relevant DOJ guidance and communications, including FBI guidance and communications, to whom FBI employees may make protected disclosures and, further, explicitly state that employees will not have access to recourse if they experience retaliation for reporting alleged wrongdoing to someone not designated in DOJ's regulations.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To ensure that complainants receive the periodic updates that they are entitled to and need to determine next steps for their complaint, such as whether or not to seek corrective action from OARM, Counsel, DOJ-OPR should tailor its new case management system or otherwise develop an oversight mechanism to capture information on the office's compliance with regulatory requirements and, further, use that information to monitor and identify opportunities to improve DOJ-OPR's compliance with regulatory requirements.

    Agency: Department of Justice: Office of Professional Responsibility
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To better ensure that DOJ is fulfilling its commitment to improving efficiency in handling these complaints, Office of Attorney Recruitment and Management (OARM) and Office of the Deputy Attorney General (ODAG) should provide parties with an estimated time frame for returning each decision, including whether the complaint meets threshold regulatory requirements, merits, and appeals. If the time frame shifts, OARM and ODAG should timely communicate a revised estimate to the parties.

    Agency: Department of Justice: Office of the Deputy Attorney General
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To better ensure that DOJ is fulfilling its commitment to improving efficiency in handling these complaints, Office of Attorney Recruitment and Management (OARM) and Office of the Deputy Attorney General (ODAG) should provide parties with an estimated time frame for returning each decision, including whether the complaint meets threshold regulatory requirements, merits, and appeals. If the time frame shifts, OARM and ODAG should timely communicate a revised estimate to the parties.

    Agency: Department of Justice: Justice Management Division: Human Resources and Administration: Office of Attorney Recruitment and Management
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To better ensure that DOJ is fulfilling its commitment to improving efficiency in handling these complaints, DOJ Office of Professional Responsibility (DOJ-OPR), Office of the Inspector General, OARM, and ODAG should jointly assess the impact of ongoing and planned efforts to reduce the duration of FBI whistleblower retaliation complaints throughout the entire investigation, adjudication, and appeal process to ensure that these changes are in fact shortening total complaint length, without sacrificing quality.

    Agency: Department of Justice: Office of the Deputy Attorney General
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To better ensure that DOJ is fulfilling its commitment to improving efficiency in handling these complaints, DOJ Office of Professional Responsibility (DOJ-OPR), Office of the Inspector General, OARM, and ODAG should jointly assess the impact of ongoing and planned efforts to reduce the duration of FBI whistleblower retaliation complaints throughout the entire investigation, adjudication, and appeal process to ensure that these changes are in fact shortening total complaint length, without sacrificing quality.

    Agency: Department of Justice: Justice Management Division: Human Resources and Administration: Office of Attorney Recruitment and Management
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To better ensure that DOJ is fulfilling its commitment to improving efficiency in handling these complaints, DOJ Office of Professional Responsibility (DOJ-OPR), Office of the Inspector General, OARM, and ODAG should jointly assess the impact of ongoing and planned efforts to reduce the duration of FBI whistleblower retaliation complaints throughout the entire investigation, adjudication, and appeal process to ensure that these changes are in fact shortening total complaint length, without sacrificing quality.

    Agency: Department of Justice: Office of Professional Responsibility
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, the Department of Justice (DOJ) has not responded to GAO requests for information on any efforts DOJ has taken to address this recommendation.
    Recommendation: To better ensure that DOJ is fulfilling its commitment to improving efficiency in handling these complaints, DOJ Office of Professional Responsibility (DOJ-OPR), Office of the Inspector General, OARM, and ODAG should jointly assess the impact of ongoing and planned efforts to reduce the duration of FBI whistleblower retaliation complaints throughout the entire investigation, adjudication, and appeal process to ensure that these changes are in fact shortening total complaint length, without sacrificing quality.

    Agency: Department of Justice: Office of Inspector General
    Status: Open
    Priority recommendation

    Comments: As of March 1, 2017, GAO has not received information from the Department of Justice about any steps taken to address this recommendation.
    Director: David C. Trimble
    Phone: (202) 512-3841

    5 open recommendations
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and direct field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal year 2015 and 2016 improper payments guidance. The revised guidance directs field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites. The guidance further requires each site Chief Financial Officer to certify to the accuracy of improper payments and risk rating. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify how payment sites are to address risk factors and document the basis for their risk rating determinations and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal years 2015 and 2016 improper payments guidance requiring sites to prepare risk assessments using a new risk assessment format. The guidance states that the new format was developed to improve consistency among the sites and improve documentation supporting the risk ratings. In the new format, each risk factor includes a description of the risk factor, rating criteria and/or questions to consider during the evaluation to assist sites in determining a risk rating by payment type. The guidance also requires all sites to maintain supporting documentation for their risk assessment. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify who is responsible at DOE for reviewing and approving risk assessments for consistency across sites and take steps to ensure those entities implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal years 2015 and 2016 improper payments guidance to require site Chief Financial Officers and the Director of Risk Management of the Loan Programs Office to provide a signed certification to DOE's Director of the Office of Finance and Accounting certifying to the accuracy of improper payments and the risk assessment and rating submitted. The guidance provides templates for these certifications. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and provide specific examples of other risk factors that present inherent risks likely to contribute to significant improper payments, in addition to the eight risk factors, direct payment sites to consider those when performing their improper payment risk assessments, and take steps to ensure sites implement it.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had revised its fiscal year 2015 and 2016 improper payments guidance. In addition to the required OMB risk factors, the guidance added the following additional risk factors to be included in the risk assessments: (1) contractor payment processing oversight and (2) segregation of duties. The guidance states these factors have been added to ensure that inherently high-risk areas that can contribute to a site's susceptibility to significant improper payments are properly evaluated. We will continue to monitor DOE's efforts to ensure sites implement this new guidance.
    Recommendation: To provide better transparency regarding its total known improper payments reported under IPERA, the Secretary of Energy should direct the department's Chief Financial Officer to improve public reporting on the amount of total known improper payments by disclosing additional information regarding this amount and the extent to which improper payments could be occurring.

    Agency: Department of Energy
    Status: Open

    Comments: As of May 2017, DOE had added supplemental information to its fiscal year 2016 Agency Financial Report. We will continue to gather additional information from DOE to determine the extent to which this information addresses the amount of total known improper payments.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    including 1 priority recommendation
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the Department has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the General Services Administration should assess the building and access control systems that it owns in FPS-protected facilities in a manner that is fully consistent with FISMA and its implementation guidelines.

    Agency: General Services Administration
    Status: Open
    Priority recommendation

    Comments: As of October 2016, GSA recently provided documentation about its assessments of the control systems that the agency owns in FPS-protected facilities. We are reviewing this information to determine whether GSA has implemented the recommendation.
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    2 open recommendations
    Recommendation: To help FEMA prevent improper payments, the Administrator of FEMA should assess the cost and feasibility of addressing limitations in FEMA's control for identifying duplicate information in applications in high-risk data fields--such as SSN, bank-account information, address, and phone number--that may currently allow individuals or households to improperly receive multiple payments, and if determined to be cost-beneficial take steps to address the system design limitation.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: In April 2017, FEMA reported that the agency had reviewed its software system's controls for identifying duplicate SSNs, bank account, address, and phone information. FEMA reported that it would be cost effective and feasible to improve its software system's controls for identifying duplicate address information, and the agency expects to deploy these system changes in the summer of 2017. FEMA also reported that, based on its review of the cases GAO referred to FEMA, errors in SSN and bank account information were related to human casework processing rather than software system limitations. Consequently, FEMA reported that it was reviewing and updating its casework training, guidance, and quality control documentation. We will continue to monitor FEMA's efforts to implement this recommendation.
    Recommendation: To help FEMA prevent improper payments, the Administrator of FEMA should collaborate with SSA to assess the cost and feasibility of checking recipient SSNs against the Enumeration Verification System and the full death file to more accurately identify recipients who used Social Security numbers (SSNs) that were ineligible or belonged to likely deceased individuals, document the results of this assessment, and if determined to be cost-beneficial take steps to implement a partnership to use SSA data.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: In April 2017, FEMA reported that the agency completed a cost estimate for system changes needed to include a direct data exchange with SSA. FEMA further reported that the agency was continuing to explore alternative means of conducting a direct data exchange that would help FEMA verify if an SSN belongs to a deceased person. We will continue to monitor FEMA's progress in implementing this recommendation.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    1 open recommendation
    Recommendation: To ensure that TSA's planned testing yields reliable results, the TSA Administrator should take steps to ensure that TSA's planned effectiveness testing of the Managed Inclusion process adheres to established evaluation design practices.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: TSA continues to make progress on implementing this recommendation. In March 2017, TSA reported that an evaluation of the security effectiveness of the managed inclusion process is to be completed over the next few weeks. Once documentation for the evaluation is available, TSA will provide it for review and analysis.
    Director: David C. Trimble
    Phone: (202) 512-3841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To minimize the risk of developing unreliable AOAs and incurring major cost increases and schedule delays on projects, the Secretary of Energy should direct DOE's Office of Acquisition and Project Management to update its project management order requirements to incorporate best practices for conducting an AOA.

    Agency: Department of Energy
    Status: Open
    Priority recommendation

    Comments: In May 2016, DOE updated its project management order (Order 413.3B) to require that AOAs for capital asset acquisition projects be consistent with published GAO best practices. DOE also planned to issue an AOA guide that will be critical to ensuring implementation of the new AOA requirement by providing DOE procedures for conducting reliable AOAs. According to a DOE official, development of the guide was on hold indefinitely along with all other actions to publish new, or update existing departmental directives in response to the two Presidential Executive Orders issued in January and February 2017 that directed federal agencies to, among other things, reduce and reform agency regulations. In the interim, DOE issued an AOA handbook in April 2017 but will not have fully addressed the recommendation until it completes the guide.
    Director: Gomez, Jose A
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To promote forward-looking construction and rebuilding efforts while FEMA phases out most subsidies, the Secretary of the Department of Homeland Security should direct FEMA to consider amending NFIP minimum standards for floodplain management to incorporate, as appropriate, forward-looking standards, similar to the minimum standard adopted by the Hurricane Sandy Rebuilding Task Force.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In March 2017, the Department of Homeland Security reaffirmed that they agreed with the recommendation, and would begin implementing it after implementing the statutory mandates in the Biggert-Waters Flood Insurance Reform Act of 2012. The Department estimated that it would begin implementing our recommendation in 2018 and complete its implementation by 2020.
    Recommendation: To promote greater resilience to climate change effects in U.S. agriculture, the Secretary of Agriculture should direct RMA to consider working with agricultural experts to recommend or incorporate resilient agricultural practices into their expert guidance for growers, so that good farming practices take into account long-term agricultural resilience to climate change.

    Agency: Department of Agriculture
    Status: Open

    Comments: In May 2016, USDA issued Building Blocks for Climate Smart Agriculture and Forestry: Implementation Plan and Progress Report as USDA's framework for helping farmers, ranchers, and forestland owners respond to climate change, through voluntary and incentive-based actions. The report establishes long-term goals for improving agricultural resilience to climate change, which could reduce federal fiscal exposure for federally-insured crops. However, USDA has framed its resilience-building actions for producers as voluntary, rather than incorporating them into the good farming practices required to be eligible for insurance payouts. As a result, it is unclear to what extent federal crop insurance policyholders will use the information provided to improve their resilience.
    Director: Charles Michael Johnson, Jr.
    Phone: (202) 512-7331

    1 open recommendation
    Recommendation: For elements identified in the Countering Iran in the Western Hemisphere Act of 2012 that were not fully addressed in the strategy, the Secretary of State should provide the relevant congressional committees with information that would fully address these elements. In the absence of such information, State should explain to the congressional committees why it was not included in the strategy.

    Agency: Department of State
    Status: Open

    Comments: In a letter dated December 23, 2014, the Department of State (State) noted that the elements identified in the GAO report as not being adequately addressed by State were matters where the consensus of the intelligence community was that there was not an identifiable threat to counter. GAO's report assessed that State did not address four specific elements identified in the Countering Iran in the Western Hemisphere Act of 2012. State's December 2014 letter provided explanations for these four elements, including the availability of information on existing agency websites, briefings provided to Congress, and State's lack of finding that foreign governments showed clear threats. We continue to maintain that the strategy did not include all of the elements that the law stated should be included, and State did not demonstrate that it provided relevant congressional committees with information that would fully address these elements. In December 2015, State noted that it remains in close contact with the relevant congressional committees across a range of security, economic and political issues with regard to the Western Hemisphere on a regular and continuing basis. State further noted that it provided an oral briefing along with its original submission of the report to Congress and answered questions posed by Congress. State officials said that they stand ready to provide further information in the appropriate setting should it be requested. However, State did not provide GAO with information about whether it had provided information to Congress specifically for the elements identified in the Countering Iran in the Western Hemisphere Act of 2012 that were not fully addressed in the strategy, nor provide additional information about whether State explained to the congressional committees why any absence of such information was not included in the strategy.
    Furthermore, GAO learned from the House Foreign Affairs Committee staff that State and the Office of the Director for National Intelligence provided a briefing to the committee regarding Iranian activities in Latin America on February 25, 2016. As of August 2016, GAO did not receive any documents related to the briefings because, according to State, the talking points document was considered deliberative and therefore could not be shared. According to State officials, they continue to monitor the issue and brief Congress as appropriate. As of June 2017, State noted that its position regarding this recommendation and the deliberative nature of the talking points document remains unchanged.
    Director: Stephen Caldwell
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has taken action in response to GAO's September 2014 recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments, but has not fully implemented the recommendation. DHS first reported to GAO in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group comprised of a variety of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IP Gateway portal--IP's system that houses infrastructure data and identifies facilities that have been assessed by IP. In a July 2016 update, DHS reported that IP had reached agreement with DHS components to expand access to its IP Gateway portal to those partners as a means to share IP's vulnerability assessment information and help coordinate assessment visits and related activities. DHS also noted in its update that IP had begun providing access to IP Gateway to components within DHS but did not provide a date as to when that step would be complete. These are positive steps toward implementing a systematic and integrated approach for facilitating data sharing and coordination of vulnerability assessments throughout the department. However, developing a department-wide process to facilitate data sharing and coordination among the DHS offices and components that conduct or require vulnerability assessments would better enable DHS to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct. Because DHS is still in the process of completing these steps, the recommendation has not yet been fully implemented.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSA) and other federal agencies to determine the areas they capture.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2016, DHS has established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and has designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, is collaborating to enhance the integration and coordination of vulnerability assessment efforts. This working group is intended to serve as an interagency forum to address several recommendations from GAO Report 14-507. However, the effort is ongoing and it is too early to determine if it will successfully address the recommendation.
    Director: Anne-Marie Fennell
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To reduce the cost of the crop insurance program and achieve budgetary savings for deficit reduction or other purposes, Congress should consider reducing the level of federal premium subsidies for revenue crop insurance policies. In doing so, Congress should consider whether to make the full amount of this reduction in an initial year, or to phase in the full amount of this reduction over several years. In addition, Congress should consider directing the Secretary of Agriculture to monitor and report on the impact, if any, of the reduction on farmer participation in the crop insurance program.

    Agency: Congress
    Status: Open

    Comments: As of December 2016, Congress has not taken action to implement this matter.
    Director: Courts, Michael J
    Phone: (202) 512-8980

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct the Under Secretary for Management to identify and eliminate inconsistencies between and within the Foreign Affairs Manual, Foreign Affairs Handbook (FAH), and other guidance concerning physical security.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State has taken steps to revise sections of the Foreign Affairs Manual and Foreign Affairs Handbook related to physical security through the Security Standards Committee. The committee, which is made up of DS and OBO officials, meets weekly to create and revise physical security standards, as needed. In addition, DS officials review all relevant sections of the FAM and FAH each year. However, as of March 2017, State has not provided evidence that it has conducted a comprehensive review of all physical security guidance to identify inconsistencies.
    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to clarify existing flexibilities in the FAH to ensure that security and life-safety updates to the OSPB standards and Physical Security Handbook are updated through an expedited review process.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State is in the process of revising the OSPB Working Group Guidelines in the FAH to clarify existing flexibilities for and to formalize an expedited process for making security and life-safety updates to the OSPB standards and Physical Security Handbook. As of April 2017 this action had not been completed, and State now expects to complete this action by the end of calendar year 2017.
    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: Although State has not developed a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks, officials agree with the intent of the recommendation and are taking actions to address it. For example, State's Security Standards Committee, which is made up of DS and OBO officials, meets weekly to create and revise physical security standards, as needed. In addition, DS officials conduct an annual review of all the relevant sections of the FAM and FAH, which includes the OSPB standards and the Physical Security Handbook. However, as of March 2017, State had not provided evidence proving that it specifically considers evolving threats and risks when reviewing OSPB standards and the Physical Security Handbook.
    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State is taking a number of actions to regularly reassess the risk that various posts and facilities face. For example, Regional Security Officers are required to conduct a physical security review for every work facility at least once a year at high-threat, high-risk posts, and every three years at all other posts. State also now conducts an annual process, the Vital Presence Validation Process, to reassess the risk taken to operate at each of the high-threat, high-risk posts. However, as of March 2017, it is unclear whether temporary and interim facilities are being reviewed and reassessed during these or other processes.
    Recommendation: To strengthen the effectiveness of the Department of State's risk management policies, the Secretary of State should develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State has created a working group to draft a revision to the risk management policy. As of April 2017, State anticipates that the update will be published in 2018.
    Director: Susan J. Irving
    Phone: (202) 512-6806

    3 open recommendations
    Recommendation: To help minimize Treasury borrowing costs over time by better understanding and managing the risks posed by Treasury floating rate notes and by enhancing demand for Treasury securities, the Secretary of the Treasury should track and report an additional measure of the length of the portfolio that captures the interest rate reset frequency of securities in the portfolio.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury agreed with our recommendation but has not yet introduced this additional metric. As of August 2017, the metric had not been introduced.
    Recommendation: To help minimize Treasury borrowing costs over time by better understanding and managing the risks posed by Treasury floating rate notes and by enhancing demand for Treasury securities, the Secretary of the Treasury should examine opportunities for additional new security types, such as FRNs with maturities other than 2 years or ultra-long bonds.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury agreed with our recommendation but has not yet taken steps to consider additional securities. We will continue to monitor information released from TBAC conferences and in follow up conversations with Treasury.
    Recommendation: To help minimize Treasury borrowing costs over time by better understanding and managing the risks posed by Treasury floating rate notes and by enhancing demand for Treasury securities, the Secretary of the Treasury should analyze the price effects of the mismatch between the term of the index rate and the reset period.

    Agency: Department of the Treasury
    Status: Open

    Comments: Treasury agreed with our recommendation and took introductory steps in 2014 to analyze the price effects of the mismatch by meeting with us to discuss our modeling approach. The results of their analysis were not conclusive and no action was taken at the time. We are seeking documentation of any further action that would allow us to close this recommendation as implemented.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other security-related planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators in identifying and addressing cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update the status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyber-related threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update the status of implementation efforts.
    Director: Frank Rusco
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To provide greater assurance that DOE is effectively monitoring its loans, the Secretary of Energy should direct the Executive Director of the Loan Programs Office to fully develop its organizational structure by staffing key monitoring positions.

    Agency: Department of Energy
    Status: Open

    Comments: As of April 2017, while the Loan Programs Office (LPO) had made some progress in filling key monitoring positions, several vacancies in the leadership of the Special Assets and Risk Management Divisions remained. LPO officials noted they were unlikely to fill any of these staffing vacancies given budget and program uncertainties.
    Director: Mak, Marie A
    Phone: (202) 512-2527

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To ensure consistent implementation of NASA's export control program, the NASA Administrator should establish guidance defining the appropriate level and organizational placement of the CEA function.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with the recommendation. To fully implement this recommendation, NASA needs to complete a planned update to its NASA Procedural Requirement (NPR) 2190.1B concerning NASA's export control program to further codify this structure and provide us with the documentation for review.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    1 open recommendation
    Recommendation: If Congress agrees that significant paid preparer errors exist, it should consider legislation granting IRS the authority to regulate paid tax preparers.

    Agency: Congress
    Status: Open

    Comments: In 2017, several bills were introduced in Congress that would authorize the Department of Treasury to regulate paid tax return preparers. As of September 2017, no action has been taken on any of the bills. GAO testified on October 1, 2015 on improper payments and the tax gap before Senate Finance and on December 10, 2015 on GAO recommendations before the Subcommittee on Regulatory Affairs and Federal Management, Committee on Homeland Security and Governmental Affairs, US Senate. Both hearings increased attention to GAO's matter to Congress that tax preparers be regulated. Paid preparer regulation may increase the accuracy of tax returns and potentially reduce the tax gap.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    1 open recommendation
    Recommendation: To better ensure that the Defense Agencies Initiative (DAI) implements effective risk management and information technology (IT) acquisition best practices, the Secretary of Defense should direct the Director of the Defense Logistics Agency to direct the DAI program office to establish a comprehensive risk log that includes all up-to-date risks with evaluations and categorizations that comply with DLA's defined parameters; and associated mitigation plans.

    Agency: Department of Defense
    Status: Open

    Comments: The Defense Logistics Agency established a risk log for DAI that includes risk evaluations and categorizations, and associated mitigation plans. We will continue monitoring the program's implementation of this recommendation to ensure that the agency is periodically reviewing the status of each risk and updating DAI's risk log and mitigation plans, as intended by the recommendation.
    Director: Marcia Crosse
    Phone: (202) 512-7114

    1 open recommendation
    Recommendation: To enhance its oversight of drug shortages, particularly as the agency fine-tunes the manner in which it gathers data on shortages and transitions from its database to a more robust system, the Commissioner of FDA should conduct periodic analyses using the existing drug shortages database (and, eventually, the new drug shortages information system) to routinely and systematically assess drug shortage information, and use this information proactively to identify risk factors for potential drug shortages early, thereby potentially helping FDA to recognize trends, clarify causes, and resolve problems before drugs go into short supply.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In August 2017, FDA reported that it had not conducted any rigorous analysis of predictors of drug shortages nor have new drug risk factors been identified. Although FDA adopted a new, commercially developed data system, the "Shortage Tracker," to track drug shortages in March 2016, it is used to help the Drug Shortage Staff manage their workload. FDA reported that this system has now been fully operational for over a year. However, no trend analysis relating to drug shortages has been conducted and the agency has no plans to conduct such analyses at this time.
    Director: Fleming, Susan A
    Phone: (202) 512-2834

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To improve the CSA program, the Secretary of Transportation should direct the FMCSA Administrator to revise the SMS methodology to better account for limitations in drawing comparisons of safety performance information across carriers; in doing so, the Secretary of Transportation should direct the FMCSA Administrator to conduct a formal analysis that specifically identifies: (1) limitations in the data used to calculate SMS scores including variability in the carrier population and the quality and quantity of data available for carrier safety performance assessments, and (2) limitations in the resulting SMS scores including their precision, confidence, and reliability for the purposes for which they are used.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: As of October 2016, FMCSA continues to maintain that they do not agree with our methodology or conclusions. While FMCSA's position about our specific recommendation is unchanged, FMCSA noted that Section 5221 of the FAST Act directed the National Academies of Science (NAS) to conduct a safety correlation study of the CSA program, and specifically FMCSA's Safety Measurement System's (SMS) methodology. FMCSA stated that if the outcome of the NAS study results in recommendations for SMS changes, they will address those recommendations accordingly. We continue to believe this recommendation has merit and could help the agency better target FMCSA's resources to the carriers that pose the highest risk of crashing, as we demonstrate in our report. For example, we reported that FMCSA requires a minimum level of information for a carrier to receive an SMS score; however, this requirement is not strong enough to produce sufficiently reliable scores. As a result, GAO found that FMCSA identified many carriers as high risk that were not later involved in a crash, potentially causing FMCSA to miss opportunities to intervene with carriers that were involved in crashes. FMCSA's methodology is limited because of insufficient information, which reduces the precision of SMS scores. GAO found that by scoring only carriers with more information, FMCSA could better identify high risk carriers likely to be involved in crashes. This illustrative approach involves trade-offs; it would assign SMS scores to fewer carriers, but these scores would generally be more reliable and thus more useful in targeting FMCSA's scarce resources.
    Recommendation: To improve the CSA program, the Secretary of Transportation should direct the FMCSA Administrator to ensure that any determination of a carrier's fitness to operate properly accounts for limitations we have identified regarding safety performance information.

    Agency: Department of Transportation
    Status: Open

    Comments: While FMCSA does not agree with our methodology or conclusions, we believe this recommendation has merit and could help the agency better target FMCSA's resources to the carriers that pose the highest risk of crashing, as we demonstrate in our report. For example, we reported that FMCSA requires a minimum level of information for a carrier to receive an SMS score; however, this requirement is not strong enough to produce sufficiently reliable scores. As a result, GAO found that FMCSA identified many carriers as high risk that were not later involved in a crash, potentially causing FMCSA to miss opportunities to intervene with carriers that were involved in crashes. FMCSA's methodology is limited because of insufficient information, which reduces the precision of SMS scores. GAO found that by scoring only carriers with more information, FMCSA could better identify high risk carriers likely to be involved in crashes. This illustrative approach involves trade-offs; it would assign SMS scores to fewer carriers, but these scores would generally be more reliable and thus more useful in targeting FMCSA's scarce resources.
    Director: St James, Lorelei
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To strengthen USPS's capital investment process related to USPS policy and consistent application of leading practices, the Postmaster General and executive leaders should establish a time frame for developing a clear, detailed, single-source, standard set of policies and procedures that reflect the capital investment selection phase.

    Agency: United States Postal Service: Office of the Postmaster General
    Status: Open

    Comments: In June 2017, the U.S. Postal Service (USPS) informed GAO that its Handbook F-66 General Investment Policies and Procedures is undergoing revisions that will make the capital investment selection process more clear, detailed, and standardized. The revised draft of the F-66 handbook is currently in the review and clearance process and may be finalized in 2017. USPS added that it will inform GAO of further updates as they develop.
    Recommendation: To strengthen USPS's capital investment process related to USPS policy and consistent application of leading practices, the Postmaster General and executive leaders should modify capital investment policies to more closely align with the following leading practices, including: (1) for planning capital investments, consider whether an external entity could better support all or part of a desired function when evaluating alternative capital investment options; (2) for selecting capital investments, use a portfolio approach for developing business cases and finalizing and allocating resources; and (3) for evaluating capital investments, seek and leverage external oversight and review, from a consultant or peer reviewer, and require that best practices and lessons learned be incorporated into the review process.

    Agency: United States Postal Service: Office of the Postmaster General
    Status: Open

    Comments: In June 2017, USPS informed GAO and provided documentation that its Handbook F-66 General Investment Policies and Procedures is to incorporate all leading practices. The F-66, however, is not yet finalized. In particular, the draft F-66 states that for planning investments, USPS is to conduct an analysis to identify the most economically beneficial resolution to a problem--the alternative that will result in the highest net present value, lowest costs, or greatest savings. For selecting investments, USPS is to use a portfolio approach organized by agency goals, sub-goals, indicators, and targets. For evaluating investments, USPS is to evaluate the need to hire consultants when applicable to assess the investment. The revised F-66 indicates that USPS will also require project managers to submit an analysis of investment performance and lessons learned as part of its post-deployment steps.
    Recommendation: To strengthen USPS's capital investment process related to USPS policy and consistent application of leading practices, the Postmaster General and executive leaders should regularly examine the extent to which executives and program managers consistently follow all leading practices, particularly for: (1) identifying problems and reassessing risk while managing a project; and (2) evaluating the cost, schedule, and performance results of completed projects.

    Agency: United States Postal Service: Office of the Postmaster General
    Status: Open

    Comments: In June 2017, USPS informed GAO and provided documentation that its revised Handbook F-66 General Investment Policies and Procedures is to include a management step to regularly review the progress and benefits of its capital investments, as well as its affordability and achievability, and make adjustments as necessary to meet the investment's goals. In addition, once a project is completed, USPS will require capital investment managers to present on the investment's performance, return-on-investment, and lessons learned.
    Director: Powner, David A
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To better ensure that the Dashboard provides meaningful ratings and reliable investment data, the Director of OMB should direct the Federal CIO to make accessible regularly updated portions of the public version of the Dashboard (such as CIO ratings) independent of the annual budget process.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: Although the Federal CIO did not agree or disagree with our recommendation, OMB has taken initial steps to implement it. Specifically, OMB recently updated the Dashboard with a number of changes, and OMB officials stated in 2015 that they intended for the Dashboard to be able to show updates throughout the year. That said, OMB has yet to implement this recommendation. Specifically, OMB did not publish updates to the public version of the Dashboard during the fiscal year 2018 budget formulation process, starting at the end of August 2016. We will continue to monitor the Dashboard to determine if portions of the public version of the Dashboard (such as CIO ratings) are available throughout the year. Maintaining the availability of these data is important for increasing the utility of the Dashboard as a tool for greater IT investment oversight and transparency.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Commerce should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce disagreed with this recommendation. In written correspondence, the Department noted that, although it is no longer reporting three of the 10 investments reviewed for this engagement on the IT Dashboard, it is maintaining oversight through monthly Dashboard-like assessments. As of July 28, 2016, the Department stated that it did not have plans to re-categorize these three particular investments as IT and report the data on the IT Dashboard. We continue to believe that this recommendation has merit and will monitor the Department's efforts to maintain oversight for these investments.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Energy should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Energy
    Status: Open

    Comments: While the Department of Energy had agreed with this recommendation, in subsequent written correspondence, it explained that five of the eight investments noted by GAO as being IT were no longer being reported in the IT Portfolio on the Dashboard. Instead, the Department was reporting these data to OMB via an alternative reporting mechanism specific to high performance computing. In addition, the Department noted that the remaining three investments were deconsolidated or downgraded into non-major investments, or eliminated by funding and, as such, these investments will not be included on the Dashboard. However, we continue to believe that this recommendation has merit and that the remaining investments are more properly classified as IT. We will continue to monitor the Department's efforts to maintain oversight for these investments.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Davis, Beryl H
    Phone: (202) 512-2623

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To proactively prepare for oversight of future disaster relief funding, the Director of OMB should develop standard guidance for federal agencies to use in designing internal control plans for disaster relief funding. Such guidance could leverage existing internal control review processes and should include, at a minimum, the following elements: (1) robust criteria for identifying and documenting incremental risks and mitigating controls related to the funding and (2) requirements for documenting the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: To address the recommendation, OMB should issue guidance on internal control for disaster relief funding, including criteria for identifying additional risks and mitigating controls related to the funding and a requirement to link these incremental risks to ongoing efforts to address known internal control risks. On July 15, 2016, OMB issued the revised Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. The Circular requires agencies to implement enterprise risk management, which includes the development of a risk profile that analyzes the risks faced in achieving strategic objectives and identifies options for addressing them. In April 2017, OMB staff stated that they believe that the implementation of enterprise risk management through Circular No. A-123 satisfies the intent of our recommendation. Because the responsibility for implementing enterprise risk management lies with agency management, Circular No. A-123 does not include specific guidance for identifying risks related to disaster funding. Further discussion and documentation to support OMB's position that the revised Circular addresses our recommendation will be necessary.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    4 open recommendations
    Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment, noting that such an update may be included in fiscal year 2017 planning documents. However, as of February 2017, no documentation had been provided that demonstrates such plans. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should, as part of current critical infrastructure protection planning with Sector-Specific Agencies (SSAs) and sector partners, develop and issue a plan and metrics to measure the effectiveness of GPS risk mitigation efforts on critical infrastructure resiliency.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of February 2017, DHS documentation shows that DHS has worked with Sector Specific Agencies (SSAs) and other interagency partners to help manage GPS risks and continues to communicate information on risks to critical infrastructure partners. For example, according to DHS officials, this included briefing field staff and developing questions for infrastructure surveys to gather information on GPS resilience at the facility level. According to DHS officials, at the national level DHS included GPS in discussions with SSAs on topics they could include in their Sector-Specific Plans (each SSA develops a Sector-Specific Plan to detail risk management in its critical infrastructure sector), but DHS has also indicated that sector-oriented metrics are not a viable means of assessing risk management actions. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of February 2017, the National Executive Committee for Space-Based Positioning, Navigation, and Timing (PNT) Executive Steering group had established an interagency team called the "Complementary PNT Tiger Team" co-chaired by DHS, DOT, and DOD. This team was formed to manage the federal government's efforts to establish a national backup system to GPS. According to DHS officials, this organizational structure obviates the need for a formal, written agreement between DOT and DHS specific to GPS backup responsibilities. They also stated that, in a separate but related effort, DHS, DOT, and DOD are discussing a tri-lateral agreement that covers a broad spectrum of PNT-related responsibilities and activities. We will update the status of this recommendation after we receive additional information from DHS.
    Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.

    Agency: Department of Transportation
    Status: Open

    Comments: As of February 2017, the National Executive Committee for Space-Based Positioning, Navigation, and Timing (PNT) Executive Steering group had established an interagency team--called the "Complementary PNT Tiger Team"--co-chaired by DHS, DOT, and DOD. This team was formed to manage the federal government's efforts to establish a national backup system to GPS. According to DHS officials, this organizational structure obviates the need for a formal, written agreement between DOT and DHS specific to GPS backup responsibilities. They also stated that, in a separate but related effort, DHS, DOT, and DOD are discussing a tri-lateral agreement that covers a broad spectrum of PNT-related responsibilities and activities. We will update the status of this recommendation after we receive additional information from DOT.
    Director: St James, Lorelei
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To ensure efficient management of the circulating coin inventory, the Board of Governors should direct Cash Product Office (CPO) to develop a process to assess the factors that have influenced increasing coin operations costs and differences in costs across Reserve Banks and a process to use this information to identify practices that could lead to cost-savings.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: As of August 2017, GAO is reviewing the recommendation update information from the Federal Reserve. The Federal Reserve has indicated that they have developed and approved a methodology to determine the differences in coin costs among different Reserve Banks and they have begun to identify cost differences among Reserve Banks and also begun to decrease overall coin costs.
    Recommendation: To ensure efficient management of the circulating coin inventory, the Board of Governors should direct CPO to establish, document, and annually report to the Board performance goals and metrics for managing the circulating coin inventory, (e.g., Reserve Bank coin management costs) and measure performance towards those goals and metrics.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: As of August 2017, GAO is reviewing information provided by the Federal Reserve. The Federal Reserve has indicated that the Cash Advisory Group has endorsed CPO's coin metric methodology. In addition, the CPO is working with the Board of Governors to understand variances in unit costs and working to reduce those costs.
    Recommendation: To ensure efficient management of the circulating coin inventory, the Board of Governors should direct CPO to establish and implement a process to assess the accuracy of forecasts for new coin orders and revise the forecasts as needed.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: As of August 2017, GAO is reviewing information provided by the Federal Reserve. The Federal Reserve has indicated that they have begun work to implement a more formal assessment program for forecasting new coin orders. In addition, the Cash Product Office has begun work to refine the accuracy of these forecasts.
    Director: Khan, Asif A
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to design and implement department-level policies and detailed procedures for FIAR Plan risk management that incorporate the five guiding principles for effective risk management. The following are examples of key features of each of the guiding principles that DOD should, at a minimum, address in its policies and procedures. (1) Identify risks. Generate a comprehensive and continuously updated list of risks that includes the root cause of each risk, audit area(s) each risk will affect, and the potential consequences if a risk is not effectively mitigated. (2) Analyze risks. Consult with key stakeholders, including program managers; use analytical techniques, such as risk categorization, risk urgency assessment, or sensitivity analysis; and determine the impact of the identified risks on individual DOD components' abilities to achieve audit readiness. (3) Plan for risk mitigation. Assign responsibility or ownership of the risk mitigation actions, define roles and responsibilities in executing mitigation plans, establish deadlines or milestones for individual mitigation actions, and estimate resource needs. (4) Implement risk mitigation plan. Document the implementation of mitigation actions, develop appropriate metrics that allow for tracking of progress, and validate reported metrics. (5) Monitor risks. Track identified risks and assess the effectiveness of implemented mitigation actions on a continuous basis, including identifying and planning for new risks.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with our recommendation. While DOD did concur with our assessment that they did not have a risk management policy and procedures related to implementing the FIAR guidance, they did not concur with our assessment of the overall environment of DOD's risk management of the FIAR initiative. DOD has taken steps to address our recommendation including implementing an NFR tracker and standard operating procedures designed to track DOD component material weaknesses. DOD has also documented a critical path and milestones in Appendix F of their FIAR Guidance; military component tasks and milestones in Appendix G of the FIAR Guidance; and audit readiness deal breakers, now referred to as critical capabilities. However, while these are positive actions, they do not address our recommendation for DOD to implement risk management policies and procedures for FIAR implementation. Further, DOD has not provided GAO with evidence of planned actions it summarized in its agency comments. Specifically, DOD has not provided documentation related to (1) improving risk management documentation, (2) reinstating the DOD probability and impact matrix, and (3) re-evaluation of metrics to monitor progress and risk of audit readiness. Lastly, DOD's tracking of military component material weaknesses does not identify risks to audit readiness, or the agencies' capabilities to manage risks to audit readiness. According to the May 2017 FIAR Status Update for the HASC Panel Recommendations, DOD has reinforced the importance of internal controls over areas of significant risk by updating the FIAR Guidance with a new chapter dedicated to internal controls. DOD has also changed how they respond to recommendation follow-up by way of the Washington Headquarters Service (WHS). We are currently waiting for a POC to be assigned. We will continue to evaluate the status of actions to address this recommendation.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to consider and incorporate, as appropriate, the Navy's and DLA's risk management practices in department-level policies and procedures.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has changed how they respond to recommendation follow-up by way of the Washington Headquarters Service (WHS). We are currently waiting for a POC to be assigned. We will continue to evaluate the status of actions to address this recommendation.
    Director: Gomez, Jose A
    Phone: (202) 512-3841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To ensure that EPA maximizes its limited resources and addresses the statutory, regulatory, and programmatic needs of EPA program offices and regions when IRIS toxicity assessments are not available, and once demand for the IRIS Program is determined, the EPA Administrator should direct the Deputy Administrator, in coordination with EPA's Science Advisor, to develop an agencywide strategy to address the unmet needs of EPA program offices and regions that includes, at a minimum: (1) coordination across EPA offices and with other federal research agencies to help identify and fill data gaps that preclude the agency from conducting IRIS toxicity assessments, and (2) guidance that describes alternative sources of toxicity information and when it would be appropriate to use them when IRIS values are not available, applicable, or current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of October 2016, EPA indicated that the agency evaluated user needs for toxicity assessments as part of its process for developing the Multi-Year Agenda it issued in December 2015. We will continue to review additional information and documentation on EPA's agencywide strategy to address the unmet needs of EPA program offices and regions, and will update status comments as appropriate.
    Director: Chaplain, Cristina T
    Phone: (202) 512-4841

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to add risk reduction non-intercept flight tests for each new type of target missiles developed.

    Agency: Department of Defense
    Status: Open

    Comments: Despite partially concurring with our recommendation in 2013, MDA has not adjusted its test plans to include risk-reduction (i.e., non-intercept) flight tests for new target types prior to their inclusion in an intercept flight test. MDA officials have not done so because such decisions must be balanced against potential cost, schedule, and programmatic impacts and flight test preparation processes, like dry-runs and quality control checks, are sufficient to discover issues prior to an intercept test. While test preparation processes are valuable, they are not a substitute for risk reduction flight tests. This was proven in June 2015 when MDA launched a new intermediate-range target that had 6 different test preparation processes but not a risk-reduction flight test and the target failed, which resulted in significant cost, schedule, and programmatic impacts. Moving forward, despite the impacts from its recent target failure, MDA plans to use a new medium-range target during its third, and most complex, operational test in the second quarter of fiscal year 2019. We maintain our stance that risk reduction flight tests would reduce the risk for the associated test and the overall flight test plan; however, MDA's actions to date suggest that it has no intention of including risk-reduction flight tests for new targets. However, we will continue to monitor its progress in this regard.
    Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to include in its resource baseline cost estimates all life cycle costs, specifically the operations and support costs, from the military services in order to provide decision makers with the full costs of ballistic missile defense systems.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD partially concurred with our recommendation that decisionmakers should have insight into the full lifecycle costs of MDA's programs. However, as of August 2017, MDA is still not including the military services' operations and sustainment costs--which are a part of the full lifecycle costs--in the resource baselines it reports in the Ballistic Missile Defense System Accountability Report. MDA is trying to determine how to report the full lifecycle costs to decisionmakers, but has indicated that the Ballistic Missile Defense System Accountability Report is not the appropriate forum for reporting the military services' operation and support costs. We continue to believe that including the full lifecycle costs of MDA's programs enables decisionmakers to make funding determinations that are based on a comprehensive understanding of the depth and breadth of each program's costs.
    Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to stabilize the acquisition baselines, so that meaningful comparisons can be made over time that support oversight of those acquisitions.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendation regarding the need for MDA to stabilize its acquisition baselines, but also noted MDA's need to adjust its baselines to remain responsive to evolving requirements and threats; both of which are beyond MDA's control. Further, DOD highlighted the MDA Director's authority to make adjustments to the agency's programmatic baselines, within departmental guidelines. Our recommendation, however, is not designed to limit the Director's authority to adjust baselines or to prevent adjusting baselines as appropriate. Rather, our recommendation is designed to address traceability issues we have found with MDA's baselines, which are within its control. Specifically, for MDA to be able to effectively report longer-term progress of its acquisitions and provide the necessary transparency to Congress, it is critical that the agency stabilize its baselines so that once set, any revisions can be tracked over time. At this point we have not seen any indication that MDA is working to implement this recommendation. For example, in 2016, MDA's Director made changes to the Targets and Countermeasures program's baseline that omit the costs of some targets and may make tracking progress against prior years and the original baseline very difficult, and in some instances, impossible. We will continue to monitor MDA's baselines to determine any progress in this area or implementation of this recommendation.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    3 open recommendations
    including 2 priority recommendations
    Recommendation: To promote coordination as a practice to help avoid overlap, the Secretary of Homeland Security, the Attorney General, and the Director of ONDCP should work through the Information Sharing and Access Interagency Policy Committee (ISA IPC) or otherwise collaborate to develop a mechanism, such as performance metrics related to coordination, that will allow them to hold field-based information-sharing entities accountable for coordinating with each other and monitor and evaluate the coordination results achieved.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: The Department of Justice (DOJ), in coordination with the Department of Homeland Security (DHS) and the Office of National Drug Control Policy (ONDCP), has made progress toward addressing GAO's April 2013 recommendation but has not included all of the relevant field-based information sharing entities in its efforts. Through their involvement in an interagency policy committee within the Executive Office of the President, DHS, DOJ, and ONDCP have developed a mechanism to hold state and urban area fusion centers, Regional Information Sharing System (RISS) centers, and High Intensity Drug Trafficking Area (HIDTA) Investigative Support Centers accountable for coordinating their analytical and investigative activities. However, the agencies have not fully addressed the action because DOJ's Federal Bureau of Investigation's (FBI) Joint Terrorism Task Forces (JTTF) and Field Intelligence Groups (FIG), two of the five field-based entities included in GAO's April 2013 report, have not participated in the assessment on which the mechanism is based. In December 2015, DHS developed a field-based partners report in which DHS, DOJ and ONDCP reported data for state and urban area fusion centers, RISS centers, and HIDTA Investigative Support Centers. These data were focused on field-based collaboration, including governance, colocation, and other information sharing, analytic, and deconfliction-focused topics. However, the report did not include data for DOJ's JTTFs or FIGs. DOJ has noted that JTTFs and FIGs are different from the other entities because JTTFs are operational law enforcement investigative entities and FIGs provide intelligence support to FBI Field Offices. However, GAO's April 2013 report identified areas in which the missions and activities of JTTFs and FIGs overlapped with those of the other entities and that coordination with other field based entities was important to prevent unnecessary overlap and potential duplication. 
    Considering the exclusion of two of the five entities, the agencies do not have a collective mechanism that can hold FIGs and JTTFs accountable for coordinating with the other field-based information sharing entities and allow the agencies to monitor progress and evaluate results across entities. Such a mechanism can help entities maintain effective relationships when new leadership is assigned and avoid unnecessary overlap in activities, which in turn can help entities to leverage scarce resources. As of March 2017, DOJ had provided no new updates. GAO will continue to monitor DOJ's progress in this area.
    Recommendation: To help identify where agencies and the field-based entities they support could apply coordination mechanisms to enhance information sharing and reduce inefficiencies resulting from overlap, the Secretary of Homeland Security, the Attorney General, and the Director of ONDCP should work through the ISA IPC or otherwise collaborate to identify characteristics of entities and assess specific geographic areas in which practices that could enhance coordination and reduce unnecessary overlap, such as cross-entity participation on governance boards and colocation of entities, could be further applied. The results of this assessment could be used by the agencies to provide recommendations or guidance to the entities to create coordinated governance boards or colocate entities, which can result in increased efficiencies through shared facilities and resources and reduced overlap through coordinated or collaborative products, activities, and services.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: The Department of Justice (DOJ), in coordination with the Department of Homeland Security (DHS) and the Office of National Drug Control Policy (ONDCP), has made progress toward addressing GAO's April 2013 recommendation but has not included all of the relevant field-based information sharing entities in its efforts. The three agencies have taken the necessary steps to assess the extent to which practices that can enhance coordination are being implemented at state and urban area fusion centers, Regional Information Sharing System (RISS) centers, and High Intensity Drug Trafficking Area (HIDTA) Investigative Support Centers through their involvement in an interagency policy committee within the Executive Office of the President. However, the assessment did not include DOJ's Federal Bureau of Investigation's (FBI) Joint Terrorism Task Forces (JTTF) or Field Intelligence Groups (FIG), two of the five field-based entities included in GAO's April 2013 report. In December 2015, DHS, DOJ, and ONDCP developed a field-based partners report in which DOJ and ONDCP collected and reported data elements for RISS centers and HIDTA Investigative Support Centers similar to those DHS uses in its annual fusion center assessment. These data were focused on field-based collaboration, including governance, colocation, and other information sharing, analytic, and deconfliction-focused topics. However, the report did not include data for DOJ's FBI JTTFs or FIGs. A collaborative assessment of where practices that enhance coordination can be applied to reduce overlap, collaborate, and leverage resources for all five field-based information-sharing entities would allow the agencies to provide recommendations or guidance to the entities on implementing these practices. As of March 2017, DOJ had provided no new updates. GAO will continue to monitor DOJ's progress in this area.
    Recommendation: To help ensure that an assessment of practices that could enhance coordination and reduce unnecessary overlap is shared and used to further enhance collaboration and efficiencies across agencies, the Program Manager, with input from the ISA IPC collaborating agencies, should report in the Information Sharing Environment (ISE) annual report to Congress the results of the assessment, including any additional coordination practices identified, efficiencies realized, or actions planned.

    Agency: Office of the Director of National Intelligence: Office of the Program Manager--Information Sharing Environment
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. Status last updated August 31, 2017.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To better ensure that GCSS-Army implements effective risk management and project monitoring and control practices, the Secretary of Defense should direct the Secretary of the Army to direct the GCSS-Army program office to specify the roles and responsibilities of the IV&V agent to ensure that it acts as a third party that validates and verifies the risks and mitigation plans developed by the program office and system integrator.

    Agency: Department of Defense
    Status: Open

    Comments: According to officials from Army's Program Executive Office Enterprise Information Systems in July 2017, the Army is working to draft an updated independent verification and validation policy in response to our recommendation. These officials expected the policy to be signed by the Program Executive Officer later this summer. We will continue to follow up with the Army regarding this draft policy and the implementation of this recommendation.
    Director: Trimble, David C
    Phone: (202) 512-3841

    3 open recommendations
    including 3 priority recommendations
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, the Administrator of EPA should consider promulgating a rule under TSCA section 8, or take action under another section, as appropriate, to require chemical companies to report chemical toxicity and exposure-related data they have submitted to the European Chemicals Agency.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report chemical toxicity and exposure-related data submitted to the European Chemicals Agency due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the law was signed by the President on June 22, 2016, EPA finalized a rule to establish the agency's process for evaluating high priority chemicals to determine whether or not they present an unreasonable risk to health or the environment and finalized a rule to require industry reporting of chemicals manufactured or processed in the US over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our recommendation. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, the Administrator of EPA should consider promulgating a rule under TSCA section 8, or take action under another section, as appropriate, to require chemical companies to report exposure-related data from processors to EPA.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report exposure-related data from processors to EPA due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the law was signed by the President on June 22, 2016, EPA has completed some implementation activities, including finalizing a rule to require industry reporting of chemicals manufactured or processed in the US over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our open recommendation. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, and to better position EPA to ensure chemical safety under existing TSCA authority, the Administrator of EPA should direct the appropriate offices to develop strategies for addressing challenges that impede the agency's ability to meet its goal of ensuring chemical safety. At a minimum, the strategies should address challenges associated with: (1) obtaining toxicity and exposure data needed to conduct ongoing and future TSCA Work Plan risk assessments, (2) gaining access to toxicity and exposure data provided to the European Chemicals Agency, (3) working with processors and processor associations to obtain exposure-related data, (4) banning or limiting the use of chemicals under section 6 of TSCA and planned actions for overcoming these challenges--including a description of other actions the agency plans to pursue in lieu of banning or limiting the use of chemicals, and (5) identifying the resources needed to conduct risk assessments and implement risk management decisions in order to meet its goal of ensuring chemical safety.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report chemical toxicity and exposure data, analyze the data, take necessary actions, and identify the resources needed for evaluating and managing risk to ensure chemical safety due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the new law was signed by the President on June 22, 2016, EPA finalized a rule to establish the agency's process for evaluating high priority chemicals to determine whether or not they present an unreasonable risk to health or the environment and finalized a rule to require industry reporting of chemicals manufactured or processed in the U.S. over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our recommendation, including actually obtaining the data necessary to make risk-informed regulatory decisions, and then making those decisions as appropriate. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Director: Larence, Eileen
    Phone: (202) 512-6510

    1 open recommendation
    Recommendation: To ensure that USNCB and ICE are providing more comprehensive information to their respective foreign counterparts regarding registered sex offenders traveling internationally, the Attorney General and the Secretary of Homeland Security should take steps to help ensure that USNCB and ICE have information on the same number of registered sex offenders as well as the same level of detail on registered sex offenders traveling internationally. Such steps could include USNCB and ICE copying each other on their notifications to their foreign counterparts or USNCB receiving information directly from the CBP National Targeting Center (NTC).

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that U.S. National Central Bureau (USNCB) and U.S. Immigration and Customs Enforcement (ICE) did not have information on the same registered sex offenders or the same level of detail on registered sex offenders traveling internationally, which affected their ability to notify their respective foreign counterparts. In part, this is because the two agencies rely on different information sources and do not share information with one another. We recommended that DOJ and DHS develop mechanisms that would enable these two agencies to have access to the same information on traveling sex offenders. In August 2013, ICE provided documentation showing that it copied several U.S. Marshals Service (USMS) officials on notifications that ICE sent to other countries regarding registered sex offenders traveling internationally. However, ICE did not copy USNCB on these notifications. ICE explained that it thought sharing information on traveling sex offenders with USMS and relying on USMS to pass that information along to USNCB was the most efficient way to share information with USNCB. However, we analyzed notifications from ICE, USNCB, and USMS regarding sex offenders who initiated international travel in February 2014 and found that USMS only passed along about 30 percent of the notifications it received from ICE to USNCB. We provided the results of this analysis to all three agencies in July 2014. We met with relevant U.S. Customs and Border Protection (CBP), ICE, USMS, and USNCB officials in September 2014 to discuss options for ensuring that USNCB receives more comprehensive information regarding traveling sex offenders. ICE officials stated that since CBP is the source of the information ICE receives on traveling sex offenders, as well as one of the information sources for USMS, that it may be best for CBP to provide information directly to USNCB. 
    USNCB officials also stated that their preference was to receive information directly from CBP, and it was their understanding that CBP and USNCB were in the process of developing an MOU that would allow for this. In October 2015, CBP confirmed that the MOU would enable CBP to share information with USNCB regarding traveling sex offenders. CBP also stated that the MOU had been approved by CBP and sent to USNCB for review. In an April 2016 update, CBP reported that the MOU had been tentatively approved by USNCB and is expected to be finalized and signed in July 2016. In August 2016, CBP stated that the completion date for the MOU was pushed back to September 30, 2016, to allow time for CBP and USNCB to negotiate additional edits. We followed up with CBP about the status of the MOU in February 2017. We are awaiting a response.
    Director: Cackley, Alicia P
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: To better enable CPSC to target unsafe consumer products, Congress may wish to amend section 29(f) of CPSA to allow CPSC greater ability to enter into information-sharing agreements with its foreign counterparts that permit reciprocal terms on disclosure of nonpublic information.

    Agency: Congress
    Status: Open

    Comments: As of July 31, 2017, Section 29 of CPSA had not been amended since 2008. In 2013, a bill was introduced (S.1887) but not passed. That bill would have allowed "the Commission, when sharing information under the federal-state cooperation program with a foreign government agency for official law enforcement or consumer protection purposes, to authorize a foreign government agency to make that information available to another agency of the same foreign government (including a political subdivision of that foreign government that is located within the same territory or administrative area as the agency disclosing the information) if an appropriate official of the foreign government agency disclosing the information certifies (by prior agreement, memorandum of understanding with the CPSC, or other written certification) that it will establish and apply specified confidentiality restrictions under the Consumer Product Safety Act."
    Director: Chaplain, Cristina T
    Phone: (202)512-4859

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To improve NASA management and oversight of its spaceflight projects, and to improve the reliability of project EVM data, the NASA Administrator should direct the appropriate offices to modify the NASA Procedural Requirements (NPR) 7120.5 to require projects to implement a formal surveillance program that: (1) Ensures anomalies in contractor-delivered and in-house monthly earned value management reports are identified and explained, and report periodically to the center and mission directorate's leadership on relevant trends in the number of unexplained anomalies. (2) Ensures consistent use of work breakdown structures (WBS) for both the EVM report and the schedule. (3) Ensures that lower level EVM data reconcile to project level EVM data using the same WBS structure. (4) Improves underlying schedules so that they are properly sequenced using predecessor and successor dependencies and are free of constraints to the extent practicable so that the EVM baseline is reliable.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA partially agreed with this recommendation. NASA has implemented several initiatives related to EVM training tools and support material to enhance EVM implementation, but has not modified the NASA Procedural Requirements (NPR) 7120.5 to require projects to implement a formal surveillance program. In May 2017, officials reiterated NASA's position that they do not plan to implement a formal surveillance plan due to resource constraints. We continue to believe that implementing this recommendation for projects to implement a formal surveillance program would be beneficial and prevent anomalies in EVM data from occurring. Without implementing proper surveillance, projects may be utilizing unreliable EVM data in their analyses to inform their cost and schedule decision making.
    Director: Jeszeck, Charles A
    Phone: (202) 512-7215

    4 open recommendations
    Recommendation: To enhance understanding and better inform debate on the possible effects of moving to a more risk-based premium structure, during consideration of various redesign options and after a redesign may be authorized, the Director of PBGC should continue to develop PBGC's hypothetical model, analyzing various premium redesign options and their impacts on sponsors, and report the results to Congress. As part of these analyses, PBGC should evaluate the potential effects on sponsors of incorporating additional risk factors, such as company financial health and plan investment mix, and include an assessment to identify any potentially disproportional hardships on smaller companies that may result from the redistribution of higher rates to riskier sponsors.

    Agency: Pension Benefit Guaranty Corporation
    Status: Open

    Comments: PBGC agreed with this recommendation. The agency is committed to continued development of the databases, models, and analyses of various premium redesign options and their impacts on sponsors, and to report the results of these analyses to Congress. In April 2014, PBGC noted that its efforts are still in process. As of August 2015, PBGC had provided no additional updates on actions taken on this recommendation.
    Recommendation: To help strengthen the PBGC insurance program, Congress should authorize redesign of PBGC's premium structure to more fully reflect the risk posed by plans and sponsors to the agency, such as by providing for the incorporation of additional risk factors.

    Agency: Congress
    Status: Open

    Comments: In July 2012 and December 2013, Congress passed premium increases (P.L. No. 112-141 and P.L. 113-67, respectively) to better reflect the risk posed to the Pension Benefit Guaranty Corporation by certain defined benefit pension plans and plan sponsors. Nevertheless, as of September 2015, Congress had yet to authorize a redesign of PBGC's premium structure.
    Recommendation: In addition, to improve PBGC's ability to collect key information that may be necessary to help the agency estimate its risk exposure to future claims and strengthen implementation of any changes to the premium structure, Congress should provide PBGC with access to additional information needed to assess risk and assist in setting premiums, such as by expanding the criteria requiring plan sponsors to report under section 4010 of ERISA.

    Agency: Congress
    Status: Open

    Comments: As of September 2015, Congress has taken no action related to this matter.
    Recommendation: Moreover, to better understand the mechanics of how best to incorporate additional risk factors, improve transparency, and help inform the evaluation of the various redesign options, Congress should establish an independent premiums advisory committee reflecting a range of perspectives--including, for example, representatives from federal agencies, sponsors, actuaries, private insurers, and labor groups--to assist with such activities as developing the mechanics for incorporating additional risk factors and implementing new rates, as well as delineating a variety of alternative methods to address PBGC's deficit.

    Agency: Congress
    Status: Open

    Comments: As of September 2015, Congress has taken no action related to this matter.
    Director: Dillingham, Gerald L
    Phone: (202)512-2834

    3 open recommendations
    Recommendation: To enhance FAA's efforts to improve general aviation safety, the Secretary of Transportation should direct the FAA Administrator to improve measures of general aviation activity by requiring the collection of the number of hours that general aviation aircraft fly over a period of time (flight hours). FAA should explore ways to do this that minimize the impact on the general aviation community, such as by collecting the data at regular events (e.g., during registration renewals or at annual maintenance inspections) that are already required.

    Agency: Department of Transportation
    Status: Open

    Comments: In August 2017, GAO confirmed that FAA's collection of flight hour data during registration renewals or annual maintenance inspections is not feasible because it would require rulemaking and potentially have a significant economic and paperwork impact on the GA community. FAA noted that, although previously the GA Activity Survey was somewhat limited for collecting more extensive flight hour data, improvements to the survey regarding flight hour data collection have resulted in a low standard error of 1.1 percent, which means that the agency and industry can have confidence in the aggregate results regarding how GA is operated in the national airspace system. While there may have been methodological improvements to the survey, FAA's response indicates that it does not require the collection of GA flight hour data. GAO maintains that estimates from the survey still may not be sufficient for drawing conclusions about changes in crash rates over time and that more precise flight hour data could allow FAA to better target its safety efforts within the general aviation community.
    Recommendation: To enhance FAA's efforts to improve general aviation safety, and to ensure that ongoing safety issues are addressed, the Secretary of Transportation should direct the FAA Administrator to set specific general aviation safety improvement goals--such as targets for fatal accident reductions--for individual industry segments using a data-driven, risk management approach.

    Agency: Department of Transportation
    Status: Open

    Comments: GAO confirmed in August 2017 that FAA's General Aviation Joint Steering Committee has undertaken a data-driven approach to resolving and mitigating the risks associated with all General Aviation (GA) fatal accidents and is exploring different metrics for monitoring individual industry segments utilizing tools such as the GA Activity Survey but that credible metrics for each industry sub-sector are currently not feasible. However, our recommendation was for FAA to develop metrics for industry segments because we found a variety of differences in accident and fatality rates among industry segments and believe that focusing on segments with higher instances of both is a better use of FAA's limited resources.
    Recommendation: To enhance FAA's efforts to improve general aviation safety, and to determine whether the programs and activities underlying the 5-year strategy are successful and if additional actions are needed, the Secretary of Transportation should direct the FAA Administrator to develop performance measures for each significant program and activity underlying the 5-year strategy.

    Agency: Department of Transportation
    Status: Open

    Comments: GAO confirmed in August 2017 that FAA has established performance metrics for the activities underlying the 5-year strategy and that the GA fatal accident rate remains its primary performance measure. FAA also reported that additional performance measures would be developed in association with the General Aviation Joint Steering Committee working groups. However, FAA has provided no documentation of its metrics for the associated activities underlying the 5-year strategy; therefore, this recommendation remains open.
    Director: Goldstein, Mark L
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should develop and implement a new comprehensive and reliable system for contract guard oversight.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FPS officials, as of September 2017, FPS is currently reviewing proposals and preparing to make a decision for the final contract award for a Post Tracking System (PTS). According to FPS, this PTS will allow FPS to comprehensively and reliably manage its contract guards. Once the contract is awarded in late 2017, FPS will begin to implement the PTS system. GAO is keeping this recommendation open pending successful implementation of this system.
    Recommendation: Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should verify independently that FPS's contract guards are current on all training and certification requirements.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to FPS officials, as of September 2017, FPS plans to address this recommendation through the implementation of FPS's Training Academy and Management System (TAMS). FPS reported that this system should allow it to verify independently that FPS's contract guards are current on all training and certification requirements. FPS is currently taking various steps to finalize the system and anticipates full implementation of TAMS by August 2018. GAO is leaving this recommendation open pending successful implementation of TAMS.
    Director: Trimble, David C
    Phone: 202-512-9338

    5 open recommendations
    including 4 priority recommendations
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development to assess the feasibility and appropriateness of the established time frames for each step in the IRIS assessment process and determine whether different time frames should be established, based on complexity or other criteria, for different types of IRIS assessments.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016 we reviewed information provided by EPA related to this recommendation. In July 2013, the EPA issued "enhancements" to the IRIS process, and throughout 2016, EPA provided us with details on its online chemical information. EPA stated that the Program introduced the idea that different timelines are needed for different types of assessments based on criteria such as complexity (i.e., large database, many endpoints, complex questions about dose-response, multiple science issues, and novel approaches), potential public health impact, and the amount of new research that needs to be considered. Consequently, two sets of timelines for the IRIS assessment process were developed, one set for "standard" assessments and one set for "complex" assessments. GAO believes that this is important progress but that EPA needs to continue to determine whether different time frames should be established.
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development, should different time frames be necessary, to establish a written policy that clearly describes the applicability of the time frames for each type of IRIS assessment and ensures that the time frames are realistic and provide greater predictability to stakeholders.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016 we reviewed information provided by EPA related to this recommendation. While in July 2013, EPA issued "enhancements" to the IRIS process and provided us with details on the online information available for each chemical, a written policy that is publicly available is still needed. EPA stated that the Program introduced the idea that different timelines are needed for different types of assessments based on criteria such as complexity (i.e., large database, many endpoints, complex questions about dose-response, multiple science issues, and novel approaches), potential public health impact, and the amount of new research that needs to be considered. Consequently, two sets of timelines for the IRIS assessment process were developed, one set for "standard" assessments and one set for "complex" assessments. GAO believes that EPA has made progress and we will continue to review information provided by EPA as they work to ensure that the time frames are realistic and provide greater predictability to stakeholders.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to annually publish the IRIS agenda in the Federal Register each fiscal year.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In October 2016, EPA provided an update to GAO and said they believe they have met the intent of this GAO recommendation by publishing an IRIS Multi-Year Agenda in December 2015. According to EPA, the Multi-Year Agenda provides detailed information on near-term agency priorities including IRIS assessments that are ongoing and those that will be initiated over the next few years. EPA also told GAO that they are working to update the information provided on the status of each ongoing IRIS assessment. As this important work continues, GAO will monitor EPA's progress and determine if the information provides IRIS users with transparent information about assessments.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to indicate in published IRIS agendas which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016, EPA provided an update to GAO and said they believe they have met the intent of this GAO recommendation by publishing an IRIS Multi-Year Agenda in December 2015. According to EPA, the Multi-Year Agenda provides detailed information on near-term agency priorities including IRIS assessments that are ongoing and those that will be initiated over the next few years. GAO still believes that annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program is critical for IRIS users and specifically which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to update the IRIS Substance Assessment Tracking System (IRISTrack) to display all current information on the status of assessments of chemicals on the IRIS agenda, including projected and actual start dates, and projected and actual dates for completion of steps in the IRIS process, and keep this information current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016, EPA provided an update to GAO and said they believe they have met the intent of this GAO recommendation by publishing an IRIS Multi-Year Agenda in December 2015. According to EPA, the Multi-Year Agenda provides detailed information on near-term agency priorities including IRIS assessments that are ongoing and those that will be initiated over the next few years. GAO still believes that annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program is critical for IRIS users. In addition, the Agenda does not identify projected start dates for new assessments, and therefore is not ensuring that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users.
    Director: Hutton, John P
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: To better focus agencies' efforts to manage the risks related to professional and management support service contracts, the Director of OMB, through the Office of Federal Procurement Policy (OFPP), should establish a near-term deadline for agencies to develop internal procedures required by OFPP Policy Letter 11-01, including for services that closely support inherently governmental functions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In providing comments on our report, OFPP generally agreed with this recommendation. During follow-up discussions, OFPP agreed to provide additional information to confirm the actions they have taken to address the recommendation. However, we have yet to receive this information. We will continue to follow this recommendation and provide updated information when available.
    Recommendation: To ensure that the risks of professional and management support service contracts are more fully considered and addressed, the Director of OMB, through the Office of Federal Procurement Policy, should include contracts coded in the Federal Procurement Data System - Next Generation (FPDS-NG) as Other Professional Services and Other Management Support Services in the cost savings initiative for management support services and planned service contract inventory guidance to agencies for conducting analysis of special interest functions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In providing comments on our report, OFPP generally agreed with this recommendation. We have had discussions with OFPP and they agreed to provide additional information on the actions taken to address the recommendation. However, we have yet to receive this information. We will continue to follow this recommendation and provide updated information when available.
    Director: Goldstein, Mark L
    Phone: (202)512-6670

    2 open recommendations
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of April 2017, the Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Justice
    Status: Open

    Comments: As of April 2017, the Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Director: Brown, Orice Williams
    Phone: (202)512-5837

    4 open recommendations
    Recommendation: While creating control systems at the same time that the emergency programs were being designed and implemented posed unique challenges, the recent crisis provided invaluable experience that the Federal Reserve System can apply in the future should the use of these authorities again become warranted. Going forward, to further strengthen policies for selecting vendors, ensuring the transparency and consistency of decision making involving the implementation of any future emergency programs, and managing risks related to these programs, the Chairman of the Federal Reserve Board should direct Federal Reserve Board and Reserve Bank staff to strengthen procedures in place to guide Reserve Banks' efforts to manage emergency program access for higher-risk borrowers by providing more specific guidance on how Reserve Bank staff should exercise discretion and document decisions to restrict or deny program access for depository institutions and primary dealers that would otherwise be eligible for emergency assistance.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: While creating control systems at the same time that the emergency programs were being designed and implemented posed unique challenges, the recent crisis provided invaluable experience that the Federal Reserve System can apply in the future should the use of these authorities again become warranted. Going forward, to further strengthen policies for selecting vendors, ensuring the transparency and consistency of decision making involving the implementation of any future emergency programs, and managing risks related to these programs, the Chairman of the Federal Reserve Board should direct Federal Reserve Board and Reserve Bank staff to document a plan for estimating and tracking losses that could occur under more adverse economic conditions within and across all emergency lending activities and for using this information to inform policy decisions, such as decisions to limit risk exposures through program design or restrictions applied to eligible borrowing institutions.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: While creating control systems at the same time that the emergency programs were being designed and implemented posed unique challenges, the recent crisis provided invaluable experience that the Federal Reserve System can apply in the future should the use of these authorities again become warranted. Going forward, to further strengthen policies for selecting vendors, ensuring the transparency and consistency of decision making involving the implementation of any future emergency programs, and managing risks related to these programs, the Chairman of the Federal Reserve Board should direct Federal Reserve Board and Reserve Bank staff, in drafting regulations to establish the policies and procedures governing emergency lending under section 13(3) of the Federal Reserve Act, to set forth the Federal Reserve Board's process for documenting, to the extent not otherwise required by law, its justification for each use of this authority.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: While creating control systems at the same time that the emergency programs were being designed and implemented posed unique challenges, the recent crisis provided invaluable experience that the Federal Reserve System can apply in the future should the use of these authorities again become warranted. Going forward, to further strengthen policies for selecting vendors, ensuring the transparency and consistency of decision making involving the implementation of any future emergency programs, and managing risks related to these programs, the Chairman of the Federal Reserve Board should direct Federal Reserve Board and Reserve Bank staff to document the Federal Reserve Board's guidance to Reserve Banks on types of emergency program decisions and risk events that require approval by or consultation with the Board of Governors, the Federal Open Market Committee, or other designated groups or officials at the Federal Reserve Board.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Williamson, Randall B
    Phone: (206)287-4860

    1 open recommendation
    Recommendation: To help identify risks and address vulnerabilities in physical security precautions at VA medical facilities, the Secretary of Veterans Affairs should direct the Under Secretary for Health to require relevant medical center stakeholders to coordinate and consult on (1) plans for new and renovated units, and (2) any changes to physical security features, such as closed-circuit television cameras.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Aloise, Eugene E
    Phone: (202)512-6870

    1 open recommendation
    Recommendation: Once the stewardship for the isotopes has been assigned, the Secretary of Energy should direct the head of the responsible office(s) to develop strategic plans that, among other things, systematically assess and document risks to managing the isotopes and supporting activities, such as not having control over the supply of these isotopes, and implement actions needed to mitigate them.

    Agency: Department of Energy
    Status: Open

    Comments: According to the Isotope Program, it has assessed supply and demand for some key isotopes and is working with stakeholders to manage supply and demand of isotopes for which the program does not control the supply. We will review the program's actions and update the status of this recommendation.
    Director: Wise, David J
    Phone: (202)512-5731

    1 open recommendation
    Recommendation: To ensure that FTA targets its resources effectively as it increases its safety efforts and is able to track the results of these efforts, the Secretary of Transportation should direct the FTA Administrator to use leading practices as FTA develops its plans for fiscal year 2011 and in the future. In particular, the Administrator should create a set of clear and specific performance goals and measures that (1) are aligned with the department's strategic safety goals and identify the intended results of FTA's various safety efforts and (2) address important dimensions of program performance.

    Agency: Department of Transportation
    Status: Open

    Comments: The Moving Ahead for Progress in the 21st Century Act (MAP-21), enacted in 2012, gave the Federal Transit Administration (FTA) authority to establish and enforce a new comprehensive framework for overseeing the safety of public transportation in the U.S. FTA is developing a new National Public Transportation Safety Program, including new safety regulations and a National Safety Plan, to implement this authority. FTA has proposed a National Safety Plan that identifies a potential set of performance measures for FTA, but does not identify related goals or targets. FTA officials said that they would address our recommendation within the next 6-12 months by establishing, within an internal performance plan, a set of clear and specific performance goals and measures for FTA that align with the leading practices we identify. We will follow up in Spring 2017 to check on FTA's progress in implementing this recommendation.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    1 open recommendation
    Recommendation: To facilitate better agency understanding of the potential need and feasibility of expanding electronic verification of seafarers, to improve data collection and sharing, and to comply with the Inflation Adjustment Act, the Secretary of Homeland Security should direct the Commandant of the Coast Guard and Commissioner of CBP to jointly establish an interagency process for sharing and reconciling records of absconder and deserter incidents occurring at U.S. seaports.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred and stated that U.S. Customs and Border Protection (CBP) and the Coast Guard would begin to assess the appropriate offices within each component involved in the review and to establish a working group to evaluate the current reporting process within each component, and between CBP and Coast Guard. Further, DHS noted that it was working to co-locate the Coast Guard's ICC Coastwatch and CBP's National Targeting Center-Passenger and that this would help to eliminate many of the absconder- and deserter-reporting inconsistencies GAO identified between Coast Guard and CBP. In January 2013, CBP and Coast Guard officials reported that they had studied the CBP and Coast Guard data and found that multiple factors had likely contributed to the data variances, including differences in definitions for absconders/deserters among CBP and Coast Guard field units, and the method in which field units had recorded and reported absconder and deserter incidents. Officials reported that the two agencies were planning to develop an interagency memorandum of agreement (MOA) with field guidance for reporting absconder and deserter incidents. Officials reported that they expected to finalize and implement the MOA and field guidance by November 30, 2013. In July 2014, CBP described a new process in place for interagency data reconciliation, reporting that this action was taken in lieu of previously discussed plans to develop an interagency MOU. In December 2015, CBP reported that it expected to complete the effort by March 2016. In March 2016, CBP reported that it expected to complete the effort by September 2016. CBP officials reported that the Coast Guard and CBP determined that the absconder data variances were caused by the agencies using different reporting criteria. Officials reported that the two agencies were preparing a memo and guidance to issue to field units by August 31, 2016.
Officials reported that the recommendation would be fully implemented by September 30, 2016. In September 2016, CBP reported that it expected to implement the effort by December 31, 2016. In December 2016, CBP reported that the agency had drafted a memo to coincide with new Coast Guard procedure for conducting asymmetric migration vetting and deconfliction. CBP was also working to require all ports of entry to report all maritime asymmetric migration events directly to Coastwatch or a Targeting Framework event. However, on October 18, 2016, the DHS Deputy Secretary issued Department Policy Regarding Investigative Data and Event Deconfliction Policy Directive 045-04 that sets forth DHS policy for investigative data and event deconfliction and the use of related deconfliction systems in the course of certain law enforcement activity. As a result of the newly published Directive, DHS requires that CBP develop and implement related policy, by January 17, 2017. The policy directive requires DHS components to develop a policy applicable to components having equities in Investigative Data and Event Deconfliction. The policy will focus on more effective coordination of investigative activity to ensure officer safety by identifying links between ongoing criminal investigations. The Policy also requires that CBP components, at a minimum, conduct deconfliction through the Deconfliction and Information Coordination Endeavor, Regional Information Sharing Systems Officer Safety Event Deconfliction System, Secure Automated Fast Event Tracking Network or Case Explorer systems. CBP and Coast Guard are now looking at a directive which makes it a port responsibility to deconflict case related information. The timeline for drafting and finalizing that directive is January 2017. Because of this change in direction, CBP and Coast Guard are requesting an extension to March 31, 2017 to finalize and disseminate the new policy.
    Director: Goldstein, Mark L
    Phone: (202)512-3000

    3 open recommendations
    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should, based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.

    Agency: Federal Communications Commission
    Status: Open

    Comments: In April 2014, FCC approved USAC's hiring of a contractor to conduct a risk assessment of the E-rate program. FCC plans to implement this recommendation after the risk assessment is completed and the results of the risk assessment can be used to inform the examination of the internal control structure.
    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.

    Agency: Federal Communications Commission
    Status: Open

    Comments: In April 2014, FCC approved the hiring of a contractor to conduct a risk assessment of the E-rate program. In July 2014, an FCC official said that the agency is planning to take action on this recommendation before the risk assessment is completed.
    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.

    Agency: Federal Communications Commission
    Status: Open

    Comments: In April 2014, FCC approved the hiring of a contractor to conduct a risk assessment of the E-rate program. In July 2014, an FCC official said that the agency is planning to take action on this recommendation before the risk assessment is completed.
    Director: Mccool, Thomas J
    Phone: (202)512-8678

    1 open recommendation
    Recommendation: In developing legislation for a national reporting system for the biological laboratory community, Congress may wish to consider provisions for the agency it designates as responsible for the system to take into account the following in design and implementation: (1) including stakeholders in setting system goals; (2) assessing labs' organizational culture to guide design and implementation decisions; (3) making reporting voluntary, with open-reporting formats that allow workers to report events in their own words and that can be submitted by all workers in a variety of modes (Web or postal), with the option to report to either an internal or external entity; (4) incorporating strong reporter protections, data deidentification measures, and other incentives for reporting; (5) developing feedback mechanisms and an industry-level entity for disseminating safety data and safety recommendations across the lab community; and (6) ensuring ongoing monitoring and evaluation of the safety reporting system and safety culture.

    Agency: Congress
    Status: Open

    Comments: Congress has not taken action on this recommendation.
    Director: Khan, Asif A
    Phone: (202)512-3000

    1 open recommendation
    Recommendation: The Secretary of Defense should direct the military department Chief Management Officers, in consultation with the Under Secretary of Defense (Comptroller) and the Under Secretary of Defense for Acquisition, Technology, and Logistics, as appropriate, after defining the cost accounting requirements, to utilize the requirements as input to the ERPs to help ensure that the ERPs will provide the capability to identify and aggregate cost information for the department's assets in accordance with DOD's defined requirements.

    Agency: Department of Defense
    Status: Open

    Comments: DOD's military departments are in the process of implementing Enterprise Resource Planning (ERPs). At least one of these ERPs does not currently include cost accumulation and reporting for military equipment assets. DOD's FIAR plan efforts, which, according to officials, include systems enhancements, are still ongoing to address this recommendation. The status of this recommendation is open.
    Director: Currie, Christopher
    Phone: (404)679-3000

    1 open recommendation
    Recommendation: In order to help build and maintain a national biosurveillance capability, an inherently interagency enterprise, the Homeland Security Council should direct the National Security Staff to, in coordination with relevant federal agencies, charge this focal point with the responsibility for developing, in conjunction with relevant federal agencies, a national biosurveillance strategy that: 1) defines the scope and purpose of a national capability; 2) provides goals, objectives and activities, priorities, milestones, and performance measures; 3) assesses the costs and benefits associated with supporting and building the capability and identifies the resource and investment needs, including investment priorities; 4) clarifies roles and responsibilities of leading, partnering, and supporting a national capability; and 5) articulates how the strategy is integrated with and supports other related strategies' goals, objectives, and activities.

    Agency: Executive Office of the President: Homeland Security Council
    Status: Open

    Comments: In July 2012, the White House released the National Strategy for Biosurveillance to describe the U.S. government's approach to strengthening biosurveillance. A strategic implementation plan was to be completed within 120 days of the strategy issuance. As we testified in September 2012, the strategy did not fully meet the intent of our recommendation; however, when the implementation plan is complete, it may meet our recommendation. Specifically, the strategy did not provide the mechanism GAO recommended to identify resource and investment needs, including investment priorities. As of September 2015, GAO has not received a copy of the implementation plan for review and has not been able to confirm that it has been finalized and is considered operational by the White House and the key interagency partners.
    Director: Melvin, Valerie C
    Phone: (202)512-6304

    3 open recommendations
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to ensure implementation of a requirements management plan that reflects leading practices for requirements development and management. Specifically, implementation of the plan should include analyzing requirements to ensure they are complete, verifiable, and sufficiently detailed to guide development, and maintaining requirements traceability from high-level operational requirements through detailed low-level requirements to test cases.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments on our report, VA concurred with this recommendation and in August 2014, identified initial actions the department had taken in response. Specifically, as part of its plans to issue a request for proposals to acquire a replacement scheduling system under its Medical Appointment Scheduling System (MASS) project, VA developed a Business Requirements Document that defines its specific business needs, capabilities, features, and constraints. Additionally, the department reported that it intends to manage and document requirements using processes supported by a Web-based tool called Rational Doors. In August 2015, VA's Office of Acquisition, Logistics, and Construction awarded a contract for the MASS project. However, in April 2016, the department paused MASS to evaluate an alternative project to enhance its legacy scheduling system. Subsequently, in early 2017, the department restarted the MASS project. Nevertheless, as of June 2017, the department had not developed a requirements management plan for MASS. Thus, the MASS project has not yet reached the point where the effectiveness of the requirements management activities we recommended can be assessed.
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to adhere to the department's guidance for system testing including (1) performing testing incrementally and (2) resolving defects of average and above severity prior to proceeding to subsequent stages of testing.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments on our report, VA concurred with this recommendation and stated that testing was managed using documented, repeatable processes that are included in the department's ProPath Web-based tool. According to the Acting Deputy Chief Information Officer for Product Development, the Medical Appointment Scheduling System (MASS) project is expected to incorporate Agile software development practices, including the use of incremental testing. In August 2015, the department awarded a contract for the MASS project that included task orders for the development of test plans. However, in April 2016, the department paused MASS to evaluate an alternative to enhance its legacy scheduling system. In early 2017, the department restarted the MASS project, but as of June 2017, had not developed a test plan for MASS. Thus, the project has not yet reached the point where adherence to the department's system testing guidance can be assessed.
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to ensure that the policies and procedures VA is establishing to provide meaningful program oversight are effectively executed and that they include (1) robust collection methods for information on project costs, benefits, schedule, risk assessments, performance metrics, and system functionality to support executive decision making; (2) the establishment of reporting mechanisms to provide this information in a timely manner to department IT oversight control boards; and (3) defined criteria and documented policies on actions the department will take when development deficiencies for a project are identified.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with this recommendation and identified various actions it has taken in response. Specifically, the department awarded a contract for its Medical Appointment Scheduling System (MASS) project in August 2015. However, in April 2016, it paused MASS to evaluate an alternative to enhance its legacy scheduling system. In June 2017, VA reported that the MASS project had been resumed and indicated that it would adhere to the department's Veteran-focused Intake Process (VIP), which is intended to ensure oversight, accountability, and traceability of all program activity. Also, the department reported that MASS had met its first VIP milestone, Critical Decision 1, in January 2017. However, key future activities, including product development and testing, have not yet been demonstrated, while VIP milestones (e.g., Critical Decision 2) have not yet been met. Thus, MASS has not reached the point where the effectiveness of project oversight can be fully assessed.
    Director: Dagostino, Davi M
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: To improve DOD's ability to conduct its civil support missions, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in coordination with the Chairman of the Joint Chiefs of Staff, to conduct a review of staffing requirements for the Defense Coordinating Officers, Defense Coordinating Elements, and Emergency Preparedness Liaison Officers in both the NORTHCOM and PACOM areas of responsibility that includes but is not limited to an assessment of staff size, subject-matter expertise, and military service composition by FEMA region.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with the recommendation. DOD indicated several past and ongoing efforts will help address the recommendation. DOD highlighted, in particular, DOD Instruction 3025.16, "Defense Emergency Preparedness Liaison Officer (EPLO) Programs," published on September 8, 2011; and a draft instruction on "Defense Planning and Coordination in Support of Civil Authorities," which is undergoing substantial revision due to recent updates in the DOD initiative for DOD Support to Complex Catastrophes. DOD stated that it plans to issue the instruction in September 2014. In July 2013, U.S. Northern Command (NORTHCOM) stated that as part of the Secretary of Defense's initiative to Improve DOD support in Complex Catastrophes, the Under Secretary of Defense for Personnel and Readiness, in coordination with the Under Secretary of Defense for Policy, and the Chairman of the Joint Chiefs of Staff, based upon the requirements of NORTHCOM and U.S. Pacific Command, are to identify requirements and make recommendations to the Secretary of Defense to support effective DOD coordination and liaison with DOD's Federal, Regional, and State partners on complex catastrophe preparedness and response. As part of this effort, the Under Secretary of Defense for Personnel and Readiness will consider the feasibility of joint billets for DCOs, DCEs, EPLOs, JRMPOs, and Joint Force Headquarters (JFHQ)-States. As of September 2014, NORTHCOM's IG office stated that despite positive initiatives taken to date, a review of DCO/EPLO staffing requirements has not been completed. DOD, the Combatant Commands, and the Services would benefit from such an analysis. They added that despite positive actions taken to date to improve DCO/EPLO operations, multiple efforts are still ongoing that support this action item. DODD 3025.jj remains in development with OSD, the Services, and USNORTHCOM.
A USNORTHCOM operational planning team is in the process of coordinating command and control relationships for DCOs and their Defense Coordinating Elements (DCE). Another effort is underway to revive the annual DSCA/IDR Preparedness Workshop, which provided a vehicle for coordination among all DOD DSCA participants to institutionalize these processes. USNORTHCOM and components are still evaluating requirements and potential solutions for providing additional staff support to the DCOs/DCEs.
    Director: White, James
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: The Congress may wish to consider broadening IRS's ability to use math error authority (MEA), with appropriate safeguards against misuse of that authority.

    Agency: Congress
    Status: Open

    Comments: Congress has expanded IRS's math error authority in certain circumstances, but not as broadly as we suggested in February 2010. Congress enacted legislation in December 2015 that expands the circumstances in which IRS may use math error authority. Section 208 of division Q of the Consolidated Appropriations Act, 2016 (Public Law 114-113) gives IRS the authority to use math error authority if (1) a taxpayer claimed the Earned Income Tax Credit, Child Tax Credit, or the American Opportunity Tax Credit (AOTC) during the period in which a taxpayer is not permitted to claim such credit as a consequence of either having made a prior fraudulent or reckless claim; or (2) a taxpayer omitted information required to be reported because the taxpayer made prior improper claims of the Child Tax Credit or the AOTC. While expanding math error authority is consistent with what we recommended Congress consider, we had suggested that math error authority be authorized on a broader basis with appropriate controls rather than on a piecemeal basis. Our previous work has identified additional tax provisions for which expanded math error authority would be helpful, such as the First-Time Homebuyer Credit, Individual Retirement Accounts, and Residential Energy Property Credit. While Congress expanded math error authority for the First-Time Homebuyer Credit in November 2009 and for other individual credits as previously described, we maintain that a broader authorization of math error authority with appropriate controls would enable IRS to correct obvious noncompliance, would be less intrusive and burdensome to taxpayers than audits, and would potentially help taxpayers who underclaim tax benefits to which they are entitled. If Congress decides to extend broader math error authority to IRS, controls may be needed to ensure that this authority is used properly. Our prior work identified potential controls, such as requiring IRS to report on its use of math error authority. 
The administration also requested that Congress grant the Department of the Treasury regulatory authority to expand IRS's use of math error authority as part of its budget submission for fiscal year 2017. The 114th Congress did not provide Treasury with such authority. The Joint Committee on Taxation estimated this change could raise $274 million through fiscal years 2018 through 2026.
    Director: Shames, Lisa R
    Phone: (202) 512-2649

    2 open recommendations
    Recommendation: To better ensure FDA's oversight of the safety of GRAS substances, the Commissioner of FDA should develop a strategy to minimize the potential for conflicts of interest in companies' GRAS determinations, including taking steps such as issuing guidance for companies on conflict of interest and requiring information in GRAS notices regarding expert panelists' independence.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In September 2014, FDA indicated that guidance on potential conflicts of interest for experts participating on GRAS panels is a priority for the agency. In its Final Rule on Substances Generally Recognized as Safe (81 FR 54959), issued Aug. 17, 2016, FDA stated that it had decided to issue guidance regarding conflicts of interest and that it would announce the availability of a draft guidance document through a notice in the Federal Register. As of December 2016, FDA had not yet issued this draft guidance.
    Recommendation: To better ensure FDA's oversight of the safety of GRAS substances, the Commissioner of FDA should develop a strategy to monitor the appropriateness of companies' GRAS determinations through random audits or some other means, including issuing guidance on how to document GRAS determinations.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: On Aug. 17, 2016, FDA published a final rule on Substances Generally Recognized as Safe (GRAS) (81 FR 54959). This final rule includes a section titled "Guidance on Documenting Conclusions of GRAS Status," which states that FDA is "issuing a guidance" for companies on how to document their GRAS determinations. It is not clear from the rule the time frame for issuing this guidance, whether it will be issued in draft first for comment, and whether it will be part of the guidance on conflicts of interest that FDA also plans to issue at a later date, as noted elsewhere in the rule. As of December 2016, FDA had not issued this guidance.
    Director: Stephenson, John B
    Phone: (202)512-6225

    1 open recommendation
    Recommendation: Because EPA alone cannot address the complexities of the nation's challenges in addressing environmental health risks for children, Congress may wish to consider re-establishing a government-wide task force on children's environmental health risks, similar to the one previously established by Executive Order 13045 and co-chaired by the Administrator of EPA and the Secretary of Health and Human Services. Congress may wish to consider charging it with identifying the principal environmental health threats to children and developing national strategies for addressing them. Congress may also wish to consider establishing in law the Executive Order's requirement for periodic reports about federal research findings and research needs regarding children's environmental health.

    Agency: Congress
    Status: Open

    Comments: As of December 2016, we have not identified actions by the Congress to establish in law requirements such as those in EO 13025.
    Director: Hutton, John P
    Phone: (202)512-3000

    1 open recommendation
    Recommendation: To ensure DOD officials are able to gain insight into the risk assessment that is required to be documented in the contract file and the basis for the government's profit or fee negotiation objective, the Secretary of Defense should redesign the weighted guidelines worksheet to explicitly show the incurred cost calculations and a narrative description of the reason for assigning a specific contract-type risk value.

    Agency: Department of Defense
    Status: Open

    Comments: In providing comments on this report, the agency concurred with this recommendation but has not completed actions necessary to implement it. Defense Procurement and Acquisition Policy's (DPAP) members have drafted two proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS). The first proposed rule is designed to provide a more transparent means of documenting the impact of costs incurred during the undefinitized period of an undefinitized contract action (UCA) on allowable profit. Proposed changes to the worksheet include more transparency and narrative requirements to detail the rationale for contracting officers' assignments of weighted guideline values. In addition to proposed changes to the weighted guideline worksheet, the proposed DFARS rule also provides new narrative requirements for Price Negotiation Memorandums. The second proposed rule changes the undefinitized period for a UCA from UCA award to the date when the government receives a qualifying proposal from the contractor as opposed to the date when the UCA is definitized. These proposed rules are currently being reviewed and approved by senior DOD officials. DPAP expects to finalize these proposed rules sometime later this year. If one or both are approved, the final rules will be published after a 90-day comment period.
    Director: Aloise, Eugene E
    Phone: (202)512-6870

    2 open recommendations
    Recommendation: To strengthen NNSA's oversight practices and current and future facility modernization efforts, and to improve the transparency and usefulness of cost analyses prepared for future NNSA nuclear facilities modernization projects, the Secretary of Energy should direct the Administrator of NNSA to ensure that life cycle cost analyses include a thorough and balanced evaluation of short- and long-term construction and financing alternatives. Such analyses should consider the full useful life of the facility rather than the 20-year requirement for GSA leases or any predetermined length of time that might produce results that favor one option over another.

    Agency: Department of Energy
    Status: Open

    Comments: NNSA provided evidence that it requires life cycle cost analyses for projects greater than $20 million. However, this is not fully responsive to GAO's recommendation. For example, the recommendation stated that each life cycle cost analysis performed includes short- and long-term construction and financing alternatives and that these analyses should consider the full life of the facility rather than the 20-year requirements for GSA leases or any predetermined length of time. NNSA's actions do not address this aspect of the life cycle cost analysis. Our work found that the facility's life cycle cost analysis only covered 20 years and it failed to reflect cost savings over a longer useful life (possibly over 50 years) that could have been realized if the facility were purchased instead of leased. Nothing in the draft Order addresses how the life cycle cost period to be analyzed should be established (e.g., 20 years or 50 plus years). Our review of NNSA's additional responses has not provided sufficient evidence to close the recommendation.
    Recommendation: To strengthen NNSA's oversight practices and current and future facility modernization efforts, and because of the importance of mitigating the risks of outsourcing nuclear weapons components and other information that if exported, might allow potential adversaries to develop or advance their nuclear capabilities, the Secretary of Energy should direct the Administrator of NNSA to take immediate action to assess the effectiveness of NNSA's oversight of KCP's current export control and nonproliferation practices and, if appropriate, initiate corrective actions to strengthen that oversight.

    Agency: Department of Energy
    Status: Open

    Comments: While NNSA/contractor actions are commendable and appear to be beneficial, such as adding performance-based incentives, training 950 employees, and including new contract clauses in its supplier purchase orders, these actions do not fully satisfy the recommendation. GAO's recommendation was specifically directed at the effectiveness of NNSA's oversight of the KCP contractor's export control and nonproliferation practices and to initiate corrective actions to strengthen that NNSA oversight. While the Kansas City Site Office's addition of a performance-based incentive seems to be a good improvement, NNSA has not demonstrated its own oversight effectiveness. Our review of NNSA's response provided in March 2014 was not persuasive. In addition, GAO-16-710 found that as of May 2016, the Secretary of Energy had not used the enhanced procurement authority to ensure supply chain integrity, and the Department of Energy (DOE) had not developed processes for using the authority, as it had not fully assessed the circumstances under which the authority might be useful.
    Director: Gambler, Rebecca S
    Phone: (202)512-8816

    4 open recommendations
    Recommendation: To improve the reliability and accountability of checkpoint performance results to the Congress and the public, the Commissioner of Customs and Border Protection should establish internal controls for management oversight of the accuracy, consistency, and completeness of checkpoint performance data.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found inconsistencies in the way field agents collected and entered performance data into the checkpoint information system. As a result, data reported in the system were unreliable. We recommended that Border Patrol establish internal controls to ensure the accuracy, consistency, and completeness of checkpoint performance data. In October 2009, the Border Patrol reported internal control solutions were underway, which would primarily involve upgrading its existing checkpoint data systems and creating a checkpoint data oversight protocol. In June 2013, Border Patrol reported that it was developing a redesigned checkpoint information system that should address the data errors and issues identified by our report. The agency also noted that it was exploring ways to implement a data oversight procedure and training on the importance of accurate data collection. In October 2014, the Border Patrol reported that the recommendation was being addressed in various phases, with a new expected completion date of March 2015. In June 2015, Border Patrol revised the expected completion date to September 2015. In September 2016, Border Patrol officials stated that the agency had not yet updated its checkpoint data system or created a data oversight protocol. Without established internal controls, the integrity of Border Patrol's performance and accountability system with regard to checkpoint operations remains uncertain.
    Recommendation: To improve the reliability and accountability of checkpoint performance results to the Congress and the public, the Commissioner of Customs and Border Protection should implement the quality of life measures that have already been identified by the Border Patrol to evaluate the impact that checkpoints have on local communities. Implementing these measures would include identifying appropriate data sources available at the local, state, or federal level, and developing guidance for how data should be collected and used in support of these measures.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found that the Border Patrol had identified some measures to evaluate the impact that checkpoints have on local communities in terms of quality of life, but Border Patrol had not implemented the measures. As a result, the Border Patrol lacked information on how checkpoint operations could affect nearby communities. In October 2009, the Border Patrol reported that it was reevaluating its checkpoint performance measures, including quality of life measures. In June 2012, Border Patrol reported that the University of Arizona and the University of Texas, El Paso had completed a study for CBP on checkpoints. This study made several recommendations to Border Patrol on evaluating the impact of checkpoints on local communities using quantitative measures and with maintaining regular contact with the public to elicit opinions on experiences with the checkpoint, both positive and negative. At the time, the Border Patrol noted it intended to develop quantitative measures on community impact, such as on public safety and quality of life, using information collected in the new checkpoint information system it was planning. Border Patrol also noted that it was considering the budgetary feasibility of (1) conducting a survey of checkpoint travelers to gather detailed information about the community and impact metrics that are of highest importance to the public and (2) implementing an expedited lane for regular and pre-approved travelers. In July 2014, the Border Patrol revised the expected completion date for this recommendation to March 2015, noting that it planned to request ideas from the field commanders on what the agency could measure that would accurately depict the impact of checkpoints on the community. In June 2015, Border Patrol revised the expected completion date to September 2015. 
    In September 2016, officials from Border Patrol's Checkpoint Program Management Office said quality of life measures had not been implemented and they were not aware of any plans to develop and implement such measures.
    Recommendation: To improve the reliability and accountability of checkpoint performance results to the Congress and the public, the Commissioner of Customs and Border Protection should use the information generated from the quality of life measures in conjunction with other relevant factors to inform resource allocations and address identified impacts.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found that while the Border Patrol's national strategy cites the importance of assessing the community impact of Border Patrol operations, the implementation of such measures was lacking in terms of checkpoint operations. We recommended that Border Patrol implement such measures in areas of community concern to provide greater attention and priority in Border Patrol operational and staffing decisions to address any existing issues. In October 2009, the Border Patrol reported that once it had completed an upgrade of its existing checkpoint data systems and had reevaluated its checkpoint performance measures, the agency would begin using information garnered by these performance measures to inform future resource allocation decisions. This was originally expected to be completed by September 30, 2010, but due to budgetary and other issues, the checkpoint system upgrades were not yet completed as of June 2013. Border Patrol reported to us in June 2013 that the redesigned and upgraded checkpoint information system was expected to be implemented in September 2014. In July 2014, however, Border Patrol revised its expected completion date to March 2016. In June 2015, Border Patrol reported that it was on target to meet this March 2016 completion date. However, in September 2016, officials from Border Patrol's Checkpoint Program Management Office stated that they were not aware of any planned or completed actions to address this recommendation.
    Recommendation: To ensure that the checkpoint design process results in checkpoints that are sized and resourced to meet operational and community needs, the Commissioner of Customs and Border Protection should, in connection with planning for new or upgraded checkpoints, conduct a workforce planning needs assessment for checkpoint staffing allocations to determine the resources needed to address anticipated levels of illegal activity around the checkpoint.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection
    Status: Open

    Comments: In our review of Border Patrol traffic checkpoints, we found that Border Patrol's checkpoint strategy to push illegal aliens and smugglers to areas around checkpoints--which could include nearby communities--underscores the need for the Border Patrol to ensure that it deploys sufficient resources and staff to these areas. We recommended that Border Patrol conduct a needs assessment when planning for a new or upgraded checkpoint in order to better ensure that officials consider the potential impact of the checkpoint on the community and plan for a sufficient number of agents and resources. In October 2009, Border Patrol reported that the agency was evaluating its checkpoint policy regarding the establishment of a new checkpoint or the upgrade of an old checkpoint, and checkpoint policy changes would be finalized by September 30, 2010. Border Patrol also reported that checkpoint system upgrades that capture data on checkpoint performance would help management determine future resource needs at checkpoints. In June 2013, Border Patrol reported that due to budget and other issues, the checkpoint system upgrade had not been completed, and the rewritten checkpoint data protocol had not been approved. In June 2013, Border Patrol reported that as part of the checkpoint study conducted by the DHS Centers of Excellence, the Centers created checkpoint simulation tools that would help inform resource allocations when determining the number of inspection lanes on current or new checkpoints. The Border Patrol agreed with the utility of such a model, but noted that the Border Patrol would need to purchase modeling software--a cost-prohibitive measure in the current budget environment. In the interim, Border Patrol is developing a formal workforce staffing model to identify staffing strategies for all Border Patrol duties. Border Patrol expected to implement this model for checkpoint staffing assignments in fiscal year 2014.
    However, in July 2014, Border Patrol reported that the Border Patrol Personnel Requirements Determination project was still being developed and would not be complete until 2015. That process will inform staffing at checkpoints. As a result, Border Patrol revised its expected implementation date to September 2015. In June 2015, Border Patrol reported that it was on target to implement this recommendation by September 2015. In September 2016, Border Patrol officials reported that the agency's Personnel Requirements Determination process would not provide information on staffing needs until fiscal year 2017 or 2018, and also noted that this effort is not specifically examining staffing needs at checkpoints. Officials said there could be additional ways to address the recommendation, but that there were no ongoing efforts to do so apart from any information that may be available from the Personnel Requirements Determination process.
    Director: Brown, Orice Williams
    Phone: (202) 512-3000

    5 open recommendations
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to determine in advance the amounts built into the payment rates for estimated expenses and profit.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA is continuing (as of 08/29/2014) to analyze Write-Your-Own (WYO) payments and related flood expenses for selected companies and is evaluating the reliability (accuracy, consistency, etc.) of the National Association of Insurance Commissioners (NAIC) data for purposes of performing the analysis we had recommended.
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to annually analyze the amounts of actual expenses and profit in relation to the estimated amounts used in setting payment rates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its initial response to this report, FEMA did not concur with this recommendation. In November 2016, FEMA restated its position and concurs with this recommendation, and is in the process of implementing it.
    Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to consider the results of the analysis of payments, actual expenses, and profit in evaluating the methods for paying WYOs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA is continuing (as of 08/29/2014) to analyze WYO payments and related flood expenses for selected companies and is evaluating the reliability (accuracy, consistency, etc.) of the National Association of Insurance Commissioners (NAIC) data for purposes of performing the analysis we had recommended.
    Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to take actions to obtain reasonable assurance that NAIC flood insurance expense data can be considered in setting payment rates that are appropriate, including identifying affiliated company profits in reported flood insurance expenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA continues (as of 08/29/2014) to work with the National Association of Insurance Commissioners (NAIC) to improve the consistency with which commission, operating, and loss adjustment expenses are reported by insurance companies that participate in the National Flood Insurance Program.
    Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to develop comprehensive data analysis strategies to annually test the quality of flood insurance data that WYOs report to NAIC.

    Agency: Department of Homeland Security
    Status: Open

    Comments: FEMA continues (as of 08/29/2014) to work with the National Association of Insurance Commissioners (NAIC) to improve the consistency with which commission, operating, and loss adjustment expenses are reported by insurance companies that participate in the National Flood Insurance Program.
    Director: Dillingham, Gerald L
    Phone: (202) 512-4803

    1 open recommendation
    Recommendation: To help FAA improve the data on and the safety of air cargo operations, the Secretary of Transportation should direct the FAA Administrator to gather comprehensive and accurate data on all part 135 cargo operations to gain a better understanding of air cargo accident rates and better target safety initiatives. This can be done by separating out cargo activity in FAA's annual survey of aircraft owners or by requiring all part 135 cargo carriers to report operational data as part 121 carriers currently do.

    Agency: Department of Transportation
    Status: Open

    Comments: In 2017, FAA reported that the agency has determined that a redesign of the General Aviation and Part 135 Activity Survey (GA Survey) is not required to address the recommendation, as originally considered. Beginning with the GA survey for year 2016--survey results are being processed--FAA will identify aircraft certified for cargo operations and use the certificate type to break out operational data for cargo operations. FAA also discussed this plan with stakeholders, including the Regional Air Cargo Carriers Association, and believes this new approach will meet the recommendation for gathering comprehensive and accurate data on all part 135 cargo operations. In June 2017, FAA informed us that the agency expects to release the 2016 GA survey by October 31, 2017.
    Director: Gomez, Jose A
    Phone: (202) 512-2649

    1 open recommendation
    Recommendation: To enhance FDA's oversight of dietary supplements and foods with added dietary ingredients, and to better enable FDA to meet its responsibility to regulate dietary supplements that contain new dietary ingredients, the Secretary of the Department of Health and Human Services should direct the Commissioner of FDA to issue guidance to clarify when an ingredient is considered a new dietary ingredient, the evidence needed to document the safety of new dietary ingredients, and appropriate methods for establishing ingredient identity.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In July 2011, FDA published draft guidance for industry on new dietary ingredient notifications and related issues. This draft guidance includes information on when a dietary ingredient is considered new, evidence of safety, and methods for ingredient identity. We are waiting for the draft guidance to become final to close the recommendation.
    Director: Crosse, Marcia G
    Phone: (202) 512-3407

    1 open recommendation
    Recommendation: The Secretary of Health and Human Services should direct the FDA Commissioner to expeditiously take steps to issue regulations for each class III device type currently allowed to enter the market through the 510(k) process. These steps should include issuing regulations to (1) reclassify each device type into class I or class II, or requiring it to remain in class III, and (2) for those device types remaining in class III, require approval for marketing through the PMA process.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA has taken steps to respond to this recommendation; however, we are leaving the recommendation open because the agency has not yet taken final steps to reclassify or require premarket approval (PMA) for two class III device types allowed to enter the market through the less stringent 510(k) process. In 2009, FDA began a 5-step process to reclassify or to require PMAs for 26 class III device types. This process was modified by the Food and Drug Administration Safety and Innovation Act (FDASIA)--instead of issuing regulations as the final step, FDA issues an administrative order to reclassify or require PMAs for the device types. In 2014, the agency reported it had set a goal to have all remaining devices finalized by the second quarter of 2015; however, as of August 2017, FDA had not finished the process of reclassifying or requiring PMAs for 2 of 26 device types. The agency reported completing the process for 24 device types, and provided new planned milestones to complete the process for the remaining device types by the middle of 2018. We will leave this recommendation open until FDA makes progress in reclassifying or requiring PMAs for the remaining device types.
    Director: Williams, Orice M
    Phone: (202) 512-5837

    2 open recommendations
    Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to take steps to ensure that its rate-setting methods and the data it uses to set rates result in full-risk premium rates that accurately reflect the risk of losses from flooding. These steps should include, for example, verifying the accuracy of flood probabilities, damage estimates, and flood maps; ensuring that the effects of long-term planned and ongoing development, as well as climate change, are reflected in the flood probabilities used; and reevaluating the practice of aggregating risks across zones.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of January 2017, FEMA is taking steps to verify the accuracy of flood probabilities by collecting and analyzing data from flood insurance studies. FEMA is also continuing to monitor the completion of these studies to determine when a statistically valid amount of data is available so that it can better assess flood risk. To verify the accuracy of damage estimates, FEMA is collecting data required to revise its estimates of flood damage and is undertaking studies to determine factors beyond flood water depth that contribute to flood damage. FEMA will incorporate that information into its rate-setting methodology as the necessary data becomes available. To verify the accuracy of flood maps, FEMA continues to reassess flood risk, evaluate coastal flood maps, and update its overall map inventory. To ensure that flood probabilities reflect long-term and ongoing planned development and climate change, FEMA is working with the Technical Mapping Advisory Committee to ensure the best available information on flood probabilities is used for rate-setting. In addition, as FEMA collects information on flood probabilities, it will conduct analyses to evaluate the practice of classifying risk across zones.
    Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to ensure that information is collected on the location, number, and losses associated with existing and newly created grandfathered properties in NFIP and to analyze the financial impact of these properties on the flood insurance program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: To assess the impact of grandfathered properties on the NFIP, as of January 2017, FEMA has begun to develop a process to obtain current zone designations for all existing policyholders. In addition, FEMA is requiring zone determination data to be updated as flood maps change. According to FEMA, this will allow officials to determine which policyholders are grandfathered but will not allow the determination of a property-specific rate in all circumstances.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-6570

    4 open recommendations
    Recommendation: In order to improve the information available to the Congress for reauthorization, the Secretary of Transportation should analyze and report on trends currently anticipated to affect highway safety through 2020 and beyond in a systematic fashion--including information on high-clockspeed trends, discussion of evidence about these and other individual trends, their implications and potential interactions, and DOT responses.

    Agency: Department of Transportation
    Status: Open

    Comments: DOT has not responded to this recommendation, but DOT announced a distracted driving summit September 30-October 1, 2009, with a limited number of invitees, and invited the GAO Assistant Director on this report to participate. U.S. Transportation Secretary Ray LaHood stated that the purpose of the summit is "to address the dangers of text-messaging and other distractions behind the wheel." The summit will include "senior transportation officials, elected officials, safety advocates, law enforcement representatives and academics" who will convene in Washington, DC "to discuss ideas about how to combat distracted driving."
    Recommendation: The Secretary of Transportation should evaluate whether or not new approaches to data collection are needed to better track new trends related to highway safety.

    Agency: Department of Transportation
    Status: Open

    Comments: DOT has not responded to this recommendation.
    Recommendation: In order to develop an approach to decision making and the development of evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty, the Secretary of Transportation should consider and evaluate practices and principles for making decisions under conditions of uncertainty and for using data in such decision making and, on that basis, develop an approach to guide decision making on high-clockspeed trends that, although somewhat uncertain, may affect highway safety.

    Agency: Department of Transportation
    Status: Open

    Comments: In GAO-09-56, GAO recommended the Secretary of Transportation consider and evaluate practices and principles for making decisions under conditions of uncertainty and for using data in light of issues encountered in developing evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty. GAO had studied driver distraction involving electronic devices, in particular cell phones with texting capability, and identified these evolving electronic devices as a high-clockspeed trend. DOT reports several actions on distracted driving, specifically: (1) an Executive Order to federal employees not to engage in text messaging while driving government-owned vehicles; when using electronic equipment supplied by the government while driving; or while driving privately owned vehicles when they are on official business; (2) the Secretary called on state and local governments to (a) make distracted driving part of their state highway plans, (b) pass state and local laws against distracted driving in all types of vehicles, (c) back up public awareness campaigns with high-visibility enforcement actions; (3) the Secretary directed the Department to establish an on-line clearinghouse on the risks of distracted driving and also (4) pledged to continue the Department's research on how to best combat distracted driving. DOT also notes that the Department's www.distraction.gov website provides information on the latest data on distracted driving and that 34 states have passed laws against texting and driving since the 2009 announcement by the Secretary of DOT.
    Recommendation: In order to improve the information available to the Congress for reauthorization, the Secretary of Transportation should determine, in consultation with relevant congressional committees, schedules for periodic reporting that will be sufficiently frequent to update the Congress on fast-changing trends.

    Agency: Department of Transportation
    Status: Open

    Comments: DOT has not responded to this recommendation.
    Director: Trimble, David C
    Phone: (202) 512-6225

    2 open recommendations
    Recommendation: Congress may wish to consider amending CSB's authorizing statute or the Inspector General Act of 1978 to permanently give Environmental Protection Agency's (EPA) Inspector General the authority to serve as the oversight body for the agency.

    Agency: Congress
    Status: Open

    Comments: Congress has not taken action yet.
    Recommendation: As Congress prepares the appropriation of the EPA Inspector General, it may wish to consider providing the Inspector General with appropriations and staff allocations specifically for the audit function of CSB via a direct line in the EPA appropriation.

    Agency: Congress
    Status: Open

    Comments: Congress has not taken action yet.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it had substantially completed its corrective actions to address 19 penalty programming issues it had identified from its internal assessment of penalty computation programs. However, as of September 30, 2016, IRS had not provided us with supporting documentation to validate that it completed the corrective actions. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Director: Dicken, John E
    Phone: (202) 512-7043

    1 open recommendation
    Recommendation: To help states identify and address quality-of-care concerns among individuals with developmental disabilities receiving Medicaid HCBS waiver services, the Administrator of CMS should encourage states to (1) include death as a critical incident and conduct mortality reviews if they do not already do so and (2) broaden their mortality review processes if they already include death as a critical incident and conduct mortality reviews.

    Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
    Status: Open

    Comments: In August 2009, CMS stated that it anticipated adding a question about mortality reviews to its next web-based version of the Home and Community-Based Services waiver application. CMS also indicated at that time that the next application version (i.e., Version 3.6) would be released in 2010. However, in July 2010, CMS indicated that this version would not be produced until 2011. In its 2011 update, CMS indicated that the version 3.6 online application had not yet been operationalized and therefore the recommendation should be left open until next year. In July 2013, CMS stated that version 3.6 remains on hold and that the agency is exploring other options for addressing this recommendation, with a target completion date of 12/31/2014.
    Director: Trimble, David C
    Phone: (202) 512-6225

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To develop timely chemical risk information that EPA needs to effectively conduct its mission, the Administrator, EPA, should require the Office of Research and Development to re-evaluate its draft proposed changes to the IRIS assessment process in light of the issues raised in this report and ensure that any revised process periodically assesses the level of resources that should be dedicated to this significant program to meet user needs and maintain a viable IRIS database.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: In October 2016 we reviewed information provided by EPA related to this recommendation. The issuance of the Integrated Risk Information System (IRIS) Program Multi-Year Agenda in December 2015 demonstrated progress in responding to this recommendation. While we are currently reviewing additional documentation on how the agenda development process assessed the level of resources needed to meet user demand and to maintain a viable IRIS database, we will reevaluate how EPA continues to document the level of resources dedicated to this program to determine whether updates are occurring periodically.