Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Security operations"

    5 publications with a total of 33 open recommendations including 1 priority recommendation
    Director: Shelby S. Oakley
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: To improve the awareness of how risk-significant radioactive sources are transported within the United States and to better determine whether Nuclear Regulatory Commission (NRC) is meeting its goal of providing reasonable assurance for preventing the theft or diversion of these dangerous materials, the Chairman of NRC should take actions to collect information from licensees on the number of shipments and mode of transport for such sources--for example, by identifying the extent to which an existing NRC database (e.g., the National Source Tracking System) may be used to capture this information.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In its 60-day response letter from NRC to GAO, NRC repeated its position on this recommendation as stated in its formal agency response that was included as appendix III in the report. In both cases, NRC states that it disagrees with this recommendation. NRC disagrees that the specific number of shipments by mode of transport is always needed. NRC explained that existing information collection requirements already exist for category 1 quantities and that it had previously determined that collection of shipment information for category 2 quantities was not necessary. NRC also stated that NSTS would not be the appropriate database to capture shipment information; it is not designed to capture real-time information. In addition, NRC does not consider the proposed collection activity to be of sufficient benefit to justify the additional cost of capturing the information. Therefore, NRC does not believe that adopting this recommendation would result in significant improvements to safety. Despite its disagreement with this recommendation, we will continue to monitor whether NRC takes any actions that would result in addressing the concern GAO raised.
    Recommendation: To further enhance the security of radioactive sources during ground transport, the Chairman of NRC, in consultation with the Secretary of Transportation and the Secretary of Homeland Security, should identify an approach to verify that motor carriers are meeting NRC's Part 37 security requirements applicable to transportation, for example by having DOT inspectors verify compliance with NRC Part 37 security requirements during their on-site investigations.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: As noted in the NRC comments on the GAO report, the NRC agrees in general with the second recommendation to explore with Federal partners an approach to verify that motor carriers meet 10 CFR Part 37 transportation security requirements. The NRC commits to exploring how the respective agencies can verify that motor carriers are meeting the NRC's applicable Part 37 transportation security requirements. This recommendation will remain open until NRC presents evidence that it has acted on it.
    Recommendation: To further enhance the security of radioactive sources during ground transport, the Secretary of Transportation, in consultation with the Chairman of NRC and the Secretary of Homeland Security, should consider examining the potential costs and security benefits associated with lowering the Highway Route Controlled Quantity (HRCQ) threshold so that more, or all, category 1 shipments are classified as HRCQ shipments.

    Agency: Department of Transportation
    Status: Open

    Comments: In its 60-day response letter, NRC stated that it recognizes that HRCQ thresholds fall under the jurisdiction of DOT. The NRC commits to exploring with DOT the potential costs and security benefits associated with lowering the HRCQ threshold so that more if not all , of the shipments of Category 1 quantities of radioactive material may be classified as HRCQ shipments. In its 60-day response letter, DOT concurred with this recommendation and stated that it planned to consult with NRC and the Department of Homeland Security Domestic Nuclear Detection Office, and its internal stakeholders to evaluate potential costs and security benefits of lowering the HRCQ threshold, which they expect to complete by January 15, 2018. This recommendation will remain open until evidence is presented by NRC and DOT that they have examined the costs and benefits of lowering the HRCQ threshold.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    22 open recommendations
    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. Instead, we are reviewing the relevant OMB memoranda that officials believe address the intent of the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with the FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with the recommendation, stating that the department's policy documents are expected to be updated by the end of the 4th Quarter in 2017. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) did not concur with our recommendation, nor has it provided evidence that it has implemented the recommendations.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning implementing, evaluating, and documenting remedial actions.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain Departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of State
    Status: Open

    Comments: The Department of State (State) concurred with this recommendation. We are currently reviewing the evidence provided by State to determine whether the role of the CISO has been defined in its policy to for ensuring that State has procedures for incident detection, response, and reporting.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to for ensuring that subordinate security plans are documented for the agency's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to ensure recovery and continued operations of the agency's information systems in the event of a disruption.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in agency policy for the periodic authorization of the department's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. We are currently reviewing the evidence provided by NASA to determine whether the role of the SAISO has been defined in agency policy for oversight of security for information systems that are operated by contractors on NASA's behalf.
    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business administration (SBA) concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Goldstein, Mark L
    Phone: (202)512-6670

    2 open recommendations
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of April 2017, The Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Recommendation: The Secretary of Homeland Security and Attorney General should instruct the Director of FPS, and the Director of the Marshals Service, respectively, to jointly lead an effort, in consultation and agreement with the judiciary and GSA, to update the MOA on courthouse security to address the challenges discussed in this report. Specifically, in this update to the MOA stakeholders should: (1) clarify federal stakeholders' roles and responsibilities including, but not limited to, the conditions under which stakeholders may assume each other's responsibilities and whether such agreements should be documented; and define GSA's responsibilities and determine whether GSA should be included as a signatory to the updated MOA; (2) outline how they will ensure greater participation of relevant stakeholders in court or facility security committees; and (3) specify how they will complete required risk assessments for courthouses, referred to by the Marshals Service as court security facility surveys and by FPS as facility security assessments (FSA), and ensure that the results of those assessments are shared with relevant stakeholders, as appropriate.

    Agency: Department of Justice
    Status: Open

    Comments: As of April 2017, The Federal Protective Service, U.S. Marshals Service, Administrative Office of the U.S. Courts, and General Services Administration were working to update the memorandum of agreement on courthouse security. An updated memorandum has been drafted, but it has yet to be signed by all parties. Consequently, resolution of this recommendation is pending until further action is taken.
    Director: Clark, Cheryl E
    Phone: (202)512-9521

    3 open recommendations
    Recommendation: Based on a review of all existing contracts under $100,000 without an appointed COTR that should require contract employees to obtain favorable background investigation results, the Commissioner of the IRS should direct the appropriate IRS officials to amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it has completed its contract review and made appropriate modifications as of July 2016. However, the modifications to the contracts were not made available for our review during the fiscal year 2016 audit. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, several internal organizations will partner to identify the remaining actions needed to address this recommendation. According to IRS, these actions include developing policies and procedures to reasonably assure that (1) oversight between IRS's key offices is conducted to determine whether potential service awards IRS enters into involve routine, unescorted, unsupervised physical access to taxpayer information by contractors, thus requiring background investigations, and (2) the resulting processes make clear who is responsible for completing the various steps, as well as who must maintain documentation of the approved access determination prior to the contractor being allowed to provide the services. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, it would update campus post orders to help ensure timely reporting, monitoring and repair of exterior lighting outages. In addition, AWSS engaged in discussions with personnel from FPS and GSA to coordinate responsibilities and suggested changes for post orders when security services are contracted by those entities. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In April 2013, DHS reported that it had taken a number of steps to address our recommendations. For example, it had refreshed and reissued fraudulent document detection training to enrollment personnel; created a mechanism for enrollment personnel to send detailed information of suspected fraud to adjudication personnel; benchmarked TWIC enrollment processes with passport enrollment processes; and defined guidance for adjudicators on the application of discretionary authority. As we reported in May 2013, to determine if the internal control weaknesses identified in our May 2011 report still exist, we conducted limited covert testing in late 2012. Our investigators again acquired an authentic TWIC through fraudulent means and were able to use this card and counterfeit TWIC cards to access areas of ports or port facilities requiring a TWIC for entry at four ports. In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. In January 2017 TSA awarded a contract for an internal control assessment of the TWIC program, including the TWIC program?s internal controls of the enrollment, background checking, and credential issuance processes. The assessment, however, is to exclude an assessment of Coast Guard?s role in TWIC enforcement. The project held a kickoff meeting in March of 2017 and is expected to produce final recommendations by August 2017. We believe that this is a positive step towards addressing our recommendation. However, the assessment does not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. We continue to believe that the internal control assessment inclusive of TWIC use and the interrelationship between acquiring a TWIC and using it in the maritime environment is needed. For the reasons noted above, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. In March 2012, DHS reported that it agreed that the results and progress of the internal control actions should be used to further evaluate the effectiveness of the TWIC program. They further noted that as the different long term actions progress, DHS will develop specific plans to address this action. In May 2013 (see GAO-13-198), we reported that DHS had not addressed this recommendation. On January 17, 2014, the explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the assessment that we recommended within 90 days after enactment (April 17, 2014). In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. As of March 2017, the internal control assessment we recommended as the basis for initiating the effectiveness assessment had not been completed. However, on January 15, 2016, Coast Guard reported that it had completed its effectiveness assessment. Specifically, DHS completed an effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers." However, the effectiveness assessment did not substantively address the risk concerns identified in our report. For example, the effectiveness assessment lacked the internal control assessment we deem to be the critical first step for fully understanding the TWIC program's controls, costs, and risks. Further, while the effectiveness assessment presented a comparison of alternative credentialing approaches, the assessment did not fully consider, as discussed in our 2011 and 2013 reports, an approach wherein federal security threat assessments could be leveraged in concert with site-specific credentials. The analysis did consider the benefits of updating the TWIC credential to new federal credentialing standards. However, absent from the analysis is a risk-informed basis for disallowing site-specific credentials. While TWIC credentials are developed based on standards aligned with those used by federal entities, each federal entity continues to use site-specific credentials that have varying appearances, rather than a single credential for granting access to all federal entities. This is important, especially because Coast Guard's risk assessment does not include an evaluation of the security benefits and shortfalls that a single credential used nation-wide provide. Absent effectiveness assessment that meets the intent of our recommendation, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and needed corrective actions could better inform and enhance the reliability of the new regulatory analysis. Moreover, these actions could help DHS identify and assess the full costs and benefits of implementing the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks, and help ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. We therefore recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In March 2012, DHS reported that upon completion of the internal control and effectiveness assessments, DHS will evaluate the results to determine any subsequent actions, and that any applicable data or risks will be communicated to the Coast Guard for consideration during their regulatory analysis. However, DHS has not implemented the internal control assessment we recommended, which is to be the basis for the effectiveness assessment and addressing this recommendation. Further, the January 15, 2016 effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers" did not substantively address the risk concerns identified in our report. Given shortfalls that remain in addressing our internal control assessment and effectiveness assessment recommendations, this recommendation remains open pending DHS taking corrective actions. As of March 2017, no further action has been taken.