Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Security regulations"

    5 publications with a total of 16 open recommendations including 3 priority recommendations
    Director: Kirschbaum, Joseph W
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    6 open recommendations
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Secretary of the Department of Homeland Security should direct FPS to develop and implement a strategy for using covert-testing data and data on prohibited items to improve FPS's security-screening efforts. The strategy should, at a minimum, aim to ensure that: (1) covert-testing data are used to systematically monitor, review, and improve performance nationwide; (2) covert-testing data are used to determine which testing scenarios will be implemented or reinstated; and (3) data on prohibited items are analyzed to determine the reasons for wide variations in the number of reported prohibited-items detected across buildings and to assist with managing the screening process and informing policy.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, implementation of this recommendation was in process, according to the Federal Protective Service (FPS). FPS provided no additional information, but plans to update GAO in the coming weeks on the status of this and other open recommendations.
    Director: Trimble, David C
    Phone: (202) 512-3841

    3 open recommendations
    including 3 priority recommendations
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, the Administrator of EPA should consider promulgating a rule under TSCA section 8, or take action under another section, as appropriate, to require chemical companies to report chemical toxicity and exposure-related data they have submitted to the European Chemicals Agency.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report chemical toxicity and exposure-related data submitted to the European Chemicals Agency due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the law was signed by the President on June 22, 2016, EPA finalized a rule to establish the agency's process for evaluating high priority chemicals to determine whether or not they present an unreasonable risk to health or the environment and finalized a rule to require industry reporting of chemicals manufactured or processed in the US over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our recommendation. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, the Administrator of EPA should consider promulgating a rule under TSCA section 8, or take action under another section, as appropriate, to require chemical companies to report exposure-related data from processors to EPA.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report exposure-related data from processors to EPA due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the law was signed by the President on June 22, 2016, EPA has completed some implementation activities, including finalizing a rule to require industry reporting of chemicals manufactured or processed in the US over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our open recommendation. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, and to better position EPA to ensure chemical safety under existing TSCA authority, the Administrator of EPA should direct the appropriate offices to develop strategies for addressing challenges that impede the agency's ability to meet its goal of ensuring chemical safety. At a minimum, the strategies should address challenges associated with: (1) obtaining toxicity and exposure data needed to conduct ongoing and future TSCA Work Plan risk assessments, (2) gaining access to toxicity and exposure data provided to the European Chemicals Agency, (3) working with processors and processor associations to obtain exposure-related data, (4) banning or limiting the use of chemicals under section 6 of TSCA and planned actions for overcoming these challenges--including a description of other actions the agency plans to pursue in lieu of banning or limiting the use of chemicals, and (5) identifying the resources needed to conduct risk assessments and implement risk management decisions in order to meet its goal of ensuring chemical safety.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of July 2017, EPA is better positioned to take action to require chemical companies to report chemical toxicity and exposure data, analyze the data, take necessary actions, and identify the resources needed for evaluating and managing risk to ensure chemical safety due to passage of the new TSCA law, the Frank R. Lautenberg Chemical Safety for the 21st Century Act. Since the new law was signed by the President on June 22, 2016, EPA finalized a rule to establish the agency's process for evaluating high priority chemicals to determine whether or not they present an unreasonable risk to health or the environment and finalized a rule to require industry reporting of chemicals manufactured or processed in the U.S. over the past 10 years. However, EPA has not yet carried out actions consistent with the substance of our recommendation, including actually obtaining the data necessary to make risk-informed regulatory decisions, and then making those decisions as appropriate. Once EPA has carried out such actions, we will reassess the status of this open recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-3000

    4 open recommendations
    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency: Department of Commerce
    Status: Open

    Comments: As of June 2017, Commerce had not submitted information or plans regarding revoking PIV cards in a timely fashion.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency: Department of the Interior
    Status: Open

    Comments: As of June 2017, Interior had not yet provided specific implementation plans for enabling PIV access to the department's major facilities.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency: Department of Labor
    Status: Open

    Comments: As of June 2017, Labor had not provided any information about whether the department's plans for PIV-enabled physical access at major facilities were being implemented in a timely manner.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: As of March 2017, NASA reported that it had begun implementing procedures for PIV-based logical access for the Apple Mac computers and mobile devices in its computing environment. NASA procured software to begin the transition of the Apple computers, but due to configuration issues the transition was not scheduled to be completed until December 2017. Further, NASA had begun the transition for mobile devices, which was scheduled to be completed by September 2017.