Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Sensitive data"

    8 publications with a total of 22 open recommendations including 2 priority recommendations
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to define procedures for overseeing state-based marketplaces, to include day-to-day activities of the relevant offices and staff.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency concurred with the recommendation and stated that it plans to implement it. Subsequent to the agency informing us that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to require continuous monitoring of the privacy and security controls over state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency concurred with the recommendation and stated that it plans to implement it. Subsequent to the agency informing us that it has taken action, we plan to verify whether implementation has occurred.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To provide greater awareness of and compliance with the specialty metal restrictions among DOD weapon system programs and their defense supplier-base, the Secretary of Defense should establish a mechanism for sharing and distributing non-sensitive information about national security waivers throughout the department and the defense supplier-base.

    Agency: Department of Defense
    Status: Open

    Comments: To address the recommendation, the Defense Contract Management Agency (DCMA) is presently working on a substantive change to their internal instruction regarding the Government-Industry Data Exchange Program (GIDEP)and DCMA Forum Regarding Defective/Nonconforming Product and Process Notifications. The new version of this guidance (DCMA-INST-301), upon its planned release in March 2018, will address both specialty metals non-compliance and counterfeit occurrences. Additionally, DCMA officials stated they are communicating DCMA's specialty metals non-compliance reporting process via a Quality Technical Information Paper and the DCMA Forum (an internal DCMA communication tool). DCMA's website also includes guidance on reporting of specialty metals non-compliance issues.
    Director: Clark, Cheryl E
    Phone: (202) 512-9377

    2 open recommendations
    Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to establish and implement policies and procedures requiring a review process to reasonably assure that the accounts related to deceased taxpayers are only reopened for valid refunds.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In January 2016, IRS automated the process of locking deceased taxpayer accounts during its year-end processing. However, during our fiscal year 2016 audit, we continued to find instances in which IRS employees reopened deceased taxpayer accounts and disbursed invalid refunds. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to establish and implement policies and procedures that require monitoring to reasonably assure that accounts related to deceased taxpayers that have been reopened are timely closed after processing the refund.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In January 2016, IRS automated the process of locking accounts related to deceased taxpayers during its year-end processing. However, during our fiscal year 2016 audit, we continued to find instances in which IRS employees reopened deceased taxpayer accounts to process refunds and did not close them timely. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.