Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Strategic information systems planning"

    20 publications with a total of 94 open recommendations including 11 priority recommendations
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    3 open recommendations
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task an integrated project team, made up of an IT project manager and business owner, with including specific actions in the Public Health and Medical Situational Awareness Strategy Implementation Plan for conducting all activities required to establish and operate the network.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task the integrated project team with developing a project management plan that includes measurable steps--including a timeline of tasks, resource requirements, estimates of costs, and performance metrics--that can be used to guide and monitor HHS's actions to establish the network defined in the plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance, under the leadership of the HHS CIO.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's IT strategic plan to include well-defined goals, strategies, measures, and timelines for modernizing its systems.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that the IT investment process guidance lays out the roles and responsibilities of all working groups and individuals involved in the agency's governance process.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to finalize the restructure of the Office of Information Technology, including fully defining the roles and responsibilities of the CIO.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that appropriate governance bodies review all IT investments and track corrective actions to closure.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that required operational analyses are performed for Aspen, Motor Carrier Management Information System, Sentri 2.0, and Unified Registration System on an annual basis.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify performance metrics and associated targets for the goals and objectives in the department's IT strategic plans, including the Information Resources Management strategic plan and the Health Information Strategic Plan, as they relate to the delivery of health IT and the VHA mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and described planned coordination with the Office of Information and Technology and the Veterans Health Administration to develop or revise and maintain performance metrics that support the strategic and health information technology goals and objectives. The department plans to revise performance metrics to align to new goals and objectives by June 2018.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that the department-level investment review structure is implemented as planned and that guidance on the IT governance process is documented and identifies criteria for selecting new investments, and reselecting investments currently operational at VHA.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and a document describing the proposed alignment and interdependencies between the 11 governance boards. We will continue to monitor the implementation of the proposed relationships and review any additional guidance issued that further describes the process used by the governance boards for selecting and reselecting information technology investments.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify additional performance metrics to align with VHA's core business functions, and then use these metrics to determine the extent to which the department's IT systems support performance of VHA's mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation. These steps include developing a set of core metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that information technology investments are aligned to business needs and that expected outcomes are defined prior to making the investments. The department plans to complete this work by September 2018. We will continue to monitor VA's progress on these efforts.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that unmet IT needs identified by key program areas--pharmacy benefits management, scheduling, and community care--are addressed appropriately and that related business functions are supported by IT systems to the extent required.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. The department has described its intention to ensure that unmet information technology needs for the pharmacy benefits management, scheduling, and community care program areas are addressed appropriately during fiscal year 2018 budget formulation. We will follow up with VA to ascertain what needs have been addressed, closed, or reprioritized for each program office during fiscal year 2018.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To increase the likelihood that its IT investments develop reliable cost estimates, the Secretary of HUD should finalize, and ensure the implementation of, guidance that incorporates the best practices called for in the GAO Cost Estimating and Assessment Guide.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intends to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. HUD anticipates completing the OCIO IT Management Framework guidance that is intended to incorporate cost estimating principles for IT projects by September 1, 2017.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD Chief Information Officer (CIO), and other entities, as appropriate, to develop a detailed JIE scope statement that is verified by stakeholders and approved by the Executive Committee.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had made progress in implementing the recommendation. Specifically, the department developed a draft Joint Information Environment (JIE) scope statement that can provide the context and framework for reporting, tracking, and controlling JIE activities. According to written comments on the status of the recommendation provided by the department in July 2017, this scope statement will be presented to the JIE Executive Committee in August 2017 for approval. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to establish a plan for managing, documenting, and communicating scope.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had made progress in implementing the recommendation. Specifically, the department developed a draft JIE scope statement, which documents the scope of JIE and describes how updates to its scope will be periodically reviewed and approved. According to written comments on the status of the recommendation provided by the department in July 2017, the draft will be presented to the JIE Executive Committee in August 2017 for approval. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented the recommendation. According to written comments on the status of the recommendation provided by the department, it developed cost baselines for two components of JIE. However, it did not develop cost estimates for the other JIE components. Specifically, the JIE Executive Committee approved the cost estimate for the Joint Regional Security Stacks in April 2017. In addition, the department's comments stated that the cost baseline for the Mission Partner Environment-Information System (MPE-IS) was included in the MPE-IS Business Case Analysis and presented to the department's Office of Cost Assessment and Program Evaluation in July 2016. We are in the process of reviewing the cost estimates for these components. The department further stated that as solutions for other JIE efforts are established, their cost baselines will be added as appropriate.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the department had not implemented the recommendation. We will continue to monitor the department's efforts to address this recommendation by periodically requesting and evaluating updated information.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not fully implemented this recommendation. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS. In addition, the Executive Committee memo approving this schedule baseline indicated that the Executive Committee planned to review and approve a schedule baseline for the Secure Internet Protocol Router network component of JRSS by the end of fiscal year 2017. However, the department has not demonstrated that it has a schedule management plan or that its schedule was developed consistent with the practices described in our report.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented the recommendation. In its June 2016 written comments on a draft of our report, the department stated that the National Institute of Standards and Technology and the Office of Personnel Management were to publish a coding structure in response to the Federal Cybersecurity Workforce Assessment Act of 2015. DOD stated that this structure would inform steps DOD planned to take to identify the type of personnel and specific skills required to support enterprise operations and services and the government capabilities needed to effectively achieve JIE. However, as of July 2017, the department had not demonstrated that it has taken action to implement our recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the department had not implemented the recommendation. We will continue to monitor the department's efforts to address this recommendation by periodically requesting and evaluating updated information.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy and schedule to transition JRSS to the Risk Management Framework, and develop the security plan required by the new framework.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented this recommendation. In January 2017, the Joint Regional Security Stacks (JRSS) program received a six-month provisional Risk Management Framework Authority to Operate. According to a July 2017 update from the department on the status of this recommendation, the JRSS program management office was in the process of requesting another six-month provisional authority to operate. However, the department has not developed a strategy and schedule to complete transition of JRSS to the Risk Management Framework or developed the security plan required by the framework.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense had taken steps to address the recommendation and we are in the process of reviewing documentation the department provided in July 2017 to determine if it sufficiently addresses the recommendation. Specifically, in April 2017, the JRSS program office documented the methodology, ground rules, and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. We are in the process of reviewing the cost estimate documentation and will update this status after completing the review.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition, OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document artifacts that support recommendation closure consistent with SEC policy.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document a comprehensive physical inventory of the systems and applications in the production environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to establish schedules and milestones for completing a version of an IT strategic plan that incorporates elements to align the plan's strategies with agency-wide priorities; includes results-oriented goals and performance measures that support the agency's mission, along with targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; identifies key IT initiatives that support the agency's goals; and describes interdependencies among the initiatives.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: The EPA Administrator should direct OGD to develop a timetable with milestones and identify and allocate resources for adopting electronic records management for all 10 regional offices.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts ongoing. According to EPA officials, the Office of Grants and Debarment established an agency-wide electronic grants record workgroup in FY 16 Q1. The workgroup identified the contents of the electronic grant file, technical options and evaluation criteria. OGD has initiated an alternatives analysis and expects to present the results of that analysis to the Grants Management Council in FY 17 Q1. Once the GMC selects the technical approach, the Agency will identify available funding for implementation through the budget process.
    Recommendation: The EPA Administrator should direct OGD to implement plans for adopting an up-to-date and comprehensive IT system by 2017 that will provide accurate and timely data on agencywide compliance with grants management directives.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts ongoing. According to EPA officials, OGD is already underway with a multi-modular project to upgrade the agency's grants management IT system (IGMS). Module 2 of 3 is on schedule for deployment in FY17 Q1. The final Module is on schedule for deployment in early FY18. OGD will incorporate in the project performance tracking of priority directives in accordance with the policy framework of the new Grants Management Plan.
    Recommendation: Until the new IT system is implemented, the EPA Administrator should direct OGD to develop ways to more effectively use existing web-based tools to better monitor agencywide compliance with grants management directives.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts ongoing. According to EPA officials, OGD has already developed the capability to provide managers cumulative annual baseline monitoring data. Further capabilities of web-based tools, namely the replacement of OGD's primary tool Quik Reports, are on schedule for deployment in FY17 Q1. This effort combined with updates to the Grants Datamart will provide valuable long term enhancements for the Agency's grant reporting needs.
    Director: Joe Kirschbaum
    Phone: (202) 512-9971

    4 open recommendations
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

    Agency: Department of Defense
    Status: Open

    Comments: In commenting on this report, DOD and DOE concurred with our recommendation to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates and ensure the accuracy and completeness of the information included. DOD stated that it added information on the methodologies used to develop the estimates in the April 2015 joint report and would consider including further information in subsequent reports. However, neither department provided information on the specific steps it would take to ensure the accuracy and completeness of the information included in future joint reports. We continue to believe that the joint reports should include accurate and complete budget estimates.
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the DOD CIO, and the Secretary of Energy direct the Administrator of NNSA to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes.

    Agency: Department of Defense
    Status: Open

    Comments: In commenting on this report, DOE concurred and DOD partially concurred with our recommendation to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes. DOD noted that Section 1043 of the National Defense Authorization Act for Fiscal Year 2012, which required the joint report, does not require a comparative year-to-year analysis, and recommended that Congress amend the existing language to require that the joint report include an additional subsection providing a quantitative comparison of current budget estimates with the previous year's data. While Section 1043 does not require a comparative year-to-year analysis, the departments are not restricted from including such information and we continue to believe that providing comparative information on changes in the budget estimates from year-to-year and explanations for the changes would be beneficial to congressional decision makers.
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the DOD CIO, and the Secretary of Energy direct the Administrator of NNSA to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to establish and implement an improvement plan to guide the agency in adopting recognized best practices and following agency policy.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA developed a Strategic IT Roadmap to assist the agency's business and IT leadership in prioritizing IT investments. In addition, FSA stated that it will develop and document a comprehensive improvement plan that is to delineate tactical steps, timelines, and performance metrics to track incremental progress in adopting recognized best practices and program management capabilities. We will continue to monitor the agency's progress in documenting and implementing its improvement plan.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in developing and managing system requirements before proceeding with any further system development to deliver previously envisioned MIDAS functionality. Specifically, the Administrator should ensure that requirements are complete, unambiguous, and prioritized; commitment to requirements is obtained through a formal requirements baseline; differences (or gaps) between the requirements and capabilities of the intended solution (including commercial off-the-shelf solutions) are analyzed; strategies to address any gaps are developed; and requirements are traced forward and backward among development products.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA reported that it will improve the rigor and adherence to requirements management processes for all IT projects, utilizing processes and tools that will support the integrity of the requirements throughout the lifecycle, to ensure that requirements are complete, formally baselined, gaps are analyzed, and fully traceable forward and backward. FSA also noted that it is pursuing an enhanced, more comprehensive governance structure that will further support its commitment to increasing rigor and adherence to defined requirements management processes. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in planning and monitoring projects. Specifically, the Administrator should ensure that project plans include predefined expectations for cost, schedule, and deliverables before proceeding with any further system development; updates to the project plan are made through change control processes; and progress against the project plan, including work performed by contractors, is monitored.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA noted that it began an initiative to improve the agency's use of capital planning guidance from the Office of Management and Budget and would prepare corrective action plans to address identified weaknesses in fiscal year 2016. FSA also noted that it was conducting a series of training classes on capital planning and IT project management across the agency, developing a risk management program, and strengthening the use of earned value management. We will continue to monitor the agency's progress on its project planning efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in system testing. Specifically, the Administrator should establish well-defined test plans before proceeding with any further system development, and ensure that testing of (a) individual system components, (b) the integration of system components, and (c) the end-to-end system are conducted.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that going forward the agency will adhere to recognized best practices and agency policy in pursuing consistent or increased rigor around system testing. The agency noted that it plans to demonstrate that its testing capabilities are consistent and repeatable across all FSA IT projects. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in executive-level IT governance before proceeding with any further system development. Specifically, an executive-level governance board should (1) review and approve a comprehensive business case that includes a life cycle cost estimate, a cost-benefit analysis, and an analysis of alternatives for proposed solutions that are to provide former MIDAS requirements prior to their implementation; (2) ensure that any programs that are to accommodate former MIDAS requirements are fully implementing the IT program management disciplines and practices identified in this report; (3) conduct a post-implementation review and document lessons learned for the MIDAS investment; and (4) reassess the viability of the MIDAS technical solution before investing in further modernization technologies.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that, as part of its organizational transformation efforts, the CIO is evaluating its governance structure and updating the charter for the agency-wide IT investment review board with the support of the agency's Executive Leadership Council. FSA also noted that it will adhere to the department's governance framework and processes. We will continue to monitor the agency's implementation of these efforts and how they address our recommendation.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    6 open recommendations
    Recommendation: To ensure that CBP's land mobile radio systems are functioning as intended in each location and are meeting user needs, the CBP Commissioner should develop a plan to monitor the performance of its deployed radio systems.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure the ICE TACCOM program is effectively managed, the Assistant Secretary of ICE should develop a program plan to ensure that the agency establishes the appropriate documentation of resource needs, program goals, and measures to monitor the performance of its deployed radio systems.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Immigration and Customs Enforcement
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve CBP training efforts, the CBP Commissioner should develop and implement a plan to address any skills gaps for CBP agents and officers related to understanding the new digital radio systems and interagency radio use protocols.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve CBP training efforts, the CBP Commissioner should develop a mechanism to verify that all Border Patrol and OFO radio users receive radio training.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve ICE training efforts, the Assistant Secretary of ICE should develop and implement a plan to address any skills gaps for ICE agents related to understanding the new digital radio systems and interagency radio use protocols.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Immigration and Customs Enforcement
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve ICE training efforts, the Assistant Secretary of ICE should develop a mechanism to verify that all ICE radio users receive radio training.

    Agency: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Immigration and Customs Enforcement
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: Sullivan, Michael J
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To help improve DOD's milestone decision process, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics in collaboration with the military service acquisition executives, program executive officers, and program managers to, as a longer-term effort, select several current or new major defense acquisition programs to pilot, on a broader scale, different approaches for streamlining the entire milestone decision process, with the results evaluated and reported for potential wider use. The pilot programs should consider the following: (1) Defining the appropriate information needed to support milestone decisions while still ensuring program accountability and oversight. The information should be based on the business case principles needed for well-informed milestone decisions including well defined requirements, reasonable life-cycle cost estimates, and a knowledge-based acquisition plan. (2) Developing an efficient process for providing this information to the milestone decision authority by (a) minimizing any reviews between the program office and the different functional staff offices within each chain of command level and (b) establishing frequent, regular interaction between the program office and milestone decision makers, in lieu of documentation reviews, to help expedite the process.

    Agency: Department of Defense
    Status: Open

    Comments: The Office of the Secretary of Defense issued a policy directive called Better Buying Power 3.0 in April 2015, which addresses this recommendation to pilot acquisition programs for streamlining. In September 2015, DOD designated one Navy program, the Next Generation Jammer, as a pilot program with streamlined oversight, processes, and documentation. The program manager believes that implementation of this model has allowed for more focus on improving program execution by significantly shortening decision cycle time and appropriately tailoring acquisition requirements. The Air Force and Army have not designated pilot programs at this time.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    16 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. However, as of April 2017, OPM had not implemented the recommendation to develop, document and implement oversight procedures to ensure that a system test is fully executed for each contractor-operated system. We will monitor OPM's efforts and validate OPM actions when evidence discloses that the recommendation has been implemented.
    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We requested comments on a draft of this report from the Office of Management and Budget, but none were provided. In June 2017, OMB stated that its and DHS's annual reporting requirements now contain an expanded list of criteria for contractor-operated systems, including definitions in related guidance from the National Institute of Standards and Technology. However, although the reporting requirements call for agencies to report on their total number of contractor-operated systems, neither the requirements nor related guidance clarify which agency systems that have contractor relationships should be categorized as contractor-operated. The lack of clear instructions may continue to result in incomplete information regarding the number of contractor-operated systems within the government.
    Director: Charlie Jeszeck
    Phone: (202) 512-7215

    4 open recommendations
    Recommendation: To improve IRS's enforcement and compliance efforts, decrease the administrative and financial burden of maintaining both electronic and paper-based form processing systems, and reduce plan reporting costs, Congress should consider providing the Department of the Treasury with the authority to require that the Form 5500 series be filed electronically.

    Agency: Congress
    Status: Open

    Comments: As of 5/31/17, Congress has taken no action.
    Recommendation: To improve the usefulness, reliability, and comparability of Form 5500 data for all stakeholders while limiting the burden on the filing community, the Secretaries of DOL and Treasury, and the Director of PBGC should consider implementing the findings from our panel when modifying plan investment and service provider fee information, including: (1) revising Schedule H plan asset categories to better match current investment vehicles and provide more transparency into plan investments; (2) revising the Schedule of Assets attachments to create a standard searchable format; (3) developing a central repository for EIN and PN numbers for filers and service providers to improve the comparability of form data across filings; (4) clarifying Schedule C instructions for direct, eligible indirect, and reportable indirect compensation so plan fees are reported more consistently and, as we recommended in the past, better align with the 408(b)(2) fee disclosures; and (5) simplifying and clarifying Schedule C service provider codes to increase reporting consistency.

    Agency: Department of Labor
    Status: Open

    Comments: In 2016, DOL in coordination with IRS and PBGC has implemented cross-year edit checks into EFAST in an effort to improve the consistency in key identifying information, such as the EIN, Plan Number and Plan Name. These checks aim to verify identifying information submitted on the Form 5500 and to notify the filer and government agencies of inconsistencies, which affords filers the ability to review and modify crucial identifying information prior to submission. Additionally, if the filer chooses to submit data that may contain inconsistent information, the edit test indicators provide government users with the ability to more readily detect filings containing potential errors in the identifying information for further review and correction. DOL has also collaborated with PBGC and IRS in issuing proposed revisions to the Form 5500 Series in a Notice of Proposed Forms Revisions. The deadline for public comment ended December 5, 2016. The proposed revisions in the Notice reflect efforts of DOL, IRS, and PBGC to improve the Form 5500 reporting for filers, the public, and the agencies by among other things, (1) modernizing financial information filed by regarding plans; (2) updating fee and expense information on plan service providers with a focus on harmonizing annual reporting requirement with DOL's 408(b)(2); financial disclosure requirements; (3) enhancing the ability to mine data files on annual returns/reports; and (4) improving compliance with ERISA and the Code through selected new questions regarding plan operation, service provider relationships, and financial management of plans. Specifically, in the Notice the agencies propose that Schedule H report assets held and assets disposed of during the plan year to provide more transparency and a more complete report of plan's annual investments and that the Schedule of Assets be revised to require reporting of assets held through direct filing entities.
Additionally, the agencies are proposing revisions to the Schedule H, Schedule of Assets that require filers to complete standardized Schedules in a format enabling data to be captured electronically. This requirement would enable importation of information from the Schedules of Assets into structured databases that DOL would make available to the public from each year's Form 5500 Series filing. The agencies are also proposing to add clarifying definitions and instructions to improve the consistency of Form 5000 responses. This includes clarification of conventions to identify filers by name and identifying numbers to help mitigate confusion about legal identities with which plans transact and improve comparability of form data across filings. In addition, the agencies also propose revisions to Schedule C to require reporting of indirect compensation for service provider subject to 408(b)(2) requirements and for all compensation that is required to be disclosed. Further, the Schedule C instructions would be clarified to track more closely with the language of the 408(b)(2) regulations. The agencies are also proposing to limit the codes for Schedule C and requiring the filer to more simply indicate all types of services for each provider identified. Additionally, they propose a requirement to indicate all the types of fees/compensation separately when reporting sources of compensation from parties other than plan and plan sponsor. The agencies are reviewing the public comments and expect the process to continue through 2017. While the Agencies have made considerable efforts to address our recommendation in the proposed revisions to the Form 5500, they have not made any decisions on whether to make changes to the forms or DOL regulations, and have not decided on a timeline for implementation of any changes to the form or DOL regulations that the Agencies ultimately may decide to adopt. We will close this recommendation once the revision is final.
    Recommendation: To improve the usefulness, reliability, and comparability of Form 5500 data for all stakeholders while limiting the burden on the filing community, the Secretaries of DOL and Treasury, and the Director of PBGC should consider implementing the findings from our panel when modifying plan investment and service provider fee information, including: (1) revising Schedule H plan asset categories to better match current investment vehicles and provide more transparency into plan investments; (2) revising the Schedule of Assets attachments to create a standard searchable format; (3) developing a central repository for EIN and PN numbers for filers and service providers to improve the comparability of form data across filings; (4) clarifying Schedule C instructions for direct, eligible indirect, and reportable indirect compensation so plan fees are reported more consistently and, as we recommended in the past, better align with the 408(b)(2) fee disclosures; and (5) simplifying and clarifying Schedule C service provider codes to increase reporting consistency.

    Agency: Department of the Treasury
    Status: Open

    Comments: In 2016, DOL in coordination with IRS and PBGC has implemented cross-year edit checks into EFAST in an effort to improve the consistency in key identifying information, such as the EIN, Plan Number and Plan Name. These checks aim to verify identifying information submitted on the Form 5500 and to notify the filer and government agencies of inconsistencies, which affords filers the ability to review and modify crucial identifying information prior to submission. Additionally, if the filer chooses to submit data that may contain inconsistent information, the edit test indicators provide government users with the ability to more readily detect filings containing potential errors in the identifying information for further review and correction. IRS has also collaborated with DOL and PBGC in issuing proposed revisions to the Form 5500 Series in a Notice of Proposed Forms Revisions. The deadline for public comment ended December 5, 2016. The proposed revisions in the Notice reflect efforts of DOL, IRS, and PBGC to improve the Form 5500 reporting for filers, the public, and the agencies by among other things, (1) modernizing financial information filed by regarding plans; (2) updating fee and expense information on plan service providers with a focus on harmonizing annual reporting requirement with DOL's 408(b)(2); financial disclosure requirements; (3) enhancing the ability to mine data files on annual returns/reports; and (4) improving compliance with ERISA and the Code through selected new questions regarding plan operation, service provider relationships, and financial management of plans. Specifically, in the Notice the agencies propose that Schedule H report assets held and assets disposed of during the plan year to provide more transparency and a more complete report of plan's annual investments and that the Schedule of Assets be revised to require reporting of assets held through direct filing entities.
Additionally, the agencies are proposing revisions to the Schedule H, Schedule of Assets that require filers to complete standardized Schedules in a format enabling data to be captured electronically. This requirement would enable importation of information from the Schedules of Assets into structured databases that DOL would make available to the public from each year's Form 5500 Series filing. The agencies are also proposing to add clarifying definitions and instructions to improve the consistency of Form 5000 responses. This includes clarification of conventions to identify filers by name and identifying numbers to help mitigate confusion about legal identities with which plans transact and improve comparability of form data across filings. In addition, the agencies also propose revisions to Schedule C to require reporting of indirect compensation for service provider subject to 408(b)(2) requirements and for all compensation that is required to be disclosed. Further, the Schedule C instructions would be clarified to track more closely with the language of the 408(b)(2) regulations. The agencies are also proposing to limit the codes for Schedule C and requiring the filer to more simply indicate all types of services for each provider identified. Additionally, they propose a requirement to indicate all the types of fees/compensation separately when reporting sources of compensation from parties other than plan and plan sponsor. The agencies are reviewing the public comments and expect the process to continue through 2017. While the Agencies have made considerable efforts to address our recommendation in the proposed revisions to the Form 5500, they have not made any decisions on whether to make changes to the forms or DOL regulations, and have not decided on a timeline for implementation of any changes to the form or DOL regulations that the Agencies ultimately may decide to adopt. We will close this recommendation once the revision is final.
    Recommendation: To improve the usefulness, reliability, and comparability of Form 5500 data for all stakeholders while limiting the burden on the filing community, the Secretaries of DOL and Treasury, and the Director of PBGC should consider implementing the findings from our panel when modifying plan investment and service provider fee information, including: (1) revising Schedule H plan asset categories to better match current investment vehicles and provide more transparency into plan investments; (2) revising the Schedule of Assets attachments to create a standard searchable format; (3) developing a central repository for EIN and PN numbers for filers and service providers to improve the comparability of form data across filings; (4) clarifying Schedule C instructions for direct, eligible indirect, and reportable indirect compensation so plan fees are reported more consistently and, as we recommended in the past, better align with the 408(b)(2) fee disclosures; and (5) simplifying and clarifying Schedule C service provider codes to increase reporting consistency.

    Agency: Pension Benefit Guaranty Corporation
    Status: Open

    Comments: In 2016, DOL in coordination with IRS and PBGC has implemented cross-year edit checks into EFAST in an effort to improve the consistency in key identifying information, such as the EIN, Plan Number and Plan Name. These checks aim to verify identifying information submitted on the Form 5500 and to notify the filer and government agencies of inconsistencies, which affords filers the ability to review and modify crucial identifying information prior to submission. Additionally, if the filer chooses to submit data that may contain inconsistent information, the edit test indicators provide government users with the ability to more readily detect filings containing potential errors in the identifying information for further review and correction. PBGC has also collaborated with DOL and IRS in issuing proposed revisions to the Form 5500 Series in a Notice of Proposed Forms Revisions. The deadline for public comment ended December 5, 2016. The proposed revisions in the Notice reflect efforts of DOL, IRS, and PBGC to improve the Form 5500 reporting for filers, the public, and the agencies by among other things, (1) modernizing financial information filed by regarding plans; (2) updating fee and expense information on plan service providers with a focus on harmonizing annual reporting requirement with DOL's 408(b)(2); financial disclosure requirements; (3) enhancing the ability to mine data files on annual returns/reports; and (4) improving compliance with ERISA and the Code through selected new questions regarding plan operation, service provider relationships, and financial management of plans. Specifically, in the Notice the agencies propose that Schedule H report assets held and assets disposed of during the plan year to provide more transparency and a more complete report of plan's annual investments and that the Schedule of Assets be revised to require reporting of assets held through direct filing entities.
Additionally, the agencies are proposing revisions to the Schedule H, Schedule of Assets that require filers to complete standardized Schedules in a format enabling data to be captured electronically. This requirement would enable importation of information from the Schedules of Assets into structured databases that DOL would make available to the public from each year's Form 5500 Series filing. The agencies are also proposing to add clarifying definitions and instructions to improve the consistency of Form 5000 responses. This includes clarification of conventions to identify filers by name and identifying numbers to help mitigate confusion about legal identities with which plans transact and improve comparability of form data across filings. In addition, the agencies also propose revisions to Schedule C to require reporting of indirect compensation for service provider subject to 408(b)(2) requirements and for all compensation that is required to be disclosed. Further, the Schedule C instructions would be clarified to track more closely with the language of the 408(b)(2) regulations. The agencies are also proposing to limit the codes for Schedule C and requiring the filer to more simply indicate all types of services for each provider identified. Additionally, they propose a requirement to indicate all the types of fees/compensation separately when reporting sources of compensation from parties other than plan and plan sponsor. The agencies are reviewing the public comments and expect the process to continue through 2017. While the Agencies have made considerable efforts to address our recommendation in the proposed revisions to the Form 5500, they have not made any decisions on whether to make changes to the forms or DOL regulations, and have not decided on a timeline for implementation of any changes to the form or DOL regulations that the Agencies ultimately may decide to adopt. We will close this recommendation once any revisions are made final.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to establish a means for evaluating progress toward institutionalizing management controls and commit to time lines for activities and next steps.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not yet established a means for evaluating progress toward institutionalizing IT management controls. According to HUD officials, the department expects to evaluate the controls through an update to its IT Management Framework scheduled to be completed during fiscal year 2017.
    Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to define the scope, implementation strategy, and schedule of its overall modernization approach, with related goals and measures for effectively overseeing the effort.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: In August 2016, HUD officials reported that the department was taking actions intended to establish a new, stronger enterprise approach for IT development and operations. As of April 2017, the department reported that it was in phase 2 of a 4-phase application assessment initiative expected to address this recommendation. However, HUD has not yet provided evidence of how the new approach is expected to define the scope, implementation strategy, and schedule for modernizing the department's IT.
    Director: Jeszeck, Charles A
    Phone: (202) 512-7215

    2 open recommendations
    Recommendation: The Secretary of Labor and the Secretary of the Treasury should consider requiring pension plan sponsors to provide participants with an opportunity to opt out of all forms of electronic delivery, including (but not limited to) disclosures sent by default electronic delivery and disclosures posted on a secure continuous access website.

    Agency: Department of Labor
    Status: Open

    Comments: In 2013, DOL stated that it was appropriate to consider the merits of broader rights to opt out of electronic delivery and would want to consult with the Treasury Department/IRS on the agencies' different opt-out standards. In FY14, the agency reiterated that different opt-out standards may be appropriate for general plan information versus individual account or other personal information and would consult with Treasury/IRS. They will consider this matter as part of any future rulemaking that modifies or amends the current regulatory safe harbor. In FY15, Labor stated that different opt-out standards may be appropriate for general plan information versus individual account or other personal information, but that was an issue for Labor to consider in consultation with the Treasury Department/IRS should Labor pursue future rulemaking that modifies or amends the current regulatory safe harbor. In July 2016, DOL confirmed that the agency continues to plan to take the above action. As of July 2017, DOL indicated that no decisions had been made concerning future rulemaking in this area.
    Recommendation: The Secretary of Labor and the Secretary of the Treasury should consider requiring pension plan sponsors to send a periodic paper notice to participants reminding them of their right to change their preferred delivery method at any time and the steps they must take to make these changes.

    Agency: Department of Labor
    Status: Open

    Comments: In FY13, DOL stated that it was appropriate to obtain further input on requiring some periodic paper reminder notice. In FY14, the agency reported that the sort of periodic notice described by GAO could be a safeguard against malfunctions in the electronic communication system and act as a reminder that important plan information is being provided through electronic media. DOL will consider and obtain further input on requiring a periodic paper reminder as part of any future rulemaking that modifies or amends the current regulatory safe harbor. In FY15, Labor stated that the agency intends to consider and obtain further input on requiring a periodic paper reminder should we pursue future rulemaking that modifies or amends the current regulatory safe harbor. In July 2016, DOL confirmed that the agency continues to plan to take the above action. As of July 2017, DOL indicated that no decisions had been made concerning future rulemaking in this area.
    Director: Powner, David A
    Phone: (202)512-9286

    1 open recommendation
    Recommendation: The Commissioner of Internal Revenue should direct the appropriate officials to define and implement a process, including defined criteria, for reselecting ongoing projects.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: Since we made the recommendation, IRS has been working to redesign its investment management process. In June 2016, we reported that the agency had defined and implemented a repeatable process for selecting (and reselecting) operations support activities, although it had not fully documented that process, but that it did not have a similar process for its business systems modernization activities (GAO-16-545). We recommended that IRS document its process for operations support activities and establish, document, and implement policies and procedures for selecting new and reselecting ongoing business systems modernization activities. IRS agreed with our recommendations and, in January 2017, stated it expected to have an internal draft document of the operations support activities process completed by the end of February 2017 with a draft ready to share with GAO a month later. In addition, for the business systems modernization process, IRS noted several improvements underway and stated it would document the process as it improved by December 2017. We will continue to monitor IRS's efforts to define and implement processes, including criteria, for reselecting ongoing projects.