Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: Criminals

    14 publications with a total of 41 open recommendations including 10 priority recommendations
    Director: Gretta L. Goodwin
    Phone: (202) 512-8777

    2 open recommendations
    Recommendation: To help ensure that DOJ is contributing to efforts to improve data collection and service provision to Native Americans, the Director of OVW should require grantees to report the number of human trafficking victims served using grant funding, and, as appropriate, the Native American status of those victims.

    Agency: Department of Justice: Office of Justice Programs: Violence Against Women Office
    Status: Open

    Comments: In responding to a draft of our report, DOJ agreed to require their grantees to report the number of human trafficking victims served, but did not agree to require them to track Native American status of those victims as appropriate, citing victim confidentiality and other reasons. In June 2017, following our report's publication, DOJ provided a status update, reporting that OVW already collects consolidated data on the number of American Indian and Alaska Native victims served who are victims of all crimes and it is in the process of revising grantee forms to collect information on the number of people served who are victims of sex trafficking. We continue to believe that collecting grantee information on both the number and Native American status of victims served is important and will continue to monitor implementation.
    Recommendation: To help ensure that DOJ is contributing to efforts to improve data collection and service provision to Native Americans, the Assistant Attorney General for the Office of Justice Programs should direct OVC and OJJDP to require their grantees to report the number of human trafficking victims served using grant funding, and, as appropriate, the Native American status of those victims.

    Agency: Department of Justice: Office of Justice Programs
    Status: Open

    Comments: In responding to a draft of our report, DOJ agreed to require its grantees to report the number of human trafficking victims served, but did not agree to require them to track Native American status of those victims as appropriate, citing victim confidentiality and other reasons. In June 2017, following our report's publication, DOJ provided a status update, reporting that OJJDP human trafficking grantees will be required to report the number of human trafficking victims served, beginning with progress reports ending December 31, 2017, and that OJJDP will update applicable solicitations beginning in fiscal year 2018 to reflect this new measure. DOJ reported no new efforts from OVC, and maintained that it will not require grantees to report on the Native American status of their victims served using grant funding because of the concerns it cited initially. We continue to believe that collecting grantee information on both the number and Native American status of victims served is important and will continue to monitor implementation.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    6 open recommendations
    Recommendation: To better inform on the effectiveness of CDS implementation and border security efforts, the Chief of Border Patrol should strengthen the methodology for calculating recidivism such as by using an alien's apprehension history beyond one fiscal year and excluding aliens for whom there is no record of removal and who may remain in the United States.

    Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better inform on the effectiveness of CDS implementation and border security efforts, the Chief of Border Patrol should collect information on reasons agents do not apply the CDS guides' Most Effective and Efficient consequences to assess the extent that agents' application of these consequences can be increased and modify development of CDS guides, as appropriate.

    Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better inform on the effectiveness of CDS implementation and border security efforts, the Chief of Border Patrol should revise CDS guidance to ensure consistent and accurate methodologies for estimating Border Patrol costs across consequences and to factor in, where appropriate and available, the relative costs of any federal partner resources necessary to implement each consequence.

    Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better inform on the effectiveness of CDS implementation and border security efforts, the Chief of Border Patrol should ensure that sector management is monitoring progress in meeting their performance targets and communicating performance results to Border Patrol headquarters management.

    Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better inform on the effectiveness of CDS implementation and border security efforts, the Chief of Border Patrol should provide consistent guidance for alien classification and take steps to ensure CDS Project Management Office and sector management conduct data integrity activities necessary to strengthen control over the classification of aliens.

    Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Assistant Secretary of Immigration and Customs Enforcement and Commissioner of Customs and Border Protection to collaborate on sharing immigration enforcement and removal data to help Border Patrol account for the removal status of apprehended aliens in its recidivism rate measure.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kimberly Gianopoulos
    Phone: (202) 512-8612

    3 open recommendations
    Recommendation: To provide a basis for comparing actual results with intended results that can generate more meaningful performance information, the Secretaries of the Interior and State and the Attorney General of the United States should jointly work with the Task Force to develop performance targets related to the National Strategy for Combating Wildlife Trafficking Implementation Plan.

    Agency: Department of the Interior
    Status: Open

    Comments: Agency agreed with recommendation and plans to implement it
    Recommendation: To provide a basis for comparing actual results with intended results that can generate more meaningful performance information, the Secretaries of the Interior and State and the Attorney General of the United States should jointly work with the Task Force to develop performance targets related to the National Strategy for Combating Wildlife Trafficking Implementation Plan.

    Agency: Department of Justice
    Status: Open

    Comments: Agency agreed with recommendation and plans to implement it
    Recommendation: To provide a basis for comparing actual results with intended results that can generate more meaningful performance information, the Secretaries of the Interior and State and the Attorney General of the United States should jointly work with the Task Force to develop performance targets related to the National Strategy for Combating Wildlife Trafficking Implementation Plan.

    Agency: Department of State
    Status: Open

    Comments: Agency agreed with recommendation and plans to implement it
    Director: Gretta L. Goodwin
    Phone: (202) 512-8777

    4 open recommendations
    Recommendation: To enhance the clarity and transparency of sexual violence data that is reported to the public, the Secretary of Education should direct the Assistant Secretary for the Office of Postsecondary Education, the Secretary of Health and Human Services should direct the Director of Centers for Disease Control and Prevention, and the Attorney General should direct the Director of the Bureau of Justice Statistics to make information on the acts of sexual violence and contextual factors that are included in their measurements of sexual violence publicly available. This effort could entail revising their definitions of key terms used to describe sexual violence so that the definitions match the measurements of sexual violence.

    Agency: Department of Education
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance the clarity and transparency of sexual violence data that is reported to the public, the Secretary of Education should direct the Assistant Secretary for the Office of Postsecondary Education, the Secretary of Health and Human Services should direct the Director of Centers for Disease Control and Prevention, and the Attorney General should direct the Director of the Bureau of Justice Statistics to make information on the acts of sexual violence and contextual factors that are included in their measurements of sexual violence publicly available. This effort could entail revising their definitions of key terms used to describe sexual violence so that the definitions match the measurements of sexual violence.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance the clarity and transparency of sexual violence data that is reported to the public, the Secretary of Education should direct the Assistant Secretary for the Office of Postsecondary Education, the Secretary of Health and Human Services should direct the Director of Centers for Disease Control and Prevention, and the Attorney General should direct the Director of the Bureau of Justice Statistics to make information on the acts of sexual violence and contextual factors that are included in their measurements of sexual violence publicly available. This effort could entail revising their definitions of key terms used to describe sexual violence so that the definitions match the measurements of sexual violence.

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help lessen confusion among the public and policy makers regarding federal data on sexual violence, the Director of OMB should establish a federal interagency forum on sexual violence statistics. The forum should consider the broad range of differences across the data collection efforts to assess which differences enhance or hinder the overall understanding of sexual violence in the United States.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gretta L. Goodwin
    Phone: (202) 512-8777

    1 open recommendations
    Recommendation: To help the NICS Section achieve its mission to enhance national security and public safety by providing the timely and accurate determination of a person's eligibility to possess firearms, the Director of the FBI should monitor NICS check outcomes for specific categories of prohibited individuals to assess timeliness and provide this information to other DOJ entities for use in establishing priorities and tools to assist states in submitting more complete records for use during NICS checks.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Diana C. Maurer
    Phone: (202) 512-9627

    4 open recommendations
    Recommendation: To help determine if pretrial diversion programs and practices are effectively contributing to the achievement of department goals and enhance DOJ's ability to better manage and encourage the use of such programs and practices, the Attorney General should identify, obtain, and track data on the outcomes and costs of pretrial diversion programs.

    Agency: Department of Justice
    Status: Open

    Comments: In providing comments on this report, DOJ concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Recommendation: To help determine if pretrial diversion programs and practices are effectively contributing to the achievement of department goals and enhance DOJ's ability to better manage and encourage the use of such programs and practices, the Attorney General should develop performance measures by which to help assess program outcomes.

    Agency: Department of Justice
    Status: Open

    Comments: In providing comments on this report, DOJ concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Recommendation: To determine how the use of RRCs and home confinement contribute to its goal of helping inmates successfully reenter society, and to better enable BOP to adjust its policies and procedures for the optimal use of these alternatives, as necessary and within statutory requirements, the Director of BOP should identify, obtain, and track data on the outcomes of the programs.

    Agency: Department of Justice: Bureau of Prisons
    Status: Open

    Comments: In providing comments on this report, DOJ concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Recommendation: To determine how the use of RRCs and home confinement contribute to its goal of helping inmates successfully reenter society, and to better enable BOP to adjust its policies and procedures for the optimal use of these alternatives, as necessary and within statutory requirements, the Director of BOP should develop performance measures by which to help assess program outcomes.

    Agency: Department of Justice: Bureau of Prisons
    Status: Open

    Comments: In providing comments on this report, DOJ concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Director: Diana C. Maurer
    Phone: (202) 512-9627

    2 open recommendations
    including 2 priority recommendations
    Recommendation: To allow for more efficient use of data on missing and unidentified persons contained in the NCIC's Missing Persons and Unidentified Persons files and NamUs, the Directors of the FBI and NIJ should evaluate the feasibility of sharing certain information among authorized users, document the results of this evaluation, and incorporate, as appropriate, legally and technically feasible options for sharing the information.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In commenting on GAO's June 2016 report, DOJ disagreed with our recommendation, because DOJ believes it does not have the legal authority to fulfill the corrective action as described in the proposed recommendation. Specifically, DOJ stated that the National Missing and Unidentified Persons System (NamUs) does not qualify, under federal law, for access to the National Crime Information Center (NCIC) and is not an authorized user to receive NCIC data. Therefore, DOJ does not believe there is value in evaluating the technical feasibility of integrating these two databases. In March 2017, DOJ reiterated its position that any such sharing was prohibited by law. We understand the legal framework placed on NCIC and that it may be restricted from fully integrating with a public database. However, this statutory restriction does not preclude DOJ from exploring options to more efficiently share information within the confines of the current legal framework. Until DOJ studies whether such feasible mechanisms exist, it will be unable to make this determination, risking continued inefficiencies through fragmentation and overlap.
    Recommendation: To allow for more efficient use of data on missing and unidentified persons contained in the NCIC's Missing Persons and Unidentified Persons files and NamUs, the Directors of the FBI and NIJ should evaluate the feasibility of sharing certain information among authorized users, document the results of this evaluation, and incorporate, as appropriate, legally and technically feasible options for sharing the information.

    Agency: Department of Justice: Office of Justice Programs: National Institute of Justice
    Status: Open
    Priority recommendation

    Comments: In commenting on GAO's June 2016 report, DOJ disagreed with our recommendation, because DOJ believes it does not have the legal authority to fulfill the corrective action as described in the proposed recommendation. Specifically, DOJ stated that the National Missing and Unidentified Persons System (NamUs) does not qualify, under federal law, for access to the National Crime Information Center (NCIC) and is not an authorized user to receive NCIC data. Therefore, DOJ does not believe there is value in evaluating the technical feasibility of integrating these two databases. In March 2017, DOJ reiterated its position that any such sharing was prohibited by law. We understand the legal framework placed on NCIC and that it may be restricted from fully integrating with a public database. However, this statutory restriction does not preclude DOJ from exploring options to more efficiently share information within the confines of the current legal framework. Until DOJ studies whether such feasible mechanisms exist, it will be unable to make this determination, risking continued inefficiencies through fragmentation and overlap.
    Director: Diana Maurer
    Phone: (202) 512-9627

    6 open recommendations
    including 6 priority recommendations
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the PIA development process to determine why PIAs were not published prior to using or updating face recognition capabilities, and implement corrective actions to ensure the timely development, updating, and publishing of PIAs before using or making changes to a system.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ officials did not concur with this recommendation, and stated that the FBI has established practices that protect privacy and civil liberties beyond the requirements of the law. DOJ officials stated that it will internally evaluate the PIA process as part of the Department's overall commitment to improving its processes, not in response to our recommendation. In March 2017, we followed up with DOJ to obtain its current position on our recommendation. DOJ continues to believe that its approach in designing the NGI system was sufficient to meet legal privacy requirements and that our recommendation represents a "checkbox approach" to privacy. We disagree with DOJ's characterization of our recommendation. We continue to believe that the timely development and publishing of future PIAs would increase transparency of the department's systems. We recognize the steps the agency took to consider privacy protection during the development of the NGI system. We also stand by our position that notifying the public of these actions is important and provides the public with greater assurance that DOJ components are evaluating risks to privacy when implementing systems. As a result, the recommendation remains open and unimplemented.
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the SORN development process to determine why a SORN was not published that addressed the collection and maintenance of photos accessed and used through NGI for the FBI's face recognition capabilities prior to using NGI-IPS, and implement corrective actions to ensure SORNs are published before systems become operational.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ agreed, in part, with our recommendation and submitted the SORN for publication to the Federal Register on April 21, 2016, and it was published on May 5, 2016. DOJ did not agree that the publication of a SORN is required by law. We disagree with DOJ's interpretation regarding the legal requirements of a SORN. The Privacy Act of 1974 requires that when agencies establish or make changes to a system of records, they must notify the public through a SORN published in the Federal Register. DOJ's comments on our draft report acknowledge that the automated nature of face recognition technology and the sheer number of photos now available for searching raise important privacy and civil liberties considerations. DOJ officials also stated that the FBI's face recognition capabilities do not represent new collection, use, or sharing of personal information. We disagree. We believe that the ability to perform automated searches of millions of photos is fundamentally different in nature and scope than manual review of individual photos, and the potential impact on privacy is equally fundamentally different. By assessing the SORN development process and taking corrective actions to ensure timely development of future SORNs, the public would have a better understanding of how personal information is being used and protected by DOJ components. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Director of the Federal Bureau of Investigation should conduct audits to determine the extent to which users of NGI-IPS and biometric images specialists in FACE Services are conducting face image searches in accordance with Criminal Justice Information Services Division policy requirements.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In March 2017, DOJ provided us with the audit plan the CJIS Audit Unit developed in June 2016 for NGI-IPS users. In addition, DOJ reported that the CJIS Audit Unit began assessing NGI-IPS requirements at participating states in conjunction with its triennial National Identity Services audit and that, as of February 2017, the unit had conducted NGI-IPS audits of four states. Further, DOJ officials said CJIS developed an audit plan of the FACE Services Unit to coincide with the existing triennial FBI internal audit for 2018. However, DOJ did not provide the audit plan for the FACE Services Unit. DOJ officials said the methodology would be the same as the audit plan for NGI-IPS, but that methodology does not describe oversight on use of information obtained from external systems accessed by FACE Services employees. Therefore, we believe DOJ is making progress towards meeting the recommendation, but has not fully implemented our recommendation.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct tests of NGI-IPS to verify that the system is sufficiently accurate for all allowable candidate list sizes, and ensure that the detection and false positive rate used in the tests are identified.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up, as of March 2017, DOJ did not concur with this recommendation. DOJ officials stated that the FBI has performed accuracy testing to validate that the system meets the requirements for the detection rate, which fully satisfies requirements for the investigative lead service provided by NGI-IPS. We disagree with DOJ. A key focus of our recommendation is the need to ensure that NGI-IPS is sufficiently accurate for all allowable candidate list sizes. Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists (between 2 and 50 photos). FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes. According to these officials, a smaller candidate list would likely lower the detection rate because a smaller candidate list may not contain a likely match that would be present in a larger candidate list. However, according to the FBI Information Technology Life Cycle Management Directive, testing needs to confirm the system meets all user requirements. Because the accuracy of NGI-IPS's face recognition searches when returning fewer than 50 photos in a candidate list is unknown, the FBI is limited in understanding whether the results are accurate enough to meet NGI-IPS users' needs. DOJ officials also stated that searches of NGI-IPS produce a gallery of likely candidates to be used as investigative leads, not for positive identification. As a result, according to DOJ officials, NGI-IPS cannot produce false positives and there is no false positive rate for the system. We disagree with DOJ. The detection rate and the false positive rate are both necessary to assess the accuracy of a face recognition system. Generally, face recognition systems can be configured to allow for a greater or lesser number of matches. A greater number of matches would generally increase the detection rate, but would also increase the false positive rate. Similarly, a lesser number of matches would decrease the false positive rate, but would also decrease the detection rate. Reporting a detection rate of 86 percent without reporting the accompanying false positive rate presents an incomplete view of the system's accuracy. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct an operational review of NGI-IPS at least annually that includes an assessment of the accuracy of face recognition searches to determine if it is meeting federal, state, and local law enforcement needs and take actions, as necessary, to improve the system.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: As of March 2017, FBI officials stated they implemented the recommendation by submitting a paper to solicit feedback from users through the Fall 2016 Advisory Policy Board Process. Specifically, officials said the paper requested feedback on whether the face recognition searches of the NGI-IPS are meeting their needs, and input regarding search accuracy. According to FBI officials, no users expressed concern with any aspect of the NGI-IPS meeting their needs, including accuracy. Although FBI's action of providing working groups with a paper presenting GAO's recommendation is a step, the FBI's actions do not fully meet the recommendation. The FBI's paper was presented as informational, and did not result in any formal responses from users. We disagree with the FBI's conclusion that receiving no responses on the informational paper fulfills the operational review recommendation, which includes determining that NGI-IPS is meeting user's needs. As such, we continue to recommend the FBI conduct an operational review of NGI-IPS at least annually.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should take steps to determine whether each external face recognition system used by FACE Services is sufficiently accurate for the FBI's use and whether results from those systems should be used to support FBI investigations.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up in 2017, DOJ officials did not concur with this recommendation and had no plans to implement it. DOJ officials stated that the FBI has no authority to set or enforce accuracy standards of face recognition technology operated by external agencies. In addition, DOJ officials stated that the FBI has implemented multiple layers of manual review that mitigate risks associated with the use of automated face recognition technology. Further, DOJ officials stated there is value in searching all available external databases, regardless of their level of accuracy. We disagree with the DOJ position. We continue to believe that the FBI should assess the quality of the data it is using from state and federal partners. We acknowledge that the FBI cannot and should not set accuracy standards for the face recognition systems used by external partners. We also do not dispute that the use of external face recognition systems by the FACE Services Unit could add value to FBI investigations. However, we disagree with FBI's assertion that no assessment of the quality of the data from state and federal partners is necessary. We also disagree with the DOJ assertion that manual review of automated search results is sufficient. Even with a manual review process, the FBI could miss investigative leads if a partner does not have a sufficiently accurate system. By relying on its external partners' face recognition systems, the FBI is using these systems as a component of its routine operations and is therefore responsible for ensuring the systems will help meet FBI's mission, goals and objectives. The recommendation remains open and unimplemented.
    Director: Michael J. Courts
    Phone: (202) 512-8980

    2 open recommendations
    Recommendation: To strengthen DHS's ability to fulfill legislative requirements for the VWP and protect the security of the United States and its citizens, the Secretary of Homeland Security should specify time frames for working with VWP countries to institute the additional VWP security requirements, including the requirement that the countries fully implement agreements to share information about known or suspected terrorists through the countries' Homeland Security Presidential Directive 6 arrangements and Preventing and Combating Serious Crime agreements with the United States.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS reported that nearly all VWP countries have begun sharing information on known or suspected terrorists through Homeland Security Presidential Directive 6 arrangements and that DHS also made progress in fully implementing Preventing and Combating Serious Crime agreements. According to DHS, all VWP countries were informed of the new VWP requirements in July 2016. In its initial response, DHS stated that it planned to conduct a comprehensive assessment of VWP countries' compliance with the new VWP requirements and establish a time frame for each VWP country to reach full compliance as part of each country's next formal review. However, as of April 2017, DHS needs to provide documentation to GAO to support all of these actions. GAO will continue to monitor DHS efforts to fully address this recommendation.
    Recommendation: To strengthen DHS's ability to fulfill legislative requirements for the VWP and protect the security of the United States and its citizens, the Secretary of Homeland Security should take steps to improve DHS's timeliness in reporting to Congress, within the statutory time frame, the department's determination of whether each VWP country should continue participating in the program and any effects of the country's participation on U.S. law enforcement and security interests.

    Agency: Department of Homeland Security
    Status: Open

    Comments: Since 2016, DHS has issued several reports on VWP countries to Congress that have addressed several of the overdue reports identified in 2016, but some gaps remain. As of April 2017, DHS reported plans to deliver additional reports in 2017 to address these gaps. In its initial response, DHS reported that the department had taken steps to ensure timely reporting to Congress and committed to providing Congress with advance notification of any delays in delivering future reports. To fully address this recommendation, DHS needs to issue reports to Congress on VWP countries that have not been covered within the last two years. GAO will continue to monitor DHS efforts.
    Director: Jessica Farb
    Phone: (202) 512-6991

    2 open recommendations
    Recommendation: To enhance U.S. agencies' performance monitoring of counter-firearms trafficking activities, the Director of the Bureau of Alcohol, Tobacco, Firearms and Explosives should establish and document performance targets for the bureau's key counter-firearms trafficking activities in Belize, Guatemala, and Mexico, as appropriate.

    Agency: Department of Justice: Bureau of Alcohol, Tobacco, Firearms and Explosives
    Status: Open

    Comments: ATF concurred with this recommendation and stated that it plans to implement it. According to ATF officials, ATF has engaged in an overview of performance measures in Mexico and, when applicable, in Guatemala and Belize, and planned to implement a more structured annual system of performance targeting and evaluation for operations in these jurisdictions in fiscal year 2017. As of October 2017, we are continuing to follow up with ATF on its efforts to implement the new performance evaluation system.
    Recommendation: To enhance U.S. agencies' performance monitoring of counter-firearms trafficking activities, the Secretary of State should work with other U.S. agencies and implementers to help ensure that quarterly progress reports identify key challenges and plans to address them.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with this recommendation and stated that it planned to work with other agencies to implement it. State officials noted that the International Narcotics and Law Enforcement Affairs Bureau's quarterly reporting template for interagency partners currently contains a segment entitled "Problems or Challenges and Corrective Action Plan/Risk Identification Mitigation" in which the interagency partner is expected to detail any problems or challenges in implementing any of the program components and activities. State officials stated they will continue to remind interagency partners of this requirement and assist with correct completion of the reporting templates.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: The Attorney General should direct ODAG to document a plan specifying DOJ's process for monitoring the effects of marijuana legalization under state law, in accordance with DOJ's 2013 marijuana enforcement policy guidance, to include the identification of the various data ODAG will use and their potential limitations for monitoring the effects of state marijuana legalization, and how ODAG will use the information sources in its monitoring efforts to help inform decisions on whether state systems are effectively protecting federal marijuana enforcement priorities.

    Agency: Department of Justice
    Status: Open

    Comments: The agency concurred with the recommendation and reported plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: The Attorney General should direct ODAG to use existing mechanisms to share DOJ's monitoring plan with appropriate officials from DOJ components responsible for providing information DOJ reports using regarding the effects of state legalization to ODAG, obtain feedback, and incorporate the feedback into its plan.

    Agency: Department of Justice
    Status: Open

    Comments: The agency concurred with the recommendation and reported plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Lawrance Evans
    Phone: (202) 512-8678

    4 open recommendations
    Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

    Agency: Congress
    Status: Open

    Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of October 2016, Congress had not granted NCUA such authority.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In September 2015, OCC stated that it is taking two actions to respond to our recommendation. First, the agency is integrating the Cybersecurity Assessment Tool (Tool), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations. Officials believe that the Tool will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, the Tool will help OCC allocate examiner resources and better target examiner training. OCC began integrating the Tool in selected examinations in December 2015. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the enhancements will facilitate systemic categorization of supervisory concerns that strengthen recording, monitoring, and analyzing of volumes and trends across bank portfolios. Also, the enhanced guidance discusses the relationship between MRAs, interagency ratings, OCC's risk assessment system, and enforcement actions. OCC believes that these process enhancements combined with the integration of the Tool, will improve its ability to assess information security practices at medium and small institutions. We will continue to monitor OCC's progress in implementing the Tool and the resulting trend analyses that the Tool is intended to facilitate.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Federal Reserve System
    Status: Open

    Comments: In July 2015, we recommended that the Board of Governors of the Federal Reserve System (Board) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. As of October 2016, the Board had not provided an update on its efforts to address this recommendation.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: National Credit Union Administration
    Status: Open

    Comments: In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In July 2016, NCUA told us that it and the other federal financial institution regulators issued the Cybersecurity Assessment Tool (Tool) in June 2015 to provide a comprehensive method for institutions to benchmark their cybersecurity programs. Officials believe that the Tool will allow examiners to consistently and methodically look at credit union risks and trends, as well as collect detailed information on the risks and mitigating controls employed by credit unions. When the Tool is fully implemented, officials expect to be able to aggregate risk indicators and program gaps across the credit union industry to improve resource deployment and enhance cybersecurity supervisory oversight. NCUA plans to begin pilot testing the Tool in late 2016 with program integration targeted for July 2017. We will continue to monitor NCUA's progress with this program and revisit our recommendation in July 2017.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    2 open recommendations
    including 2 priority recommendations
    Recommendation: To ensure that the Department of Justice effectively measures its efforts to address incarceration challenges, the Attorney General should explore additional data collection opportunities and modify its Smart on Crime indicators to incorporate key elements of successful performance measurement systems.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: In August 2015, DOJ reported that it has taken steps to obtain new, more granular data elements that it hoped to incorporate into its indicators. However, DOJ also stated that it did not believe that measureable targets were appropriate for its Smart on Crime indicators because prosecutors need to make case by case decisions without regard to targets or concerns for any other incentive. As of October 2016, DOJ had not provided any updates on its progress addressing this recommendation to enhance performance measurement. Until DOJ provides this information, we cannot determine whether its efforts resulted in indicators that incorporate key elements of successful performance measurement systems. In March, 2017, DOJ noted that, due to a change in administration, the consequences of the Smart on Crime initiative are uncertain, and did not provide any further updates on its progress addressing our recommendation.
    Recommendation: To ensure that the Department of Justice effectively measures its efforts to address incarceration challenges, the Attorney General should direct the Office of the Pardon Attorney, in conjunction with the Office of the Deputy Attorney General, to (1) track how long it takes, on average, for commutation of sentence petitions to clear each step in the review process under DOJ's control, and (2) identify and address, to the extent possible, any processes that may contribute to unnecessary delays.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: In August 2015, DOJ reported that tracking the steps of its review would not provide meaningful data because the Department prioritizes those cases for review that appear likely to meet the Clemency Initiative factors announced in April 2014. Nevertheless, DOJ stated that it agreed that identifying and addressing unnecessary delays in the review process is important, and that it has been regularly working to identify and address such delays. As of October 2016, DOJ had not provided any updates on its progress addressing this recommendation to better track and address any unnecessary delays. Until it does so, we cannot determine whether it is meeting the key goal of the new Clemency Initiative--to expeditiously identify and review especially meritorious petitions. In March 2017, DOJ noted that due to the accelerated clemency review process implemented in 2015, it currently has no standard process to evaluate, and did not provide any further updates on its progress in addressing our recommendation.
    Director: Stephen L. Caldwell
    Phone: (202) 512-9610

    1 open recommendations
    Recommendation: To help ensure that efforts to counter piracy and maritime crime are coordinated and prioritized to effectively address the evolving threat, the Assistant to the President for National Security Affairs, in collaboration with the Secretaries of Defense and State, should work through the Counter-Piracy Steering Group or otherwise collaborate with the Secretaries of Homeland Security, Transportation, and the Treasury, and the Attorney General to determine whether additional actions to address counterpiracy and maritime security, such as developing an action plan that includes elements of a strategic approach, are needed to guide and coordinate activities.

    Agency: Executive Office of the President: Office of the Assistant to the President for National Security Affairs
    Status: Open

    Comments: In June 2014, the Executive Office of the President issued the United States Counter Piracy and Maritime Security Action Plan, which includes an annex specific to activities in and around the Gulf of Guinea. While the plan outlines some of the planned indicators of effectiveness for activities in and around the Gulf of Guinea, the extent to which the agencies have assessed or plan to assess costs and benefits are not explicitly addressed. The plan states that the Counter Piracy Steering Group will coordinate, implement, and monitor the objectives outlined in the plan and will assess methods and agency activities to reduce risk and protect the maritime industry from acts of piracy and related maritime crime. The plan identifies an increase in investigating and prosecuting cases and a reduction in the trend of piracy and related maritime crime as tangible indicators of successful implementation of the plan. However, GAO's past work on piracy off the Horn of Africa recommended that, as part of a strategic approach, agencies (1) identify the costs of U.S. counterpiracy efforts including operational, support, and personnel costs; and (2) assess the benefits, and effectiveness of U.S. counterpiracy activities. The 2014 plan and its Gulf of Guinea annex do not include a discussion of these elements of a strategic approach. In August 2017, neither the Department of Defense nor the Department of State (the co-chairs of the Counter Piracy Steering Group) provided an update on the extent to which they have collectively or individually addressed the assessment of costs and benefits for activities in and around the Gulf of Guinea. Including these elements in the plan can help assess the effectiveness of current efforts, prioritize future efforts, and leverage resources. GAO will continue to monitor progress in this area.