Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: Fingerprints

    4 publications with a total of 16 open recommendations including 6 priority recommendations
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    6 open recommendations
    Recommendation: To enhance enterprise-wide biometric strategic planning, the Under Secretary of Defense for Acquisition, Technology, and Logistics should publish an updated biometric strategic plan to identify enterprise goals and objectives.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance enterprise-wide biometric strategic planning, the Under Secretary of Defense for Acquisition, Technology, and Logistics should publish a supporting biometric implementation plan that includes intended outcomes, measures of effectiveness, and responsibilities, among other things.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should assign a milestone decision authority to oversee the Near Real Time Identity Operations solution.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should complete a disposition analysis for the Near Real Time Identity Operations solution before the solution reaches operation and sustainment.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should consider including geographic dispersal as part of the selection criteria for the DOD Automated Biometric Information System (ABIS) follow-on system.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should use tradeoff selection criteria, rather than lowest-price technically acceptable criteria, for determining contractor support for DOD ABIS mission-critical functions when it is practicable to do so.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Diana Maurer
    Phone: (202) 512-9627

    6 open recommendations
    including 6 priority recommendations
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the PIA development process to determine why PIAs were not published prior to using or updating face recognition capabilities, and implement corrective actions to ensure the timely development, updating, and publishing of PIAs before using or making changes to a system.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ officials did not concur with this recommendation, and stated that the FBI has established practices that protect privacy and civil liberties beyond the requirements of the law. DOJ officials stated that it will internally evaluate the PIA process as part of the Department's overall commitment to improving its processes, not in response to our recommendation. In March 2017, we followed up with DOJ to obtain its current position on our recommendation. DOJ continues to believe that its approach in designing the NGI system was sufficient to meet legal privacy requirements and that our recommendation represents a "checkbox approach" to privacy. We disagree with DOJ's characterization of our recommendation. We continue to believe that the timely development and publishing of future PIAs would increase transparency of the department's systems. We recognize the steps the agency took to consider privacy protection during the development of the NGI system. We also stand by our position that notifying the public of these actions is important and provides the public with greater assurance that DOJ components are evaluating risks to privacy when implementing systems. As a result, the recommendation remains open and unimplemented.
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the SORN development process to determine why a SORN was not published that addressed the collection and maintenance of photos accessed and used through NGI for the FBI's face recognition capabilities prior to using NGI-IPS, and implement corrective actions to ensure SORNs are published before systems become operational.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ agreed, in part, with our recommendation and submitted the SORN for publication to the Federal Register on April 21, 2016, and it was published on May 5, 2016. DOJ did not agree that the publication of a SORN is required by law. We disagree with DOJ's interpretation regarding the legal requirements of a SORN. The Privacy Act of 1974 requires that when agencies establish or make changes to a system of records, they must notify the public through a SORN published in the Federal Register. DOJ's comments on our draft report acknowledge that the automated nature of face recognition technology and the sheer number of photos now available for searching raise important privacy and civil liberties considerations. DOJ officials also stated that the FBI's face recognition capabilities do not represent new collection, use, or sharing of personal information. We disagree. We believe that the ability to perform automated searches of millions of photos is fundamentally different in nature and scope than manual review of individual photos, and the potential impact on privacy is equally fundamentally different. By assessing the SORN development process and taking corrective actions to ensure timely development of future SORNs, the public would have a better understanding of how personal information is being used and protected by DOJ components. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Director of the Federal Bureau of Investigation should conduct audits to determine the extent to which users of NGI-IPS and biometric images specialists in FACE Services are conducting face image searches in accordance with Criminal Justice Information Services Division policy requirements.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In March 2017, DOJ provided us with the audit plan the CJIS Audit Unit developed in June 2016 for NGI-IPS users. In addition, DOJ reported that the CJIS Audit Unit began assessing NGI-IPS requirements at participating states in conjunction with its triennial National Identity Services audit and that, as of February 2017, the unit had conducted NGI-IPS audits of four states. Further, DOJ officials said CJIS developed an audit plan of the FACE Services Unit to coincide with the existing triennial FBI internal audit for 2018. However, DOJ did not provide the audit plan for the FACE Services Unit. DOJ officials said the methodology would be the same as the audit plan for NGI-IPS, but that methodology does not describe oversight on use of information obtained from external systems accessed by FACE Services employees. Therefore, we believe DOJ is making progress towards meeting the recommendation, but has not fully implemented our recommendation.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct tests of NGI-IPS to verify that the system is sufficiently accurate for all allowable candidate list sizes, and ensure that the detection and false positive rate used in the tests are identified.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up, as of March 2017, DOJ did not concur with this recommendation. DOJ officials stated that the FBI has performed accuracy testing to validate that the system meets the requirements for the detection rate, which fully satisfies requirements for the investigative lead service provided by NGI-IPS. We disagree with DOJ. A key focus of our recommendation is the need to ensure that NGI-IPS is sufficiently accurate for all allowable candidate list sizes. Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists (between 2 and 50 photos). FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes. According to these officials, a smaller candidate list would likely lower the detection rate because a smaller candidate list may not contain a likely match that would be present in a larger candidate list. However, according to the FBI Information Technology Life Cycle Management Directive, testing needs to confirm the system meets all user requirements. Because the accuracy of NGI-IPS's face recognition searches when returning fewer than 50 photos in a candidate list is unknown, the FBI is limited in understanding whether the results are accurate enough to meet NGI-IPS users' needs. DOJ officials also stated that searches of NGI-IPS produce a gallery of likely candidates to be used as investigative leads, not for positive identification. As a result, according to DOJ officials, NGI-IPS cannot produce false positives and there is no false positive rate for the system. We disagree with DOJ. The detection rate and the false positive rate are both necessary to assess the accuracy of a face recognition system. Generally, face recognition systems can be configured to allow for a greater or lesser number of matches. A greater number of matches would generally increase the detection rate, but would also increase the false positive rate. Similarly, a lesser number of matches would decrease the false positive rate, but would also decrease the detection rate. Reporting a detection rate of 86 percent without reporting the accompanying false positive rate presents an incomplete view of the system's accuracy. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct an operational review of NGI-IPS at least annually that includes an assessment of the accuracy of face recognition searches to determine if it is meeting federal, state, and local law enforcement needs and take actions, as necessary, to improve the system.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: As of March 2017, FBI officials stated they implemented the recommendation by submitting a paper to solicit feedback from users through the Fall 2016 Advisory Policy Board Process. Specifically, officials said the paper requested feedback on whether the face recognition searches of the NGI-IPS are meeting their needs, and input regarding search accuracy. According to FBI officials, no users expressed concern with any aspect of the NGI-IPS meeting their needs, including accuracy. Although FBI's action of providing working groups with a paper presenting GAO's recommendation is a step, the FBI's actions do not fully meet the recommendation. The FBI's paper was presented as informational, and did not result in any formal responses from users. We disagree with the FBI's conclusion that receiving no responses on the informational paper fulfills the operational review recommendation, which includes determining that NGI-IPS is meeting user's needs. As such, we continue to recommend the FBI conduct an operational review of NGI-IPS at least annually.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should take steps to determine whether each external face recognition system used by FACE Services is sufficiently accurate for the FBI's use and whether results from those systems should be used to support FBI investigations.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up in 2017, DOJ officials did not concur with this recommendation and had no plans to implement it. DOJ officials stated that the FBI has no authority to set or enforce accuracy standards of face recognition technology operated by external agencies. In addition, DOJ officials stated that the FBI has implemented multiple layers of manual review that mitigate risks associated with the use of automated face recognition technology. Further, DOJ officials stated there is value in searching all available external databases, regardless of their level of accuracy. We disagree with the DOJ position. We continue to believe that the FBI should assess the quality of the data it is using from state and federal partners. We acknowledge that the FBI cannot and should not set accuracy standards for the face recognition systems used by external partners. We also do not dispute that the use of external face recognition systems by the FACE Services Unit could add value to FBI investigations. However, we disagree with FBI's assertion that no assessment of the quality of the data from state and federal partners is necessary. We also disagree with the DOJ assertion that manual review of automated search results is sufficient. Even with a manual review process, the FBI could miss investigative leads if a partner does not have a sufficiently accurate system. By relying on its external partners' face recognition systems, the FBI is using these systems as a component of its routine operations and is therefore responsible for ensuring the systems will help meet FBI's mission, goals and objectives. The recommendation remains open and unimplemented.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    3 open recommendations
    Recommendation: To help ensure the efficient use of resources for the Three Percent Fund, the Attorney General should develop a policy and implement procedures to regularly analyze unobligated balances and develop collection estimates in order to determine an appropriate reserve amount and inform estimates of future funding needs.

    Agency: Department of Justice
    Status: Open

    Comments: In February 2015, we found that the Department of Justice (DOJ) Collection Resource Allocation Board (CRAB) had taken steps to manage the Three Percent Fund, but it had not conducted analyses that would help DOJ better manage the fund, such as developing reserve estimates aligned with DOJ priorities or projecting future collections. GAO has identified leading practices among federal agencies when evaluating balances in federal accounts. Such practices emphasize the importance of regularly analyzing balances by, for example, estimating collections and determining reserve needs. Doing so helps agencies more effectively anticipate program needs and ensure the most efficient use of resources. As a result, we recommended that DOJ develop a policy and implement procedures to regularly analyze unobligated balances collection estimates in the Three Percent Fund. DOJ partially concurred with this recommendation. In response, DOJ provided us with a policy it began implementing in January 2016 to help them analyze the Three Percent Fund's unobligated balance and develop an appropriate reserve amount. For example, DOJ's policy for developing the reserve estimate now relies on more robust requests for information of DOJ debt collection activities, including government personnel, contract support, and automated litigation service requirements. By developing and implementing this policy, DOJ is better positioned to ensure the continuity of operations funded through the Three Percent Fund and to make future resource allocations. However, DOJ stated in its response to the report that it does not believe it is appropriate to estimate incoming collections for the following year. For example, DOJ does not ask litigating components for the number of cases that will be settled because the agency does not want to be perceived as inappropriately encouraging larger government civil collections. Additionally, DOJ does not calculate such estimates due to the high level of variability in the civil debt litigation cases that make it difficult to use historical information to estimate reserves. We noted in our report DOJ's concerns for developing collection estimates. However, we continue to believe that developing a policy for considering collection estimates is important. The Three Percent Fund is self-sustaining and does not receive annual appropriations. Therefore, any volatility should be managed with the best information and estimates the department can provide. Without developing collection estimates, DOJ is at risk of committing too much or too few budgetary resources from the Three Percent Fund. A lack of such a policy may lead to Three Percent balances either falling too low to efficiently manage operations or rise to unnecessarily high levels. As we have previously reported, one method DOJ could consider instead of a specific dollar estimate is to develop a range between the potential lowest and highest collection amounts based on historical trends and current collection activities. By estimating future collections, DOJ could better ensure it is able to efficiently fund as many programs as possible and best support the fund's priorities. Therefore, we consider this recommendation only partially implemented and will keep it open until DOJ develops collection estimates to aid managing the Three Percent Fund.
    Recommendation: To improve transparency and ensure the effective use of automation fees for the CJIS fingerprint checks fees, the Director of the Federal Bureau of Investigation should publish in the Federal Register, or other documents such as annual reports, how much is assessed for automation and cost recovery in each transaction to better communicate the cost of the service to customers and stakeholders.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open

    Comments: In fiscal year 2015, we found that the Federal Bureau of Investigation (FBI) sets its Criminal Justice Information Services (CJIS) fingerprint checks fees to collect two parts--the cost recovery portion and the automation portion, but does not provide transparency in how much is assessed for each portion of the fee. As a result, we recommended that FBI publish in the Federal Register, or other documents such as annual reports, how much is assessed for automation and cost recovery in each transaction to better communicate the cost of the service to customers and stakeholders. In July 2016, FBI published a notice in the Federal Register announcing a CJIS fingerprint checks fees rate change effective on October 1, 2016. However, the notice did not include an explanation of how much is assessed for the cost recovery or the automation portion of the fee. According to a Department of Justice (DOJ) liaison, FBI included a breakout of the revised rates in its CJIS Information Letter, which services as written notification of a rate change to state and federal stakeholders. GAO requested a copy of the CJIS Information Letter, but as of February 2017, DOJ has not provided the letter. Further, while the CJIS Information Letter might provide transparency to stakeholders on how much FBI assesses for each portion of the fee, FBI has not relayed how it intends to be transparent with customers. To fully address this recommendation, FBI needs to demonstrate that it is being transparent with stakeholders and with customers. Until it does so, this recommendation will remain open.
    Recommendation: To improve transparency and ensure the effective use of automation fees for the CJIS fingerprint checks fees, the Director of the Federal Bureau of Investigation should develop a policy to analyze the unobligated balances coming from the automation portion of the fee to inform program needs, including improving methods for anticipating automation collections, and establishing a range of appropriate carryover amounts to support program needs.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open

    Comments: In fiscal year 2015, we found that the Federal Bureau of Investigation (FBI) had a growing unobligated balance from the automation portion of its Criminal Justice Information Services (CJIS) fingerprint checks fees but did not evaluate the appropriate range of its carryover amounts, nor had it developed a policy to do so. As a result, we recommended that FBI develop a policy to analyze the unobligated balances coming from the automation portion of the fee to inform program needs, including improving methods for anticipating automation collections, and establishing a range of appropriate carryover amounts to support program needs. In September 2016, the Department of Justice (DOJ) reported that FBI is taking steps to develop and implement a multi-year investment plan that will be reviewed and updated annually, and that will address key questions from the GAO report titled "Budget Issues: Key Questions to Consider When Evaluating Balances in Federal Accounts." Additionally, the multi-year investment plan will include both an annual analysis of current and projected revenue from the automation portion of the fee, and the evaluation of the resource requirements needed to support the development of technological enhancement of fingerprint identification and criminal justice services. According to DOJ officials, the 2017 plan will be the first to include this information; however GAO has not yet received a copy of the 2017 plan. We will continue to monitor FBI's progress on this recommendation.
    Director: Lepore, Brian J
    Phone: (202)512-3000

    1 open recommendations
    Recommendation: To determine the viability and cost-effectiveness of reducing transmission times for biometrics data, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering, through the Under Secretary of Defense for Acquisition, Technology, and Logistics, to comprehensively assess and then address, as appropriate, the factors that contribute to transmission time for biometrics data.

    Agency: Department of Defense
    Status: Open

    Comments: In January 2016, DOD published Directive 8521.01E, Defense Biometrics, which directs the Secretary of the Army to measure the health and performance of the DOD Biometrics Enterprise and generate results for the Biometrics Principal Staff Assistant and the DOD Biometrics Executive Committee. OUSD(AT&L) and Army officials also noted that the department is required to obtain a favorable evaluation from the Director, Operational Test and Evaluation (DOT&E) and the Army Test and Evaluation Command in order to obtain approval for extending the service life of DOD's authoritative biometric system. These officials note that the tests and evaluations required for such approval will include an assessment of transmission and response times against approved requirements for the biometrics system. However, Marine Corps officials highlighted continued biometrics data transmission and synchronization issues with a currently fielded biometric capability that uses some of the same technology we identified issues with during the course of our review. In Summer 2017, DOD informed GAO that the department will soon issue a report to address these issues, so GAO is keeping this recommendation open until such time as DOD's report becomes available for GAO review.