Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • Results:

    Subject Term: Software

    44 publications with a total of 224 open recommendations including 12 priority recommendations
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: Congress should consider requiring the NASA Administrator to direct the Exploration Systems Development organization within the Human Exploration and Operations Mission Directorate to establish separate cost and schedule baselines for work required to support SLS and EGS for Exploration Mission 2 and establish separate cost and schedule baselines for each additional capability that encompass all life cycle costs, to include operations and sustainment. (Matter for Consideration 1)

    Agency: Congress
    Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.
    Recommendation: Exploration Systems Development should no longer dual-hat individuals with both programmatic and technical authority responsibilities. Specifically, the technical authority structure within Exploration Systems Development should be restructured to ensure that technical authorities for the Offices of the Chief Engineer and Safety and Mission Assurance are not fettered with programmatic responsibilities that create an environment of competing interests that may impair their independence. (Recommendation 1)

    Agency: National Aeronautics and Space Administration: Human Exploration and Operations Mission Directorate: Exploration Systems Development Division
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol Harris
    Phone: (202) 512-4456

    14 open recommendations
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes and implements specific time frames for determining key strategic implementation details, including how the program will transition from the current state to the final TIM state. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes a schedule that provides planned completion dates based on realistic estimates of how long it will take to deliver capabilities. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes new time frames for implementing the actions identified in the organizational change management strategy and effectively executes against these time frames. (Recommendation 3)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office defines and documents the roles and responsibilities among product owners, the solution team, and any other relevant stakeholders for prioritizing and approving Agile software development work. (Recommendation 4)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes specific prioritization levels for current and future features and user stories. (Recommendation 5)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office implements automated Agile management testing and deployment tools, as soon as possible. (Recommendation 6)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office updates the Systems Engineering Life Cycle Tailoring Plan to reflect the current governance framework and milestone review processes. (Recommendation 7)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes thresholds or targets for acceptable performance-levels. (Recommendation 8)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office begins collecting and reporting on Agile-related cost metrics. (Recommendation 9)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that program velocity is measured and reported consistently. (Recommendation 10)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that unit test coverage for software releases is measured and reported accurately. (Recommendation 11)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that appropriate DHS leadership reaches consensus on needed oversight and governance changes related to the frequency of reviewing Agile programs, and then documents and implements associated changes. (Recommendation 12)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that the Office of the Chief Technology Officer completes guidance for Agile programs to use for collecting and reporting on performance metrics. (Recommendation 13)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that DHS-level oversight bodies review key Agile performance and cost metrics for the TIM program and use them to inform management oversight decisions. (Recommendation 14)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The DHS Under Secretary for Management should develop and implement effective processes and improve guidance to reasonably assure that future AAs fully follow AOA process best practices and reflect the four characteristics of a reliable, high-quality AOA process. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The DHS Under Secretary for Management should improve the Risk Management Planning Handbook and other relevant guidance for managing risks associated with financial management system modernization projects to fully incorporate risk management best practices, including (1) defining thresholds to facilitate review of performance metrics to determine when risks become unacceptable; (2) identifying and analyzing risks to include periodically reconsidering risk sources, documenting risks specifically related to the lack of sufficient, reliable cost and schedule information needed to help properly manage and oversee the project, and timely disposition of IV&V contractor-identified risks; (3) developing risk mitigation plans with specific risk-handling activities, the costs and benefits of implementing them, and contingency plans for selected critical risks; and (4) implementing risk mitigation plans to include establishing periods of performance for risk-handling activities and defining time intervals for updating and certifying the accuracy and completeness of information on risks in DHS's risk register. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    25 open recommendations
    Recommendation: The Administrator of General Services should disseminate the 16 agency-focused lessons learned that have not been fully incorporated in GSA guidance to the agencies involved in the current transition. (Recommendation 1)

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer verifies the completeness of its inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory. (Recommendation 2)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer completes efforts to identify future telecommunications needs and areas for optimization, identifies the costs and benefits of new technology, and aligns USDA's approach with its long-term plans. (Recommendation 3)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer identifies transition-related roles and responsibilities related to the management of assets, human capital, and information security, and legal expertise; develops a transition communications plan; and uses configuration and change-management processes in USDA's transition. (Recommendation 4)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer documents the costs and benefits of transition investments, identifies staff resources needed for the remainder of the transition, and analyzes training needs for staff assisting with the transition. (Recommendation 5)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the Department's Chief Information Officer demonstrates that the Department's transition goals and measures align with its mission, identifies transition risks related to critical systems and continuity of operations, and identifies mission-critical priorities in USDA's transition timeline. (Recommendation 6)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer verifies the completeness of DOL's inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory. (Recommendation 7)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies the agency's future telecommunications needs, completes a strategic analysis of the agency's telecommunications requirements, and incorporates the requirements into transition planning. (Recommendation 8)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies transition-related roles and responsibilities related to the management of assets, human capital, and information security, and legal expertise; develops a transition communications plan; and uses project, configuration, and change-management processes in DOL's transition. (Recommendation 9)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies the resources needed for the full transition, develops justifications for the costs of changes to hardware and software, identifies staff resources needed for the remainder of the transition, and analyzes training needs for staff assisting with the transition. (Recommendation 10)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the Department's Chief Information Officer identifies transition risks related to information security, critical systems, and continuity of operations, and identifies mission-critical priorities in DOL's transition timeline. (Recommendation 11)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer identifies the agency's future telecommunications needs, areas for optimization, and the costs and benefits of new technology; completes a strategic analysis of the commission's telecommunications requirements; and incorporates the identified requirements into transition planning. (Recommendation 12)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer identifies roles and responsibilities related to the management of assets and human capital and legal expertise for the transition; includes key local and regional officials in SEC's transition communications plan; and completes efforts to use configuration and change management processes in the transition. (Recommendation 13)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer identifies the resources needed for the full transition, justifies requests for transition resources, identifies staff resources needed for the full transition, and completes efforts to analyze training needs for staff assisting with the transition. (Recommendation 14)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Securities and Exchange Commission should ensure that the Commission's Chief Information Officer completes efforts to demonstrate that the commission's transition goals and measures align with its mission, identifies transition risks related to critical systems and continuity of operations, and identifies mission-critical priorities in SEC's transition timeline. (Recommendation 15)

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer verifies the completeness of SSA's inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory regarding services other than local and long-distance telecommunications. (Recommendation 16)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer completes identification of the agency's future telecommunications needs and aligns its approach with the agency's enterprise architecture. (Recommendation 17)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer uses configuration and change-management processes in its transition. (Recommendation 18)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer identifies the resources needed for the full transition, documents the costs and benefits of transition investments, identifies staff resources needed for the remainder of the transition, and analyzes training needs for all staff working on the transition. (Recommendation 19)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the Administration's Chief Information Officer completes efforts to identify measures of success for the transition, identifies transition risks related to critical systems and continuity of operations, and identifies mission-critical priorities in SSA's transition timeline. (Recommendation 20)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer verifies the completeness of DOT's inventory of current telecommunications assets and services and establishes a process for ongoing maintenance of the inventory. (Recommendation 21)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer identifies the agency's future telecommunications needs, areas for optimization, and costs and benefits of new technology; and completes efforts to align DOT's approach with its long-term plans and enterprise architecture. (Recommendation 22)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer identifies roles and responsibilities related to the management of assets and human capital and legal expertise for the transition; develops a transition communications plan; and fully uses configuration and change-management processes in DOT's transition. (Recommendation 23)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer fully identifies the resources needed for the full transition, justifies requests for transition resources, identifies staff resources needed for the full transition, and fully analyzes training needs for staff assisting with the transition. (Recommendation 24)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Transportation should ensure that the Department's Chief Information Officer fully demonstrates that DOT's transition goals and measures align with its mission; completely identifies transition risks related to information security, critical systems, and continuity of operations; and fully identifies mission-critical priorities in the transition timeline. (Recommendation 25)

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to take steps needed to ensure that system requirements are defined to align with the business needs of CNCS's future risk-based grants monitoring process (Recommendation 1).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that the system development project schedule identifies in the baseline both planned and actual dates for completing all project-level activities, and can be used to monitor and measure progress of the grant monitoring system project (Recommendation 2).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that test plans are defined and implemented to include the second version of the grant monitoring system in all stages of testing during development, and results of initial stages are approved before conducting subsequent test stages (Recommendation 3).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michael J. Sullivan
    Phone: (202) 512-4841

    3 open recommendations
    Recommendation: To ensure that DOD adequately prioritizes its resources to finish F-35 baseline development and delivers all of the promised warfighting capabilities and that Congress is fully informed when making fiscal year 2018 budget decisions, the Secretary of Defense should reassess the additional cost and time needed to complete developmental testing using historical program data.

    Agency: Department of Defense
    Status: Open

    Comments: The agency has not taken any action to implement this recommendation.
    Recommendation: To ensure that DOD adequately prioritizes its resources to finish F-35 baseline development and delivers all of the promised warfighting capabilities and that Congress is fully informed when making fiscal year 2018 budget decisions, the Secretary of Defense should delay the issuance of the Block 4 development request for proposals at least until developmental testing is complete and all associated capabilities have been verified to work as intended.

    Agency: Department of Defense
    Status: Open

    Comments: The agency has not taken any action to implement this recommendation.
    Recommendation: To ensure that DOD adequately prioritizes its resources to finish F-35 baseline development and delivers all of the promised warfighting capabilities and that Congress is fully informed when making fiscal year 2018 budget decisions, the Secretary of Defense should finalize the details of DOD and contractor investments associated with an economic order quantities (EOQ) purchase in fiscal year 2018, and submit a report to Congress with the fiscal year 2018 budget request that clearly identifies the details, including costs and benefits of the finalized EOQ approach.

    Agency: Department of Defense
    Status: Open

    Comments: In providing comments on this report, the agency partially concurred with this recommendation but has not yet taken any actions necessary to implement it.
    Director: Susan Fleming
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To determine whether CSA interventions influence motor carrier safety performance, the Secretary of Transportation should direct the FMCSA Administrator to identify and implement, as appropriate, methods to evaluate the effectiveness of individual intervention types or common intervention patterns to obtain more complete, appropriate, and accurate information on the effectiveness of interventions in improving motor carrier safety performance. In identifying and implementing appropriate methods, FMCSA should incorporate accepted practices for designing program effectiveness evaluations, including practices that would enable FMCSA to more confidently attribute changes in carriers' safety behavior to CSA interventions.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To understand the efficiency of CSA interventions, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's cost estimates to determine the resources currently used to conduct individual intervention types and ensure FMCSA has cost information that is representative of all states.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable FMCSA management to monitor the agency's progress in achieving its effectiveness and efficiency outcomes for CSA interventions and balance priorities, the Secretary of Transportation should direct the FMCSA Administrator to establish and use performance measures to regularly monitor progress toward both FMCSA's effectiveness outcome and its efficiency outcome.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David Powner
    Phone: (202) 512-9286

    25 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: United States Agency for International Development
    Status: Open

    Comments: We plan to follow up on the agency's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Education
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Commerce
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Energy
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Social Security Administration
    Status: Open

    Comments: In its comments on a draft of our report, SSA agreed with our recommendation. Subsequent to SSA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Transportation
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department said it had no comments on our draft report and recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of State
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its comments on a draft of our report, EPA generally agreed with our recommendation. Subsequent to EPA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In its comments on a draft of our report, NASA concurred with our recommendation. Subsequent to NASA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Small Business Administration
    Status: Open

    Comments: In comments on a draft of our report, SBA said the report captures its current posture. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In comments on a draft of our report, NRC stated that it generally agreed with the report. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In its comments on a draft of our report, OPM concurred with our recommendation. Subsequent to OPM informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

    Agency: Department of Defense
    Status: Open

    Comments: In comments on a draft of our report, the department disagreed with our recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of the Interior should direct the department's CIO to document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Director of the National Science Foundation should direct the CIO to consistently document evaluations for all applications and report cost information for them in the roadmap or other documentation.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: In the event that operational test results for PDB-8 and PDB-8.1 reveal performance shortfalls that require additional development of the near and mid-term upgrades tested, the Secretary of Defense should direct the Secretary of the Army to establish mechanisms for overseeing those upgrades commensurate with other major defense acquisition programs, to include an initial report--similar to a Selected Acquisition Report--as soon as practical following operational testing for both PDB-8 and PDB-8.1, on the near and mid-term upgrades evaluated during these tests, including: (1) cost, schedule, and performance estimates for any additional development that is needed; and (2) an estimate of the amount of development costs it has incurred since 2013 for near- and mid-term Patriot upgrades operationally tested along with PDB-8 and PDB-8.1.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation; however, it is too early to determine what, if any, actions the agency will take until the results of operational testing for PDB-8 are made available following its planned completion in late summer 2017.
    Recommendation: In the event that operational test results for PDB-8 and PDB-8.1 reveal performance shortfalls that require additional development of the near and mid-term upgrades tested, the Secretary of Defense should direct the Secretary of the Army to establish mechanisms for overseeing those upgrades commensurate with other major defense acquisition programs, to include annual updates to Congress comparing the latest cost and schedule estimates against the initial estimates and providing explanations for any major deviations until development is complete.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation; however, it is too early to determine what, if any, actions the agency will take until the results of operational testing for PDB-8 are made available following its planned completion in late summer 2017.
    Director: David A. Powner
    Phone: (202) 512-9286

    12 open recommendations
    Recommendation: In order to improve the accuracy of IT Dashboard incremental development data, the Director of OMB should direct the Federal Chief Information Officer (CIO) to clarify existing guidance regarding what IT investments are and are not subject to requirements on the use of incremental development and how CIOs should report the status of projects that are not subject to these requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has taken initial steps to implement our recommendation. Specifically, OMB's June 2016 annual capital planning guidance for fiscal year 2018 included instructions on what types of investments were required to adhere to incremental development requirements related to the delivery of usable functionality. The guidance stated that all software development projects are required to produce usable functionality at intervals of no more than six months. Further, all major development projects within investments are required to use modular/agile principles. However, OMB's guidance still lacks direction on how CIOs are to report the status of nonsoftware projects, as we recommended. In the absence of our recommended guidance clarification, OMB is at risk of agencies continuing to be unclear about how nonsoftware development investment data are to be reported on the Dashboard, increasing the risk that data on the IT Dashboard will not always be accurate. We will continue to evaluate OMB's progress in clarifying its guidance and considering a change to provide more detailed guidance related to the reporting of nonsoftware development investment data.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the Enterprise Business Management Office within the Office of the Chief Information Officer will validate each investment reported on the Dashboard and work with program officials to ensure they appropriately update the data for the IT Dashboard. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation and stated that the department will ensure that the data is kept current using their IT portfolio management process. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that these changes would be incorporated into the department's Dashboard reporting. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) partially concurred with our recommendation and stated that the department is taking action to update the Dashboard data as appropriate. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) concurred with our recommendation and stated the department was committed to ensuring the information on the IT Dashboard reflects up to date information. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation to establish a departmentwide certification policy. Education officials reported in March 2017 that the department will complete changes to its guidance by November 2017. However, until this guidance is finalized, Education will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate Education's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) did not concur with our recommendation, stating that its existing guidance was adequate in this area. However, in August 2016, Defense issued its fiscal year 2018 budget submission guidance which required each component CIO to certify that IT investments were adequately implementing incremental development. The component CIOs were to document the certification in a statement of compliance memorandum, using their agency's letterhead, and submit the memorandum to the Defense CIO. Defense officials report that this same guidance will be added to the Financial Management Regulations during summer 2017. Until this annual guidance has been updated and incorporated into the department's standing policies, Defense is at risk of overlooking this requirement in subsequent years. We will continue to evaluate Defense's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation to establish a departmentwide certification policy. However, HHS officials reported in April 2017 that they did not have a timeframe for when the department's new certification guidance would be completed. Until this guidance is finalized, HHS will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate HHS's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendations. Further, Treasury officials reported in March 2017 that it had no plans to revise its policies, as we recommended. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to ensure that goals and associated performance measures are outcome-oriented and that performance measures have targets, including (1) performance measures and targets tied to fully recovering program costs; and (2) goals, performance measures, and targets for how the program will achieve its mission after September 2016.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures and targets. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to reflect additional 18F goals and performance measures, including measures tied to fully recovering program costs. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to assess actual results for each performance measure.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures with targets. Additionally, GSA has assessed actual results of the performance measures for the first two quarters of fiscal year 2017. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to include additional 18F goals and performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to ensure that all goals and associated performance measures are outcome-oriented and that performance measures have targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to assess actual results for each performance measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common platforms, services, and tools. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update USDS policy to clearly define the responsibilities and authorities governing the relationships between CIOs and the digital service teams and require existing agency digital service teams to address this policy. In doing so, the Federal Chief Information Officer should ensure that this policy is aligned with relevant federal law and OMB guidance on CIO responsibilities and authorities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: Chaplain, Cristina T
    Phone: (202) 512-4841

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To provide the Congress and NASA a reliable estimate of program cost and schedule that are useful to support management and stakeholder decisions, the NASA Administrator should direct the Orion program to perform an updated JCL analysis including updating cost and schedule estimates in adherence with cost and schedule estimating best practices.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA partially agreed with this recommendation, stating that the agency reviewed, in detail, the Orion integrated cost/schedule and risk analysis methodology and determined the rigor to be a sufficient basis for the agency commitments. We still contend that NASA should update its analysis that informed its baseline because we found that the cost and schedule estimates underlying those baselines are not reliable as they did not conform to best practices.
    Recommendation: To have a full understanding of the cost, schedule, and safety impact of deferring work, the NASA Administrator should direct the Orion program to perform an analysis on the cost of deferred work in relation to levels of management reserves and unallocated future expenses and actual contractor performance, and report the results of that analysis to NASA management.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: NASA concurred with this recommendation, but characterized its deferral of work to date as task-level deferrals, lasting only several months and not affecting major program milestones or the critical path. NASA did agree to include an analysis of how these deferrals affect budget reserves and program performance in future routine management reporting. NASA officials told us that they are currently evaluating work flow for the first and second mission as the agency revisits the launch date for the first mission. Given this is currently being analyzed, officials were not able to provide any analysis at this time about the potential cost impact of changes in scheduled work.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of the Department of Homeland Security (DHS) should direct the Director of USCIS to direct the USCIS Chief Information Officer (CIO), in coordination with the DHS CIO and the Chief of the Office of Transformation Coordination (OTC), to review and update, as needed, existing policies and guidance and consider additional controls to complete planning for software releases prior to initiating development and ensure software meets business expectations prior to deployment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, the U.S. Citizenship and Immigration Services (USCIS) within the Department of Homeland Security (DHS) had taken steps to address this recommendation. In particular, in June 2017, USCIS provided an updated policy, dated April 2017, governing planning and deploying software releases. USCIS also demonstrated partial compliance with that policy. For example, it provided some release planning review documentation for recent releases that are required by the updated policy, including readiness review memos for releases 7.2 and 8.1. However, USCIS did not demonstrate that the program responsible for developing the USCIS Electronic Immigration System (USCIS ELIS) was consistently following its updated policy. For example, USCIS did not demonstrate that the program was completing all planning activities prior to initiating development, as called for in its updated policy. Moreover, the agency did not demonstrate compliance with its previous policy for all software releases planned and deployed since our July 2016 report. We will continue to work with USCIS to monitor actions the agency is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to consistently implement the principles of the framework adopted for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases, dated April 2017, along with release planning artifacts specific to USCIS ELIS. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. However, USCIS had not clearly indicated if USCIS ELIS was to implement the practices described in the policy. For example, the updated policy did not require program compliance with the generally accepted agency practices. Moreover, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology or set of development practices. For example, the team process agreements, which describe how members of individual teams will work with each other, did not indicate if developers were to adhere to the practices described in updated USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to define and consistently execute appropriate roles and responsibilities for individuals responsible for development activities consistent with its selected development framework.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in June 2017, USCIS provided updated policy, dated April 2017, governing the development of software releases and release planning artifacts. The updated policy and release documentation defined some roles and responsibilities that were previously only described by USCIS in its informal November 2014 management model, such as the authority and responsibility of a product owner. However, program documentation and policy did not define all of the roles and responsibilities. For example, program documentation and policy did not define the roles and responsibilities of a facilitator, or Scrum Master, which is a position identified in leading practices for software development using Scrum, the development methodology previously identified by the program. In addition, USCIS did not demonstrate that it had defined and committed to an updated development methodology for software releases. Such a defined methodology will impact expectations for the roles and responsibilities in software development. Without such a defined methodology or approach to Agile software development, it is not clear if roles and responsibilities defined by the previously documented approach to Agile software development are still applicable for the current development approach. Moreover, documentation associated with program releases and updated policy did not define all of the roles and responsibilities for positions described by USCIS in its May 2017 written response to GAO. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to identify all system users and involve them in release planning activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that the department has addressed this recommendation. In October 2016, DHS provided a written response stating that the USCIS Office of Information Technology and Office of Transformation Coordination were working closely with the various USCIS directorates to obtain and integrate feedback through regular review sessions with the end users and through additional end user testing. However, as of July 2017, DHS and USCIS have not provided new information about the status of this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to write user stories that identify user roles, include estimates of complexity, take no longer than one sprint to complete, and describe business value.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had provided GAO with documentation intended to demonstrate that the agency had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases along with release planning artifacts specific to USCIS ELIS and an Independent Verification and Validation assessment. The agency also provided a series of backlogs that captured user stories for some software releases. In addition, the Independent Verification and Validation assessment indicated that the program was tracking user story quality as part of assessing whether value was continuously discovered and aligned to the mission. However, the assessment report provided to GAO indicated a negative trend for this outcome. Moreover, USCIS policy no longer set expectations regarding user story development. In addition, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology, which in turn impacts the expectations for writing user stories. Finally, backlogs provided by USCIS did not cover all releases in development since our July 2016 report and did not include enough detail to assess all aspects of the user story process (e.g., story size and user involvement). We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to establish outcomes for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in April 2017, USCIS issued updated policy governing software development at the agency. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. This appendix also included a set of ten outcomes associated with using Agile practices at USCIS. For example, outcomes included that value is continuously discovered and aligned to the mission. However, the updated policy did not require program compliance with the practices and principles described in the appendix. Moreover, the agency did not demonstrate that USCIS ELIS had committed to achieving a specific set of outcomes for Agile software development, such as the outcomes described in the USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to monitor program performance and report to appropriate entities through the collection of reliable metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software that called for teams to prepare an Operations Monitoring Plan or dashboard showing the practices, tools, and measures that will monitor applications in production. The agency also provided a series of documents from internal systems and processes intended to monitor performance, such as a product dashboard for analyzing code quality (i.e., SonarQube) and a report from its Independent Verification and Validation team. However, the program was undergoing a re-baseline and had yet to document updated cost, schedule, and performance expectations against which to monitor. Moreover, the agency did not demonstrate that other metrics, such as customer satisfaction and team velocity, were being reliably collected. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to conduct unit and integration, and functional acceptance tests, and code inspection consistent with stated program goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided artifacts from internal systems in place to monitor software development performance. These metrics monitored aspects of testing, such as code quality and code coverage. However, the program did not provide an updated Test and Evaluation Master Plan, which is a document it will produce as part of its ongoing effort to re-baseline. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. Moreover, the agency did not demonstrate that functional acceptance tests were being conducted in accordance with stated program goals. For example, the agency did not provide acceptance criteria or the associated tests demonstrating that user stories passed the defined acceptance criteria. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to develop complete test plans and cases for interoperability and end user testing, as defined in the USCIS Transformation Program Test and Evaluation Master Plan, and document the results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that they had addressed this recommendation. In October 2016, DHS provided a written response indicating that an internal process for revisiting the USCIS ELIS Test and Evaluation Master Plan had been initiated, with participation from all relevant stakeholder groups. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. The letter also stated that USCIS had begun to work on a policy for new interoperability test procedures. Moreover, the letter added that end user testing is a continuing activity, including providing feedback of observed issues into the development queue, with the slow launch of the naturalization capabilities in USCIS ELIS being a model. However, as of July 2017, DHS and USCIS had not provided new information about the status of this recommendation. We will continue to work with DHS and USCIS to obtain additional documentation about actions they are taking to address this recommendation.
    Director: Frank Rusco
    Phone: (202) 512-3841

    7 open recommendations
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to develop a consistent definition of patent quality, and clearly articulate this definition in agency documents and other guidance.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will update relevant agency guidance, conduct training, and take other actions in response to this recommendation by March 2017.
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to further develop measurable, quantifiable goals and performance indicators related to patent quality as part of the agency's strategic plan.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will update existing indicators and, as appropriate, develop new measures by October 2016.
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to analyze the time examiners need to perform a thorough patent examination. This action could be taken in conjunction with the recommendation in our report on USPTO's prior art search capabilities (GAO-16-479).

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will complete an examination of expectancy by April 2017.
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to analyze how current performance incentives affect the extent to which examiners perform thorough examinations of patent applications.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will complete an assessment of examination quality across current incentive award tiers by September 2017.
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to establish a process to provide data on the results of the Patent Trial and Appeal Board (PTAB) proceedings to managers and staff in the USPTO's Technology Centers, and analyze PTAB data for trends in patent quality issues to identify whether additional training, guidance, or other actions are needed to address trends.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will establish a process to provide examiners with information on various PTAB proceedings by September 2016.
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to evaluate the effects of compact prosecution and other agency application and examination policies on patent quality. In doing so, USPTO should determine if any changes are needed to ensure that the policies are not adversely affecting patent quality.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will complete an assessment of various policies on patent quality by September 2017.
    Recommendation: To help improve patent quality, the Secretary of Commerce should direct the Director of the USPTO to consider whether to require patent applicants to include claim clarity tools--such as a glossary of terms, a check box to signal functional claim language, or claim charts--in each patent application.

    Agency: Department of Commerce
    Status: Open

    Comments: According to the agency's action plan, USPTO will issue a request for comments on additional claim clarity tools by September 2017 and determine any new requirements by January 2018.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Malenich, J Lawrence
    Phone: (202) 512-3406

    5 open recommendations
    Recommendation: To provide reasonable assurance that the property, equipment, and software transactions are properly tracked and capitalized or expensed as appropriate, the Director of CFPB should direct the program offices to require vendors to provide detailed invoices with costs broken out by project.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: During our fiscal year 2016 audit, we continued to find control deficiencies over CFPB's accounting for its property, equipment, and software. CFPB was still in the process of working with its Office of Procurement and program offices to require more detailed invoices with costs broken out by project. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Recommendation: To provide reasonable assurance that the property, equipment, and software transactions are properly tracked and capitalized or expensed as appropriate, the Director of CFPB should direct the Chief Financial Officer to update OCFO's financial records to include costs by project.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: Although CFPB took actions to attempt to address this recommendation, as of September 30, 2016, there were still some unidentified costs in the OCFO's financial records. In addition, our fiscal year 2016 audit continued to identify deficiencies over the recording of property, equipment, and software costs. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Recommendation: The Director of CFPB should direct the Office of Technology and Innovation's Chief Information Officer to develop and document training materials that are consistent with CFPB's policies and procedures and provide training to employees, on a recurring basis, on how to conduct inventory of electronic equipment and how to update and maintain accurate inventory records.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: During our fiscal year 2016 audit, we continued to find incomplete and inaccurate information in CFPB's inventory records. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Recommendation: The Director of CFPB should direct the Chief Financial Officer and Chief Information Officer to develop and implement procedures that require coordination between the OCFO and the Office of Technology and Innovation to provide reasonable assurance that the records maintained by both divisions are accurate, consistent, complete, and comparable for inventory and accounting purposes.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: During our fiscal year 2016 audit, we continued to find incomplete and inaccurate information in CFPB's inventory records. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Recommendation: The Director of CFPB should direct the Chief Financial Officer to design and implement effective procedures over the preparation of CFPB financial statements and note disclosures, including procedures such as completing the FAM 2010 and 2020 checklists at fiscal year-end, to provide reasonable assurance that the financial statements as of fiscal year-end are prepared in accordance with GAAP and note disclosures are adequate.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: During our fiscal year 2016 audit, we continued to find errors and inconsistent disclosures in CFPB's financial statements, some of which resulted in post-closing adjusting entries. We will continue to evaluate CFPB's actions to address this recommendation during our fiscal year 2017 financial statement audit.
    Director: William J. Cordrey
    Phone: (404) 679-1873

    2 open recommendations
    Recommendation: To help provide better visibility of DOD's financial management status for decision makers and to improve oversight of DOD's audit readiness efforts to strengthen internal controls and improve financial practices and processes, the Under Secretary of Defense (Comptroller) should, while developing other formatting changes to be made in future reports, expand the semiannual FIAR Plan Status Report to include the extent to which assertions of audit readiness have been made without assurance that related controls are effective and the details of remediation activities taken and planned to correct the known internal control deficiencies.

    Agency: Department of Defense: Under Secretary of Defense (Comptroller)
    Status: Open

    Comments: DOD concurred with this recommendation and stated that its future FIAR Plan Status Reports will provide an increased level of detail regarding critical aspects of achieving audit readiness. DOD further stated that it would use the recommendation to develop and, where appropriate, enhance future semiannual Status Reports to include greater visibility into the progress and impediments related to PP&E audit readiness. Specifically, DOD stated that the Office of the Under Secretary of Defense (Comptroller) will work with the military departments to ensure that their audit readiness plans include specific milestones for addressing internal control deficiencies. The Comptroller expects completion by the November 2017 FIAR report. We will continue to evaluate DOD's actions to address this recommendation.
    Recommendation: To help provide better visibility of DOD's financial management status for decision makers and to improve oversight of DOD's audit readiness efforts to strengthen internal controls and improve financial practices and processes, the Under Secretary of Defense (Comptroller) should, while developing other formatting changes to be made in future reports, expand the semiannual FIAR Plan Status Report to include the details of military services' actions taken and progress made toward correcting the control deficiencies underlying the reported dealbreakers.

    Agency: Department of Defense: Under Secretary of Defense (Comptroller)
    Status: Open

    Comments: DOD concurred with this recommendation and stated that its future FIAR Plan Status Reports will provide an increased level of detail regarding critical aspects of achieving audit readiness. DOD further stated that it would use the recommendation to develop and, where appropriate, enhance future semiannual Status Reports to include greater visibility into the progress and impediments related to PP&E audit readiness. Specifically, DOD stated that the Office of the Under Secretary of Defense (Comptroller) will work with the military departments to ensure that their audit readiness plans include specific milestones for addressing internal control deficiencies. The Comptroller expects completion by the November 2017 FIAR report. We will continue to evaluate DOD's actions to address this recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition, OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: Cary Russell
    Phone: (202) 512-5431

    2 open recommendations
    Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer to improve the reliability of its cost estimates, conduct uncertainty and sensitivity analyses consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the F-35 Program regularly performs sensitivity analysis in its cost estimates. The F-35 Cost Team runs drills throughout the year on varying ground rules and assumptions for all elements of the sustainment Annual Cost Estimate (ACE), including ALIS cost elements. These drills are used to assess cost impacts of various proposed requirements changes from the F-35 Program Office and the Services. The cost models capture the sensitivity of those technical baseline changes and the F-35 Program Office and Services use those results to inform the final technical baseline definition that becomes the basis of the annual estimate update. Although these measures are regularly performed, they do not constitute a direct uncertainty or sensitivity analysis on ALIS itself. For that reason, as of September 2017, this recommendation remains open.
    Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer to improve the reliability of its cost estimates, ensure that future estimates of ALIS costs use historical data as available and reflect significant program changes consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, as part of the cost estimating processes in the F-35 Program Office, the sustainment Annual Cost Estimate does incorporate the latest available historical cost data and reflects the latest approved technical baseline. For example, the latest hardware procurement costs from the most recent annual contracts for the F-35 were incorporated into the 2016 Annual Cost Estimate update as were the manpower assembly installation costs based on final delivered item prices. Although these are positive measures for the program and the cost estimate, the program has not incorporated a range of potential future costs that may better reflect actual ALIS costs. Until this step is taken, the recommendation will remain open.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: David J. Wise
    Phone: (202) 512-2834

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To enhance the agency's ability to effectively respond in the event of a real-world vehicle cyberattack, the Secretary of Transportation should direct NHTSA to work expeditiously to finish defining and then to document the agency's roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems, including how NHTSA would coordinate with other federal agencies and stakeholders involved in the response.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: As of May 2017, DOT had taken steps to address our recommendation, defining NHTSA's roles and responsibilities to address cybersecurity incidents that involve automotive safety critical systems under its existing processes and authorities. NHTSA also recognized the need to coordinate with other entities, including other federal agencies. However, NHTSA expects that it will need to update and improve its response and coordination plan based on new learning, experience, executive orders, and federal guidance. In addition, NHTSA plans to conduct a pilot program in fiscal year 2018 to determine whether adjustments to its current processes need to be made in light of the Department of Homeland Security's National Cyber Incident Response Plan.
    Director: Chris Currie
    Phone: (404) 679-1875

    1 open recommendation
    Recommendation: To enable FEMA to more effectively respond to disasters, the Secretary of Homeland Security should direct the FEMA Administrator to develop a workforce strategy to manage and improve retention that includes a process for systematically gathering attrition data and a plan to retain IMAT Cadre of On-Call Response Employees.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, FEMA provided an update on the status of actions taken in response to our report. In the update, FEMA officials said they had issued a new FEMA Human Capital Strategic Plan for fiscal years 2016-2020 that includes an objective to build a scalable and skilled workforce with associated measures including a decrease in attrition rate for permanent full-time employees, and an increase in disaster workforce through improvements in the recruitment and retention of incident management employees. FEMA also stated that pay issues and work-life balance have been identified as contributing to retention on National Type I and Regional Type II IMATs. FEMA is actively addressing the pay issues. FEMA provided a brief summary of the actions being taken, which include a policy, now in development, that provides information on establishing base pay under the new pay system, movement within the pay bands, and merit-based increases. Until completion of the action items, this recommendation will remain open. FEMA officials plan to provide a status update in October 2017.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that it is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and Encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 17. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any output/results (findings) from the ongoing studies DHS has related to SCADA and Encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed, refined, and were baselining a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures as an addition to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value of cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for an update on the status of data correlation, once available. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    7 open recommendations
    Recommendation: To help ensure SB/SE's audit selection program meets its mission and selects returns fairly, the Commissioner of Internal Revenue should clearly define and document the key term "fairness" for return selection activities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to incorporate a definition of fairness into the Internal Revenue Manual (IRM), which serves as a single point of reference for guidance to IRS examiners. In February 2016, the Deputy Commissioner of Services and Enforcement (S&E) reiterated IRS's definition of fairness in the examination process to S&E employees. In January 2017, IRS issued interim guidance on fairness in examination case selection. IRS officials said that this guidance is considered "final" until the IRM is updated, no later than January 2019. In February 2017, IRS issued an article on its IRWeb and a message from the Deputy Commissioner S&E on defining fairness in the exam process. We are awaiting resolution of how this definition will be used in three other recommendations on communicating examples as well as developing both a related objective and measure.
    Recommendation: To help ensure SB/SE's audit selection program meets its mission and selects returns fairly, the Commissioner of Internal Revenue should clearly communicate examples of fair selections to staff to better assure consistent understanding.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to communicate examples of fairness to managers and examiners involved in selecting tax returns for examination. In March 2017, the Director of IRS Small Business/Self Employed (SB/SE) Examination-Headquarters issued a memo to SB/SE examination directors that included examples illustrating the fairness definition in return selection. The examples were to be shared with directors, management, and examiners involved in return selection. To close this recommendation, we are waiting for resolution of how the fairness definition will be implemented through related recommendations on developing program objectives and measures assessing fairness in return selection.
    Recommendation: To help ensure SB/SE's audit selection program meets its mission and selects returns fairly, the Commissioner of Internal Revenue should develop, document, and implement program-level objective(s) to evaluate whether the return selection process is meeting its mission of applying the tax law with integrity and fairness to all.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to review its current objectives for the SB/SE examination program and found that an additional program-level objective to evaluate fairness in the return selection was necessary. The new objective is "Ensure examinations are initiated based on indicators of noncompliance. In addition, ensure a review of the decisions to survey a return (i.e., not initiate an examination) are based upon factors outlined in the Internal Revenue Manual (IRM) and approved by an appropriate level of management." In March 2017, IRS issued interim guidance communicating the new objective, which was sent to Examination Directors. The guidance and objective were also posted on the IRweb, which is available to all IRS employees. IRS officials said that the interim guidance is considered final until it can be incorporated into the IRM, which should be done within 2 years of when the interim guidance is issued. We are awaiting IRS's response to a related recommendation on developing a measure for this selection objective before deciding to close this recommendation.
    Recommendation: To help ensure that SB/SE's audit selection objective(s) on fairness are used and met, the Commissioner of Internal Revenue should develop, document, and implement related performance measures that would allow SB/SE to determine how well the selection of returns for audit meets the new objective(s).

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to develop, document, and implement additional performance measures if new objectives related to fair return selection were implemented. In March 2017, IRS developed a new objective on fair return selection. In April 2017, IRS officials said that they were working on performance measures related to the new objective on fair return selection. They plan to meet with GAO in 1-2 months to obtain our feedback on the measures.
    Recommendation: To help ensure that SB/SE's audit selection objective(s) on fairness are used and met, the Commissioner of Internal Revenue should incorporate the new objective(s) for fair return selection into the SB/SE risk management system to help identify and analyze potential risks to fair selections.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to consider any new objectives related to fair return selection within SB/SE's current risk management process framework. In March and April 2017, SB/SE developed a tool (RAFT) to include the fair selection objective (and related activities) into its risk register, which is monitored quarterly. IRS provided documentation from the Exam Risk Council meeting that they have discussed and assessed these risks. IRS is still working on documentation to show they are addressing our recommendations and the associated risks. IRS officials said the documentation is due in August 2017.
    Recommendation: The Commissioner of Internal Revenue should develop and implement consistent documentation requirements to clarify the reasons for selecting a return for audit and who reviewed and approved the selection decision.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to evaluate the need to improve its documentation of return selection decisions and the review and approval process. In March 2017, various IRS functions completed templates showing the current status of return selection documentation requirements. As a result, they found that they could improve the consistency and clarity in documentation, approval and review requirements across workstreams by clearly defining procedures and ensuring they are formally documented in the IRM. The Director of Exam Case Selection issued a memo directing that documentation requirements be made consistent in the IRM. IRS officials said that revised documentation requirements are due in August 2017, with IRM incorporation at a later date.
    Recommendation: The Commissioner of Internal Revenue should develop, document, and implement monitoring procedures to ensure that decisions made and coding used to select returns for audit are appropriate.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS agreed to review its current procedures for monitoring return selection decisions and coding used to select returns. In April 2017, IRS officials provided documentation showing they had reviewed campus examination selection dollar thresholds and campus source code definitions. They found that improvements could be made in clarifying source code definitions and reviewing dollar thresholds used to categorize and select, respectively, returns for examination. IRS has issued an IRM procedural update to implement these changes. During our meeting with IRS, we clarified that our recommendation covered monitoring selection decisions more broadly, which IRS acknowledged. Officials said that additional documentation on monitoring selection decisions will be due by August 2017.
    Director: Seto Bagdoyan
    Phone: (202) 512-6722

    1 open recommendation
    Recommendation: To help preserve a proven resource supporting the oversight community's analytic capabilities, Congress may wish to consider directing CIGIE to develop a legislative proposal to reconstitute the essential capabilities of the ROC to help ensure federal spending accountability. The proposal should identify a range of options at varying scales for the cost of analytic tools, personnel, and necessary funding, as well as any additional authority CIGIE may need to ensure such enduring, robust analytical and investigative capability for the oversight community.

    Agency: Congress
    Status: Open

    Comments: When we determine what steps Congress has taken, we will provide updated information.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    4 open recommendations
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should ensure related goals are defined to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) and the Department of Veterans Affairs (VA) are working to define goals to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems. Specifically, according to the DOD/VA Interagency Program Office (IPO), the office, in conjunction with the departments, has employed use cases in the Joint Interoperability Plan to define the interoperability-related goal areas, which are to be used as the basis for the development of outcome-oriented metrics, assessments, and reporting. The departments, the IPO, and workgroups within the Health Executive Committee's data sharing areas have focused on the feasibility and development of metrics aligned to six use cases as they relate to electronic health record interoperability between DOD and VA and outcomes to service members, veterans, and healthcare providers. The IPO reports that the work to establish these goals will be completed by December 2017. GAO will continue to review the results of these efforts.
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should ensure related goals are defined to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs (VA) and the Department of Defense (DOD) are working to define goals to provide a basis for assessing and reporting on the status of interoperability-related activities and the extent to which interoperability is being achieved by the departments' modernized electronic health record systems. Specifically, according to the DOD/VA Interagency Program Office (IPO), the office, in conjunction with the departments, has employed use cases in the Joint Interoperability Plan to define the interoperability-related goal areas, which are to be used as the basis for the development of outcome-oriented metrics, assessments, and reporting. The departments, the IPO, and workgroups within the Health Executive Committee's data sharing areas have focused on the feasibility and development of metrics aligned to six use cases as they relate to electronic health record interoperability between VA and DOD and outcomes to service members, veterans, and healthcare providers. The IPO reports that the work to establish these goals will be completed by December 2017. GAO will continue to review the results of these efforts.
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should update IPO guidance to reflect the metrics and goals identified.

    Agency: Department of Defense
    Status: Open

    Comments: According to the Department of Defense (DOD)/Department of Veterans Affairs (VA) Interagency Program Office (IPO), the office has issued an update to the Health Data Interoperability Management Plan that documents the IPO's role and outlines governance for supporting interoperability between the departments. The IPO is also in the process of updating additional guidance to describe the benefits of interoperability and reflect associated outcome-oriented metrics and goals. Specifically, IPO officials reported that the IPO's Joint Interoperability Plan is transitioning to the Joint Interoperability Strategic Plan and is expected to be finalized in November 2017. GAO will review this guidance once it is approved by DOD and VA.
    Recommendation: To facilitate oversight and inform decision making regarding their respective department's interoperability-related activities, the Secretaries of Defense and Veterans Affairs, working with the Interagency Program Office, should update IPO guidance to reflect the metrics and goals identified.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: According to the Department of Defense (DOD)/Department of Veterans Affairs (VA) Interagency Program Office (IPO), the office has issued an update to the Health Data Interoperability Management Plan that documents the IPO's role and outlines governance for supporting interoperability between the departments. The IPO is also in the process of updating additional guidance to describe the benefits of interoperability and reflect associated outcome-oriented metrics and goals. Specifically, IPO officials reported that the IPO's Joint Interoperability Plan is transitioning to the Joint Interoperability Strategic Plan and is expected to be finalized in November 2017. GAO will review this guidance once it is approved by VA and DOD.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to establish and implement an improvement plan to guide the agency in adopting recognized best practices and following agency policy.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA developed a Strategic IT Roadmap to assist the agency's business and IT leadership in prioritizing IT investments. In addition, FSA stated that it will develop and document a comprehensive improvement plan that is to delineate tactical steps, timelines, and performance metrics to track incremental progress in adopting recognized best practices and program management capabilities. We will continue to monitor the agency's progress in documenting and implementing its improvement plan.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in developing and managing system requirements before proceeding with any further system development to deliver previously envisioned MIDAS functionality. Specifically, the Administrator should ensure that requirements are complete, unambiguous, and prioritized; commitment to requirements is obtained through a formal requirements baseline; differences (or gaps) between the requirements and capabilities of the intended solution (including commercial off-the-shelf solutions) are analyzed; strategies to address any gaps are developed; and requirements are traced forward and backward among development products.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA reported that it will improve the rigor and adherence to requirements management processes for all IT projects, utilizing processes and tools that will support the integrity of the requirements throughout the lifecycle, to ensure that requirements are complete, formally baselined, gaps are analyzed, and fully traceable forward and backward. FSA also noted that it is pursuing an enhanced, more comprehensive governance structure that will further support its commitment to increasing rigor and adherence to defined requirements management processes. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in planning and monitoring projects. Specifically, the Administrator should ensure that project plans include predefined expectations for cost, schedule, and deliverables before proceeding with any further system development; updates to the project plan are made through change control processes; and progress against the project plan, including work performed by contractors, is monitored.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA noted that it began an initiative to improve the agency's use of capital planning guidance from the Office of Management and Budget and would prepare corrective action plans to address identified weaknesses in fiscal year 2016. FSA also noted that it was conducting a series of training classes on capital planning and IT project management across the agency, developing a risk management program, and strengthening the use of earned value management. We will continue to monitor the agency's progress on its project planning efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in system testing. Specifically, the Administrator should establish well-defined test plans before proceeding with any further system development, and ensure that testing of (a) individual system components, (b) the integration of system components, and (c) the end-to-end system are conducted.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that going forward the agency will adhere to recognized best practices and agency policy in pursuing consistent or increased rigor around system testing. The agency noted that it plans to demonstrate that its testing capabilities are consistent and repeatable across all FSA IT projects. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in executive-level IT governance before proceeding with any further system development. Specifically, an executive-level governance board should (1) review and approve a comprehensive business case that includes a life cycle cost estimate, a cost-benefit analysis, and an analysis of alternatives for proposed solutions that are to provide former MIDAS requirements prior to their implementation; (2) ensure that any programs that are to accommodate former MIDAS requirements are fully implementing the IT program management disciplines and practices identified in this report; (3) conduct a post-implementation review and document lessons learned for the MIDAS investment; and (4) reassess the viability of the MIDAS technical solution before investing in further modernization technologies.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that, as part of its organizational transformation efforts, the CIO is evaluating its governance structure and updating the charter for the agency-wide IT investment review board with the support of the agency's Executive Leadership Council. FSA also noted that it will adhere to the department's governance framework and processes. We will continue to monitor the agency's implementation of these efforts and how they address our recommendation.
    Director: Clark, Cheryl E
    Phone: (202) 512-9377

    6 open recommendations
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to develop and implement agency-wide procedures to routinely monitor the accuracy of penalties recorded in taxpayer accounts to timely detect and correct errors.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During fiscal year 2015, IRS conducted a trial quality review to evaluate the accuracy of penalty assessments recorded in a sample of taxpayer accounts and took action to address the errors it identified. Based on its trial review, IRS developed procedures for performing this type of review in June 2016 and informed us that it would formalize procedures in the IRM to include routine monitoring and testing of the accuracy of penalty assessments in taxpayer accounts. However, as of September 30, 2016, IRS had not implemented these procedures or documented them in the IRM. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine the reason(s) why taxpayer assistance centers (TAC) managers and personnel did not consistently comply with existing Internal Revenue Manual (IRM) requirements that TAC managers and personnel (1) perform and document reviews of the Follow-Up Review Log by the last day of the following month, (2) maintain control copies of transmittal forms, and (3) ship taxpayer receipts and information via traceable overnight mail and, based on this determination, establish a process to better enforce compliance with these requirements.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that it has performed a study of the causes of noncompliance with the IRM requirements and will complete all related corrective actions by May 2017. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should update the IRM to require managers to reconcile transmittal forms with the Follow-Up Review Log to reasonably assure that personnel are properly entering transmittal forms into the log and are appropriately documenting follow-up on unacknowledged transmittals of taxpayer receipts and information.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: While IRS updated the IRM in April 2016 to require TAC managers to (1) perform a semiannual reconciliation of document transmittal forms to the associated Follow-Up Review Log to monitor employee compliance with IRM requirements and (2) document this reconciliation on Form 14698, Field Assistance Taxpayer Assistance Centers Remittance and Non-Remittance Log Reconciliation, our fiscal year 2016 audit testing identified instances where the use of the form was not fully implemented at the TACs we visited. Further, we continued to identify instances where TAC employees did not always (1) track document transmittals on the Follow-up Review Log and (2) follow up on late acknowledgments timely. In one instance, we found that TAC personnel did not document on the log the actions that were taken for a package that was lost; however, the manager had completed a review of the Follow-up Review Log. We will continue to evaluate the results of IRS's corrective actions during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish a process to ensure that the requirement for unauthorized access awareness training is explicitly communicated to non-IRS contractors who have unescorted access to IRS facilities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will partner with FPS and GSA to establish a process to help ensure that all contractors who require unescorted access are first approved for interim or final staff-like access and complete mandatory information protection and security awareness training within 10 business days of approved staff-like access. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish procedures to monitor whether non-IRS contractors with unescorted physical access to IRS facilities are receiving unauthorized access awareness training.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will send out a communication to its FMSS field offices that will include SOPs for monitoring training and acquiring unauthorized access awareness training documentation for each non-IRS contract employee. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine why staff did not consistently comply with IRS's existing requirements for the final candling of receipts at service center campuses and lockbox banks, including logging remittances found during final candling on the final candling log at the time of discovery, safeguarding the remittances at the time of discovery, transferring the remittances to the deposit unit promptly, and passing one envelope at a time over the light source, and based on this determination, establish a process to better enforce compliance with these requirements.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will identify and analyze the risks associated with candling at the SCCs and lockbox banks, along with any mitigating factors, to determine if further actions are warranted. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Michael J. Sullivan
    Phone: (202) 512-4841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: As DOD plans to significantly increase F-35 procurement funding over the next 5 years, the Secretary of Defense should conduct an affordability analysis of the program's current procurement plan that reflects various assumptions about future technical progress and funding availability.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: In October 2016, DOD had undertaken multiple efforts to re-evaluate the F-35 warfighting requirements. The Deputy Secretary of Defense issued a memo in May 2016 to the congressional defense committees that revalidated the program's current procurement profile. However, the memo noted that there were a number of factors that will need to be analyzed to fully re-evaluate the F-35 warfighting requirements including production and sustainment costs, force structure, and DOD's ability to achieve strategic and operational objectives under its current plans. As of May 2017, the Department was in the process of conducting an affordability analysis and preparing a final response. The final response is expected to be completed in the summer of 2017.
    Director: David Powner
    Phone: (202) 512-9286

    8 open recommendations
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of Agriculture
    Status: Open

    Comments: We are in the process of reviewing agency documentation and waiting for additional supporting documentation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of the Treasury
    Status: Open

    Comments: We contacted the agency and are awaiting its response on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of State
    Status: Open

    Comments: The Department of State established a requirement for completing a cloud computing service alternatives analysis for all new projects, and that existing IT projects be evaluated for the viability to migrate to a cloud computing environment. Further, the department established key factors for consideration when selecting applications for migration to a cloud environment. However, State has not yet evaluated a majority of its IT investments for cloud alternatives. The department said it plans to complete evaluations for some of these investments by the end of FY2017, but has not yet established plans to evaluate over a third of its investments.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Small Business Administration
    Status: Open

    Comments: We are waiting for a response from SBA on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of Agriculture
    Status: Open

    Comments: We are waiting for additional department documentation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of the Treasury
    Status: Open

    Comments: We are waiting for a response from the department on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of State
    Status: Open

    Comments: The Department of State established a requirement for completing a cloud computing service alternatives analysis for all new projects, and that existing IT projects be evaluated for viability to migrate to a cloud computing environment. Further, the department established key factors for consideration when selecting applications for migration to a cloud environment. However, the department has not yet established evaluation dates for the vast majority of the investments that have not been assessed for migration to the cloud. Specifically, the department plans to complete evaluations for some of these investments by the end of fiscal year 2017, but does not plan to do so for most of them.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Small Business Administration
    Status: Open

    Comments: We are waiting for a response from the department on the status of efforts to implement this recommendation.
    Director: Cary Russell
    Phone: (202) 512-5431

    6 open recommendations
    including 1 priority recommendation
    Recommendation: To help DOD develop an affordable sustainment strategy for the F-35, the Secretary of Defense should direct the Under Secretary of Defense for Acquisitions, Technology and Logistics to direct the F-35 Program Executive Officer to establish affordability constraints linked to, and informed by, military service budgets that will help guide sustainment decisions, prioritize requirements, and identify additional areas for savings by March 2015, at which point the Future Support Construct decision will be approved.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendation and stated in April 2017 that the F-35 Program Executive Officer and the F-35 enterprise have expanded their collaborative effort to reduce F-35 operating and support (O&S) costs to ensure that they deliver affordable readiness for the F-35 fleet. In an effort to reduce overall O&S costs, the department has undertaken several initiatives. For example, according to DOD, as of January 2017, a program office "cost war room" initiative had reduced the 2012 F-35 annual cost estimate by $60.7 billion. Additionally, according to DOD, a Reliability and Maintainability Improvement Program has resulted in a $1.7 billion O&S cost avoidance through the program's life cycle. Other efforts are also under way that aim to help reduce O&S costs by better informing sustainment decision-making. While the department is taking steps to try to reduce overall O&S costs, the program has yet to develop affordability constraints linked to the military services' budgets. Without affordability constraints that are linked to military service budgets, it remains unclear the extent to which the military services can afford to operate and sustain the F-35 throughout its life cycle as currently planned.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to enable DOD to better identify, address, and mitigate performance issues with the Autonomic Logistics Information System (ALIS) that could have an effect on affordability, as well as readiness, to establish a performance-measurement process for ALIS that includes, but is not limited to, performance metrics and targets that (1) are based on intended behavior of the system in actual operations and (2) tie system performance to user requirements.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the ALIS Integrated Product Team (IPT) is continuing to work with the Joint Program Office's Performance Based Logistics (PBL) team to further develop and refine appropriate metrics for inclusion into future sustainment contracts. Although DOD has made progress in developing performance metrics for ALIS, as of September 2017, DOD has yet to develop metrics that are based on intended behavior of the system and tie system performance to user requirements. Until this progression is made, this recommendation will remain open.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to develop a high level of confidence that the aircraft will achieve its R+M goals, to develop a software reliability and maintainability (R+M) assessment process, with metrics, by which the program can monitor and determine the effect that software issues may have on overall F-35 R+M issues.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has an R&M assessment process in place, but as of September 2017, had not developed a process that would focus directly on software reliability and maintainability. Until DOD develops a process more focused on software and its effects on overall R&M issues, this recommendation will remain open.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to promote competition, address affordability, and inform its overarching sustainment strategy, to develop a long-term Intellectual Property (IP) Strategy to include, but not be limited to, the identification of (1) current levels of technical data rights ownership by the federal government and (2) all critical technical data needs and their associated costs.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has still not developed an overall strategy that would identify data rights ownership, needs, and costs. As of September 2017, the program had taken some steps to develop an Intellectual Property Strategy, but has not identified all critical needs and their associated costs. Program office officials said that they are currently working with the prime contractor to develop a list of technical data requirements. Until this strategy is developed, this recommendation will remain open.
    Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to understand the potential range of costs associated with the JPO F-35 O&S cost estimate, to conduct uncertainty analyses on future JPO estimates.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD had not applied risk/uncertainty analyses to its cost estimates. Until it does so, this recommendation will remain open.
    Recommendation: To improve the reliability of the CAPE F-35 O&S cost estimate, the Secretary of Defense should direct the Director of CAPE, for future F-35 O&S cost estimates, to conduct uncertainty analyses to understand the potential range of costs associated with its estimates to reflect the most likely costs associated with the program.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the Cost Assessment and Program Evaluation (CAPE) has not updated its F-35 estimate subsequent to the release of GAO-14-778. Pending a major program change, CAPE will update the F-35 O&S estimate for the full-rate production decision point in the second quarter of fiscal year 2019. Until CAPE updates its F-35 estimate, we will not be able to determine if they will perform any uncertainty analyses on its cost estimate; therefore, this recommendation will remain open as of September 1, 2017.
    Director: Brian J. Lepore
    Phone: (202) 512-4523

    2 open recommendations
    Recommendation: To better enable NCA to meet its mission of providing reasonable access to burial options at veterans cemeteries, the Secretary of Veterans Affairs should direct the Under Secretary for Memorial Affairs to use the capability of NCA's existing software to estimate the served and unserved veteran populations using census tract data.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: On Nov 12, 2014, VA provided an update on the actions taken in response to the recommendation contained in "VETERANS AFFAIRS: Data Needed to Help Improve Decisions Concerning Veterans' Access to Burial Options" (GAO-14-537) released to the Department, September 9, 2014. In its letter, VA noted that it non-concurred with this recommendation, and identified no actions being taken.
    Recommendation: To better enable NCA to meet its mission of providing reasonable access to burial options at veterans cemeteries, the Secretary of Veterans Affairs should direct the Under Secretary for Memorial Affairs to develop and implement a plan to fully address all the elements required by the Consolidated and Further Continuing Appropriations Act, 2013, in VA's Rural Veteran Burial Access Strategy, including the estimated number and location of unserved veterans and a national map of cemeteries.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: On Nov 12, 2014, VA provided an update on the progress it has made in implementing this recommendation, contained in "VETERANS AFFAIRS: Data Needed to Help Improve Decisions Concerning Veterans' Access to Burial Options" (GAO-14-537) released to the Department, September 9, 2014. VA stated that, as previously reported in its response to VA's Office of Inspector General recommendations, the National Cemetery Administration (NCA) is developing a methodology to identify Veterans living in rural areas. VA also stated that NCA was in the process of establishing a new database intended to enable analysis of Veteran demographics at the county, state, regional, and national levels, including identifying each county in the country as either being served (within the 75-mile service area) or unserved by a VA national or VA-funded state Veterans cemetery and the specific cemeteries that provide service to each served county. In its November 2014 response to GAO, VA stated that NCA had completed the development of the new database and was able to produce a preliminary national map. VA stated that NCA management and staff were in the process of validating the accuracy of the information in the database, and that NCA expected to complete that process by the end of the second quarter of FY 2015. After that point, VA stated that it believed that NCA would then be able to publish the national map and address the other remaining elements required by the Consolidated and Further Continuing Appropriations Act, 2013.
    Director: James R. White
    Phone: (202) 512-9110

    3 open recommendations
    Recommendation: Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing of W-2s from 250 returns annually to between 5 to 10 returns, as appropriate.

    Agency: Congress
    Status: Open

    Comments: As of March 2017, no legislative action identified. Lowering the threshold would help IRS prevent identity theft refund fraud by enhancing its ability to verify the employment information reported on tax returns before issuing refunds. Additionally, lowering the threshold would reduce the Social Security Administration's administrative costs of processing W-2 information.
    Recommendation: To provide timely, accurate, and actionable feedback to all relevant lead-generating third parties, the Commissioner of Internal Revenue should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends (pursuant to section 6103 restrictions).

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, IRS had taken steps to address GAO's August 2014 recommendation, including developing timeliness metrics for managing leads and holding six feedback sessions with financial institutions participating in the External Leads Program, but had not provided GAO with documentation that the agency is providing meaningful feedback to external parties. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In August 2016, an industry group representing financial institutions reported that IRS had not begun providing meaningful feedback to financial institutions that are providing leads to IRS. In March 2017, IRS officials told us they were holding more frequent, monthly, feedback sessions with financial institutions. GAO will follow up with financial institutions to understand the extent to which IRS's feedback has been timely and is actionable. Without accurate, timely, and actionable feedback, the more than 600 external parties participating in the External Leads Program do not know if the leads they provide to IRS are useful and they may not be able to assess their success in identifying IDT refund fraud or improve their detection tools.
    Recommendation: To provide timely, accurate, and actionable feedback to all relevant lead-generating third parties, the Commissioner of Internal Revenue should develop a set of metrics to track external leads by the submitting third party.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, IRS had taken steps to address GAO's August 2014 recommendation, including developing timeliness metrics for managing leads and holding six feedback sessions with financial institutions participating in the External Leads Program, but had not provided GAO with documentation that the agency is providing meaningful feedback to external parties. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In August 2016, an industry group representing financial institutions reported that IRS had not begun providing meaningful feedback to financial institutions that are providing leads to IRS. In March 2017, IRS officials told us they were holding more frequent, monthly, feedback sessions with financial institutions. GAO will follow up with financial institutions to understand the extent to which IRS's feedback has been timely and is actionable. Without accurate, timely, and actionable feedback, the more than 600 external parties participating in the External Leads Program do not know if the leads they provide to IRS are useful and they may not be able to assess their success in identifying IDT refund fraud or improve their detection tools.
    Director: Frank Rusco
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To provide greater assurance that DOE is effectively monitoring its loans, the Secretary of Energy should direct the Executive Director of the Loan Programs Office to fully develop its organizational structure by staffing key monitoring positions.

    Agency: Department of Energy
    Status: Open

    Comments: As of April 2017, while the Loan Programs Office (LPO) had made some progress in filling key monitoring positions, several vacancies in the leadership of the Special Assets and Risk Management Divisions remained. LPO officials noted they were unlikely to fill any of these staffing vacancies given budget and program uncertainties.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: To improve DOD's ability to ensure it is fully leveraging investments made in canceled programs, the Secretary of Defense should direct the Office of Acquisition, Technology, and Logistics to develop department-wide processes to improve tracking of assets, including technical data and software, and dissemination of information about assets available for reuse after programs are canceled.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD has not provided evidence of any processes that could improve tracking of assets such as technical data and software.
    Director: Thomas Melito
    Phone: (202) 512-9601

    4 open recommendations
    Recommendation: To improve the efficiency and accountability of the emergency food aid procurement process, the Secretary of Agriculture and Administrator of USAID should direct their staffs to work together to take steps to improve USDA's ability to account for U.S. government funds by ensuring that USAID provides USDA with accurate prepositioned commodity inventory data that USDA can independently verify.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of May 2017, according to USDA officials, they are aware that USAID is working on a Statement of Work for a system to track prepositioned commodity inventory data.
    Recommendation: To improve the efficiency and accountability of the emergency food aid procurement process, the Secretary of Agriculture and Administrator of USAID should direct their staffs to work together to take steps to improve USDA's ability to account for U.S. government funds by ensuring that USAID provides USDA with accurate prepositioned commodity inventory data that USDA can independently verify.

    Agency: United States Agency for International Development
    Status: Open

    Comments: As of May 2017, USAID plans to have a contract to develop a system to track prepositioned commodity inventory data by the end of fiscal year 2017.
    Recommendation: To improve the efficiency and accountability of the emergency food aid procurement process, the Secretary of Agriculture and Administrator of USAID should direct their staffs to work together to take steps to assess WBSCM's functionality by testing the international procurement functions that have been modified since April 2011 and documenting the results.

    Agency: Department of Agriculture
    Status: Open

    Comments: As of May 2017, USDA has held multiple meetings with USAID as part of its Business Management Improvement initiative, to assess Web Based Supply Chain Management's (WBSCM) functionality and test the international procurement functions, and has documented some of the results of some of those meetings.
    Recommendation: To improve the efficiency and accountability of the emergency food aid procurement process, the Secretary of Agriculture and Administrator of USAID should direct their staffs to work together to take steps to assess WBSCM's functionality by testing the international procurement functions that have been modified since April 2011 and documenting the results.

    Agency: United States Agency for International Development
    Status: Open

    Comments: As of May 2017, USAID has participated in multiple meetings with USDA to assess Web Based Supply Chain Management's (WBSCM) functionality and test the international procurement functions, and is gathering documentation from this process. According to USAID officials, they plan to submit documentation to GAO to close this recommendation by the end of fiscal year 2017.
    Director: Zina Merritt
    Phone: (202) 512-5257

    1 open recommendation
    Recommendation: To provide greater assurance of the accuracy of manpower requirements reports produced by AWPS for use at Army industrial sites, the Secretary of the Army should direct AMC--with assistance as needed from USAMAA--to submit AWPS to USAMAA for review and validation as a manpower requirements determination tool, in accordance with Army regulations.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: In commenting on the final report, the Army concurred and stated that AWPS was developed to address deficiencies in the Army's manpower requirements determination process by capturing and using the actual hours of the work performed in previous periods to project future requirements. The Army also stated that an integrated AWPS/LMP solution may result in a different manpower predictive tool that must be validated through USAMAA, and that it is important the Army focus on developing a business case analysis to include AWPS functionality into the Army's enterprise resource planning systems. In December 2014, the Under Secretary of the Army directed the Commanding General, AMC, to complete the overlap assessment between AWPS and LMP and to submit the approved manpower requirements determination approach to USAMAA for validation. In November 2015, the Army reported that AMC will not submit AWPS to USAMAA for review and validation because additional funding would be needed to modify AWPS to meet USAMAA requirements for a manpower requirements determination tool, and AMC decided not to make those modifications. Furthermore, the Army also reported that, based on its overlap assessment of AWPS and LMP, it plans to integrate AWPS functionality into LMP. Specifically, the Army plans to migrate all AWPS functions related to the collection and reporting of manpower resources executed in support of approved work at the AMC industrial base sites. As of March 2017, Army officials confirmed that the Army will not submit AWPS to USAMAA for review and validation, and that preparations for integrating AWPS functionality into LMP are ongoing.
    Director: David Gootnick
    Phone: (202) 512-3149

    1 open recommendation
    Recommendation: To improve policymakers' and the public's understanding of progress through bilateral dialogues in increasing access to China's markets, the U.S. Trade Representative, in conjunction with the Secretary of Commerce and the Secretary of the Treasury, should work to provide clearer and more comprehensive reporting on the status of China's implementation of its JCCT and S&ED trade and investment commitments. This reporting should include more complete information on the status of implementation of these commitments, as well as a more clearly identified source for consolidated information, which could be an existing report.

    Agency: Executive Office of the President: Office of the U.S. Trade Representative
    Status: Open

    Comments: USTR has taken steps to implement this recommendation, but additional information on the status of specific commitments would further improve understanding of progress in these bilateral dialogues. USTR made changes to the Chinese trade barriers reporting in its 2014 National Trade Estimate Report on Foreign Trade Barriers (NTE report) to align more closely with other Congressional reports prepared by USTR on related issues. USTR also provided updated information in that NTE report on China's compliance with a commitment that had not been reported on in earlier reports. Further, USTR identified the Report to Congress on China's WTO Compliance as the one report among the various annual reports prepared by USTR that provides comprehensive information on the status of the trade and investment commitments that China has made through the U.S.-China Joint Commission on Commerce and Trade (JCCT) and the U.S.-China Strategic and Economic Dialogue (S&ED). As of July 2017, GAO is continuing to track agency progress in reporting on these commitments.
    Director: Garcia-diaz, Daniel
    Phone: (202) 512-3841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To further improve agency controls that help prevent payments to participants whose incomes exceed eligibility limits, the Secretary of Agriculture should direct the Administrator of FSA to implement a process to verify that accountants' and attorneys' statements accurately reflect participants' incomes as reported on income tax returns and supporting documentation or other equivalent documents.

    Agency: Department of Agriculture
    Status: Open
    Priority recommendation

    Comments: The Department agreed with this recommendation at the time of our report but, as of April 2017, has not acted to implement it because of the sensitive nature of questioning accountants' and attorneys' professional judgement. However, we believe doing so would reduce the likelihood of improper payments supported by U.S. taxpayers and would be an appropriate action for the agency to take.
    Director: White, James R
    Phone: (202) 512-5594

    1 open recommendation
    Recommendation: To increase the effectiveness of IRS's examinations of individual tax returns, the Commissioner of Internal Revenue should transcribe data from paper-filed Form 1040 Schedules C and E that are not currently transcribed and make that data available to SB/SE examiners for classification. If IRS has evidence that the costs related to transcribing all such data on Schedules C and E are prohibitive, IRS could do one or both of the following actions: (1) transcribe less data by transcribing only the missing data for selected line items, such as certain, large expense line items, or (2) develop a budget proposal to fund an initiative for transcribing Schedule C and E.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, IRS had completed its study on whether to transcribe more data from paper-filed returns by comparing the benefits to classifying tax returns for audit from doing this transcription. They said the benefits to be derived from additional transcription are not significant and would not outweigh the added cost. However, IRS has not provided specific information about the costs and benefits from transcribing information from Schedules C and E that we mentioned in our recommendation. Having more data transcribed and electronically available from these areas likely will improve the classification of audits as well as the quality of the audits, according to examiners we spoke with for the report.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update policies and procedures to ensure that they address (1) both methods available for granting all users access to mainframe resources, (2) audit and monitoring of access from one processing environment to another, (3) use of appropriate accounts by multiple databases on a single server, (4) data storage shared between systems, (5) out-of-date security standards, and (6) reconciliation of access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update mainframe test and evaluation processes to improve periodic monitoring of compliance with IRS policies.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.