Skip to main content
.
Share with LinkedInShare with TwitterShare with facebook

Highlights

What GAO Found

Congress and executive agencies have made substantial progress addressing high-risk issues since the previous High-Risk List update in 2021. Sixteen of 34 high-risk areas improved since 2021. This is the most progress in the 8 years since GAO started rating high-risk areas. Two of the 16 areas are being removed from the list: Pension Benefit Guaranty Corporation (PBGC) Insurance Programs and the 2020 Decennial Census. Since our last update, there were approximately $100 billion in financial benefits due to improvements in high-risk areas.

Changes to the High-Risk List Since 2021

The PBGC Insurance Programs area is being removed because Congress provided funding to troubled multiemployer pension plans, which has led to an improved financial position for the PBGC multiemployer insurance program. Additionally, the financial position of the PBGC single-employer insurance program has improved gradually in recent years. PBGC now projects a very low risk of insolvency over the next 15 years for both programs. GAO will continue to monitor the funds.

The 2020 Decennial Census is being removed because the Census Bureau made progress in addressing data quality concerns, chartered a high-level governance group, and implemented priority recommendations. GAO will monitor 2030 Census planning—already underway—for emerging risks and challenges.

GAO is adding one new area to the 2023 High-Risk List: Strengthening Management of the Federal Prison System. This area is being added, in part, due to Bureau of Prisons' (BOP) longstanding challenges managing staff and resources, and planning and evaluating programs that help incarcerated people have a successful return to the community.

In 2022, GAO added two other areas to the High-Risk List.The Department of Health and Human Services’ (HHS) Leadership and Coordination of Public Health Emergencies area was added because, for more than a decade, GAO has found persistent deficiencies in HHS’s leadership role preparing for and responding to public health emergencies and extreme weather events. GAO added the Unemployment Insurance System area because administrative and program integrity challenges in the joint federal-state program have affected the system’s ability to meet the needs of unemployed workers. These challenges also expose the system to significant financial losses.

.

GAO’s 2023 High-Risk List

High-risk area

Change since 2021

Strengthening the Foundation for Efficiency and Effectiveness

Strategic Human Capital Management

Managing Federal Real Property

Funding the Nation’s Surface Transportation Systema, b

n/a

Modernizing the U.S. Financial Regulatory Systema

Resolving the Federal Role in Housing Financea

USPS Financial Viabilitya

Management of Federal Oil and Gas Resources

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risksa

Improving the Management of IT Acquisitions and Operations

Improving Federal Management of Programs that Serve Tribes and Their Members

U.S. Government’s Environmental Liabilitya

Emergency Loans for Small Businessesc

n/a

Strengthening Management of the Federal Prison System (new)b

n/a

Transforming DOD Program Management

DOD Weapon Systems Acquisition

DOD Financial Management

DOD Business Systems Modernization

DOD Approach to Business Transformation

Ensuring Public Safety and Security

Ensuring the Cybersecurity of the Nationa

Strengthening Department of Homeland Security IT and Financial Management Functions

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Improving Federal Oversight of Food Safetya

Protecting Public Health through Enhanced Oversight of Medical Products

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

Government-wide Personnel Security Clearance Process

National Efforts to Prevent, Respond to, and Recover from Drug Misusec

n/a

HHS Leadership and Coordination of Public Health Emergencies (new in 2022)b

n/a

Managing Federal Contracting More Effectively

Acquisition and Program Management for DOE’s National Nuclear Security Administration and Office of Environmental Management

NASA Acquisition Management

DOD Contract Management

VA Acquisition Management

Assessing the Efficiency and Effectiveness of Tax Law Administration

Enforcement of Tax Lawsa

Modernizing and Safeguarding Insurance and Benefit Programs

Medicare Program and Improper Payments

Strengthening Medicaid Program Integritya

Improving and Modernizing Federal Disability Programs

National Flood Insurance Programa

Managing Risks and Improving VA Health Care

Unemployment Insurance System (new in 2022)b

n/a

Legend: indicates area progressed on one or more criteria since 2021; indicates area declined on one or more criteria; ● indicates no change; n/a = not applicable
Source: GAO. | GAO-23-106203

aLegislation is likely to be necessary to effectively address this high-risk area.bNot rated because this high-risk area is newly added or primarily involves congressional action.cRated for the first time because this high-risk area was newly added in 2021.

Why GAO Did This Study

The federal government is one of the world’s largest and most complex entities. About $6.3 trillion in outlays in fiscal year 2022 funded a broad array of programs and operations. GAO’s High-Risk Series identifies government operations with vulnerabilities to fraud, waste, abuse, and mismanagement, or in need of transformation.

This biennial update describes the status of high-risk areas, outlines actions that are needed to assure further progress, and identifies new high-risk areas needing attention by the executive branch and Congress.

Lasting solutions to high-risk problems save billions of dollars, improve service to the public, and strengthen government performance and accountability. In the past 17 years, financial benefits totaled $675 billion.

GAO uses five criteria to assess progress in addressing high-risk areas: (1) leadership commitment; (2) agency capacity; (3) an action plan; (4) monitoring efforts; and (5) demonstrated progress.

What GAO Recommends

Executive branch agencies need to address hundreds of open GAO recommendations to bring about lasting solutions to the 37 remaining high-risk areas. Continued congressional oversight is essential to achieve greater progress and legislation is needed in some cases.

Introduction 


Since the early 1990s, our high-risk program has focused attention on government operations with greater vulnerabilities to fraud, waste, abuse, and mismanagement, or that are in need of transformation to address economy, efficiency, or effectiveness challenges. This effort, supported by the Senate Committee on Homeland Security and Governmental Affairs and by the House of Representatives Committee on Oversight and Accountability, has brought much needed attention to problems impeding effective government and costing billions of dollars each year.

Congressional attention and oversight to improve the management and accountability of government are at the core of the high-risk program. Congressional action, such as passing laws and holding hearings, plays a critical role in making meaningful progress on high-risk areas. For example, since our 2021 high-risk update, Congress provided funding to troubled multiemployer pension plans, which has led to an improved financial position for the Pension Benefit Guaranty Corporation (PBGC) multiemployer insurance program.[1] Additionally, the financial position of the PBGC single-employer insurance program has improved gradually in recent years. PBGC now projects no near-term risk of insolvency for either program and we are removing the area from the High-Risk List.

Congress also passed legislation in the 2 years since our last high-risk update that helped make progress on at least eight other high-risk areas, including the U.S. Postal Service’s Financial Viability and Funding the Nation’s Surface Transportation Infrastructure.[2] Additional examples of congressional actions that led to progress are detailed later in this report.

Congressional attention, Office of Management and Budget (OMB) engagement, and federal agencies’ sustained leadership, planning, and execution are key practices for successfully addressing high-risk areas.[3] Such practices have contributed to hundreds of billions of dollars saved since the High-Risk List was established. Further progress to narrow or remove the 37 areas remaining on the High-Risk List can contribute to saving additional billions of dollars, improving services to the public, and enhancing trust in government. These practices align with our criteria for assessing progress in addressing the areas on our High-Risk List:

  • Leadership commitment to initiate and sustain progress;
  • Capacity (i.e., skilled staff, adequate funding, internal controls, technology, and management and organization infrastructure) to resolve key risks;
  • An action plan to define the root causes and solutions and provide an approach for substantially completing corrective measures;
  • Monitoring to help agency leaders track and independently validate effectiveness and sustainability of corrective measures; and
  • Demonstrated progress in implementing corrective measures that address the root causes of high-risk areas.

We are also removing the 2020 Decennial Census from our High-Risk List because of progress the Census Bureau (Bureau) made consistent with our key practices. Bureau leadership collaborated with independent outside entities, developed strategies for dealing with quality concerns, chartered a high-level governance group, and monitored and demonstrated progress to implement our priority recommendations.[4]

Engagement by OMB is also critical to addressing high-risk areas. OMB can lead and support agencies in addressing high-risk issues by monitoring agency efforts, convening working groups for specific management challenges, and coordinating and reviewing relevant regulations and guidance for implementing laws and clarifying executive branch initiatives. Since our 2021 update, OMB’s Deputy Director for Management convened 10 meetings covering 12 high-risk areas with agency and GAO leaders to discuss progress and solutions to high-risk issues. Some examples of the benefits of these meetings are discussed later in this report.

As shown in figure 1, most high-risk areas identified over the years (roughly 53 percent) have either been removed from the list or narrowed in scope. Many others have shown significant progress in other ways, having met or partially met all five criteria for removal.

Figure 1: Progress in High-Risk Areas from 1990 to 2023

Efforts to address high-risk issues have contributed to hundreds of billions of dollars saved. Over the past 17 years (fiscal years 2006 through 2022), these financial benefits totaled nearly $675 billion or an average of about $40 billion per year. Since our last update in 2021, we recorded approximately $100 billion in financial benefits.[5] Progress on high-risk areas has also resulted in many other benefits that cannot be measured in dollar terms, such as improved service to the public and enhanced ability to achieve agency missions.

Substantial additional efforts are needed to achieve greater progress and to address backsliding in some high-risk areas since the 2021 update. Lasting solutions to the federal government’s high-risk problems can potentially save billions of dollars, dramatically improve services to the American public, strengthen public confidence and trust in government performance and accountability, and ensure the federal government’s ability to deliver on promises. Sustained congressional attention and executive branch leadership remain key to success.

This report describes (1) progress made addressing high-risk areas, the reasons for that progress, and the resulting benefits from agency and congressional actions and (2) additional actions that are still needed. We identified one new high-risk area in 2023—Strengthening Management of the Federal Prison System. We added this issue to the list because of challenges related to management of prison staff and resources; planning for new programs or initiatives that help inmates prepare for a successful return to the community; and monitoring and evaluation of inmate programs, which have led to imprudent spending.

This report is based primarily on reports we issued before March 2023.

Executive Summary 

How We Identify and Rate High-Risk Areas

To determine which federal programs and functions should be designated as high-risk, we use our guidance document, Determining Performance and Accountability Challenges and High Risks.[6]

We consider qualitative factors, such as whether the risk

  • involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens’ rights; or
  • could result in significantly impaired service, program failure, injury or loss of life, or significantly reduced economic efficiency or effectiveness.

We also consider the exposure to loss in monetary or other quantitative terms. At a minimum, $1 billion must be at risk in areas such as:

  • the value of major assets being impaired;
  • revenue sources not being realized;
  • major agency assets being lost, stolen, damaged, wasted, or underused;
  • potential for, or evidence of, improper payments;
  • and presence of contingencies or potential liabilities.

Before making a high-risk designation, we also consider corrective measures planned or underway in response to our recommendations or to resolve a material control weakness and the status and effectiveness of these actions.

To make progress on high-risk areas, administration and agency leaders need to provide top-level attention. Congressional action is also needed. Agencies’ actions should be grounded in the five criteria for removal from the High-Risk List. These criteria are summarized in figure 2.

Figure 2: High-Risk Criteria Essential to Addressing High-Risk Areas

We add clarity and specificity to our assessments by rating each high-risk area’s progress on the five criteria and use the following definitions:

Met. Actions have been taken that meet the criterion. There are no significant actions that need to be taken to further address this criterion.

Partially met. Some, but not all, actions necessary to meet the criterion have been met.

Not met. Few, if any, actions toward meeting the criterion have been taken.

Figure 3 shows a visual representation of varying degrees of progress in each of the five criteria for a high-risk area. Each point of the star represents one of the five criteria for removal from the High-Risk List and each ring represents one of the three ratings: not met, partially met, or met.

An unshaded point at the innermost ring means that the criterion has not been met, a partially shaded point at the middle ring means that the criterion has been partially met, and a fully shaded point at the outermost ring means that the criterion has been met. A plus symbol inside the star indicates the rating for that criterion progressed since our last high-risk update. Likewise, a minus symbol inside the star indicates the rating for that criteria declined since our last update.

Figure 3: Illustrative Example of High-Risk Progress Criteria Ratings

Some high-risk areas are made up of segments or subareas. For example, the Managing Federal Real Property high-risk area includes three segments—Excess and Underutilized Property, Data Reliability, and Facility Security—to reflect the three interrelated parts of the overall high-risk area.

Multidimensional high-risk areas such as these have separate ratings for each segment as well as a summary rating that reflects a composite of the ratings. High-risk areas that are primarily based on the need for congressional action are not rated on the criteria and do not receive a star graphic.

Changes to the 2023 High-Risk List

PBGC Insurance Programs Removed from the High-Risk List

We are removing the PBGC Insurance Programs because the financial position for the single-employer and multiemployer programs has improved and the risk of near-term financial insolvency has decreased significantly. PBGC insures the pension benefits of more than 33 million American workers and retirees who participate in about 25,200 private-sector defined benefit plans with about $128 billion in assets.

Provisions in the American Rescue Plan Act of 2021 (ARPA) provided special financial assistance for certain struggling multiemployer plans, which has significantly delayed projected dates of potential insolvency for the multiemployer insurance program.[7] PBGC projects that the mean projected date of multiemployer program insolvency is now fiscal year 2055, compared to fiscal year 2026 in the projections prior to the law’s enactment. Additionally, the financial position of PBGC’s single-employer program has improved gradually in recent years. The single-employer program has maintained a surplus since the end of fiscal year 2018 and has a projected surplus through at least 2031.

While we are removing this area from the High-Risk List, we will continue to monitor the insurance programs’ finances and other issues. Although ARPA led to significantly delaying the projected insolvency date, important issues remain, including inadequate plan funding rules, premiums that do not fully cover the cost of insurance, and underfunded plans sponsored by companies with credit ratings below investment grade. Therefore, we will continue to monitor the financial position of both programs.

2020 Decennial Census Removed from the High-Risk List

We are removing the 2020 Decennial Census area because of significant progress in all high-risk criteria. For example, in October 2022, the Bureau launched an effort led by agency leaders to transform and update operations to address challenges such as declining census response rates. The Bureau has also committed to developing a plan to improve coordination between its field office staff and community organizations to encourage census participation.

The Bureau took significant steps to implement corrective actions for high-risk cybersecurity weaknesses within prescribed time frames. In addition, in March and July 2020, the Bureau updated its decennial risk management plans to include mitigation and contingency plans and key information needed to manage the risks. The Bureau also improved its budget and progress monitoring by implementing a new system to track its cost variances in 2019. The Bureau curbed the past decades’ trend of steadily increasing census cost while implementing the decennial census during the COVID-19 pandemic. In addition, in the spring of 2022, the Bureau began piloting new procedures for aligning costs of exploring its innovations for 2030 within its overall cost framework.

While we are removing the 2020 Decennial Census area from the High-Risk List, we will monitor the Bureau’s planning for the 2030 Census for emerging risks. It remains important that leaders continue to manage cybersecurity risks, improve resiliency of research and testing in the face of budget uncertainty, and make timely IT-related decisions.

We Added Two Areas to the High-Risk List in 2022

In 2022, we added two other areas to our High-Risk List due to significant and long-standing challenges: the Department of Health and Human Services' Leadership and Coordination of Public Health Emergencies[8] and the Unemployment Insurance System.[9]

Strengthening Management of the Federal Prison System Added to the High-Risk List

We are adding a new area—Strengthening Management of the Federal Prison System—to the 2023 High-Risk List. The Bureau of Prisons (BOP) has consistently experienced several leadership changes and longstanding staffing challenges which represent a serious threat to inmate and staff safety. Additionally, BOP has not always demonstrated sound resource stewardship and lacks the necessary data collection and analytic capacity to prepare for disasters that can affect security.

BOP’s plans to manage some of its key inmate rehabilitation programs are limited. In addition, BOP has not evaluated many of its programs for inmates in decades. Effective planning and ongoing evaluations of programs will be essential as BOP continues to implement requirements of the First Step Act of 2018. These include delivering programs that lower inmates’ risk of recidivism and offer opportunities for certain inmates to earn First Step Act time credits that may reduce the amount of time an inmate is in a BOP facility.[10]

The BOP Director expressed her commitment in addressing these issues. In addition to sustaining leadership commitment, BOP needs to address the four other criteria related to capacity, action plan, monitoring, and demonstrating progress. Moving forward, GAO and BOP will agree upon metrics in order to gauge progress.

High-Risk Areas Have Made Progress Overall

Agencies demonstrate progress by addressing our five criteria for removal from the list: leadership commitment, capacity, action plan, monitoring, and demonstrated progress.[11] As shown in table 1, 21 of the high-risk areas, or a little over half, have fully met one or more of the five criteria. Additionally, areas that are not rated because they primarily involve congressional action can also improve subsequent to laws being enacted or Congress holding hearings on these issues. Since 2021, 16 areas improved with two showing sufficient progress to be removed from the High-Risk List. Table 1 shows the rating changes since 2021 for the areas remaining on the list. Changes are indicated by the up and down arrows.

Table 1: 2023 High-Risk Areas Rated against Five Criteria for Removal from GAO’s High-Risk List

High-risk area

Change since 2021 list

Number of criteria

Met

Partially met

Not met

NASA Acquisition Management

4

1

0

National Flood Insurance Program

3

2

0

DOD Approach to Business Transformation

2

3

0

USPS Financial Viability

2

3

0

Acquisition and Program Management for DOE’s National Nuclear Security Administration and Office of Environmental Management

1

4

0

Ensuring the Cybersecurity of the Nation

1

4

0

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

1

4

0

Improving Federal Management of Programs that Serve Tribes and Their Members

1

4

0

VA Acquisition Management

1

4

0

Managing Risks and Improving VA Health Care

0

5

0

Strategic Human Capital Management

1

3

1

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

0

5

0

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

0

4

1

U.S. Government's Environmental Liability

0

2

3

DOD Business Systems Modernization

0

4

1

Strengthening Department of Homeland Security IT and Financial Management Functions

3

2

0

Managing Federal Real Property

2

3

0

Medicare Program & Improper Payments

2

3

0

DOD Contract Management

1

4

0

DOD Financial Management

1

4

0

DOD Weapon Systems Acquisition

1

4

0

Enforcement of Tax Laws

1

4

0

Government-wide Personnel Security Clearance Process

1

4

0

Improving the Management of IT Acquisitions and Operations

1

4

0

Protecting Public Health through Enhanced Oversight of Medical Products

1

4

0

Improving and Modernizing Federal Disability Programs

0

5

0

Management of Federal Oil and Gas Resources

0

5

0

Modernizing the U.S. Financial Regulatory System

0

5

0

Strengthening Medicaid Program Integrity

0

5

0

Resolving the Federal Role in Housing Finance

0

4

1

Improving Federal Oversight of Food Safety

0

3

2

Emergency Loans for Small Businessesa

n/a

1

4

0

National Efforts to Prevent, Respond to, and Recover from Drug Misusea

n/a

0

3

2

Funding the Nation’s Surface Transportation Systemb

n/a

0

0

0

Department of Health and Human Services’ (HHS) Leadership and Coordination of Public Health Emergenciesc

n/a

0

0

0

Unemployment Insurance Systemc

n/a

0

0

0

Strengthening Management of the Federal Prison Systemc

n/a

0

0

0

Legend:
↑: area progressed on one or more criteria since 2021
↓: area declined on one or more criteria since 2021
●: no change in rating since 2021
n/a: not applicable
Source: GAO. | GAO-23-106203

Notes: The 2020 Decennial Census and the Pension Benefit Guaranty Corporation Insurance Programs were removed from the list in 2023 and are not shown in this table.aTwo high-risk areas are receiving ratings for the first time because they were newly added in 2021. bFunding the Nation’s Surface Transportation System is not rated because addressing it primarily involves congressional action. cThree high-risk areas are not rated because they are newly added in 2022 and 2023.

High-Risk Area Ratings and Rating Changes

All 33 high-risk areas remaining on the list and that we rated either met or partially met the leadership criterion.[12] Eighteen areas fully met the leadership criterion. We removed one additional area that fully met the leadership criterion—2020 Decennial Census.

Leadership commitment is critical for initiating and sustaining progress, and leaders provide needed support and accountability for managing risks. This criterion is the foundation for progress on the other four high-risk criteria. For example, leadership commitment to develop action plans that address the root causes of problems leads to progress on high-risk areas because action plans establish the basis for effective monitoring, which leads to demonstrated progress.

Figure 4 summarizes the rating status for high-risk areas that remain on the list.

Figure 4: Number of 2023 High-Risk Areas Receiving Met, Partially Met, and Not Met Ratings for Each Criterion

Note: Funding the Nation’s Surface Transportation System did not receive ratings against the five high-risk criteria because progress would primarily involve congressional action. Department of Health and Human Services’ (HHS) Leadership and Coordination of Public Health Emergencies, Unemployment Insurance System, and Strengthening Management of the Federal Prison System were not rated because they were newly added to the High-Risk List.

Table 2 shows current ratings of all 2023 high-risk areas and changes in ratings since our 2021 update. Six areas improved in leadership commitment, three areas improved in capacity, three areas improved in action plan, six areas improved in monitoring, three areas improved in demonstrated progress, and one area regressed in action plan.

Table 2: 2023 High-Risk Area Ratings and Rating Changes on Five Criteria for Removal from GAO’s High-Risk List

Criteria

High-risk area

Leadership Commitment

Capacity

Action Plan

Monitoring

Demonstrated Progress

NASA Acquisition Management

Strengthening Department of Homeland Security IT and Financial Management Functions

National Flood Insurance Program

USPS Financial Viability

DOD Approach to Business Transformation

Medicare Program & Improper Payments

Managing Federal Real Property

Acquisition and Program Management for DOE’s National Nuclear Security Administration and Office of Environmental Management

DOD Contract Management

DOD Financial Management

DOD Weapon Systems Acquisition

Emergency Loans for Small Businessesa

Enforcement of Tax Laws

Ensuring the Cybersecurity of the Nation

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Government-wide Personnel Security Clearance Process

Improving Federal Management of Programs that Serve Tribes and Their Members

Improving the Management of IT Acquisitions and Operations

Protecting Public Health through Enhanced Oversight of Medical Products

VA Acquisition Management

Improving and Modernizing Federal Disability Programs

Management of Federal Oil and Gas Resources

Managing Risks and Improving VA Health Care

Modernizing the U.S. Financial Regulatory System

Strategic Human Capital Management

Strengthening Medicaid Program Integrity

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

DOD Business Systems Modernization

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

Resolving the Federal Role in Housing Finance

Improving Federal Oversight of Food Safety

National Efforts to Prevent, Respond to, and Recover from Drug Misusea

U.S. Government's Environmental Liability

Legend: Met

Partially Met

Not Met

Progress

Regress


Source: GAO. | GAO-23-10620

aTwo high-risk areas—Emergency Loans for Small Businesses and National Efforts to Prevent, Respond to, and Recover from Drug Misuse—are receiving ratings for the first time because they were newly added in 2021.One high-risk area—Funding the Nation’s Surface Transportation System—did not receive ratings against the five high-risk criteria because progress would primarily involve congressional action. Three high-risk areas—Department of Health and Human Services’ (HHS) Leadership and Coordination of Public Health Emergencies, Unemployment Insurance System, and Strengthening Management of the Federal Prison System—are not yet rated because they were newly added to the High-Risk List in 2022 and 2023.

Figure 5 shows changes since our 2021 update in ratings on the five criteria for removal from the High-Risk List.

Figure 5: 2023 High-Risk Area Changes by High-Risk Criteria

Note: Two high-risk areas—National Efforts to Prevent, Respond to, and Recover from Drug Misuse and Emergency Loans for Small Businesses—are not rated on progress because they were added to the High-Risk List in 2021 and first rated in 2023. One high-risk area—Funding the Nation’s Surface Transportation System—is not rated because addressing it primarily involves congressional action. Three high-risk areas—HHS Coordination of Public Health Emergencies, Unemployment Insurance System, and Strengthening Management of the Federal Prison System—are not yet rated because they were newly added in 2022 and 2023.

Sixteen High-Risk Areas Have Made Progress Since 2021

Sixteen high-risk areas improved since our last update in 2021. One of the areas improved due primarily to congressional action and improved financial position (PBGC Insurance Programs). Another area improved by meeting all of our high-risk criteria (2020 Decennial Census). Both are being removed from the list. Fourteen more high-risk areas improved but remain on our list because additional progress is needed to address the high-risk issues.

This is the highest level of improvement achieved since we started rating high-risk areas against our criteria in 2015. For example:

National Flood Insurance Program (NFIP). Since 2021, the Federal Emergency Management Agency (FEMA) revised NFIP’s rate-setting methodology and updated its data system. These steps increased its capacity for addressing challenges and completing major projects. FEMA has also completed two action planning efforts directed at improving the NFIP’s financial resilience including completing a comprehensive legislative proposal that identifies actions Congress can take to address NFIP’s financial resilience. In addition, as part of FEMA’s updated rate-setting methodology, the agency continually evaluates the accuracy of the risk models produced by contractors. This is key to monitoring NFIP’s fiscal exposure.

To make further progress, FEMA should continue to monitor its new rate-setting methodology and Congress should consider enacting comprehensive reforms to address NFIP’s financial resilience.

USPS Financial Viability. U.S. Postal Service (USPS) ratings for three of the five criteria increased since 2021 due, in part, to the enactment of the Postal Service Reform Act of 2022, which significantly reduced USPS’s long-term unfunded liabilities.[13] For example, the act repealed a requirement to prepay future retiree health benefits on an annual basis and canceled billions in unpaid past due payments for such prefunding. USPS also paid $500 million toward its required $1.6 billion fiscal year 2022 Federal Employees Retirement System pension payment—the first such payment in 11 years. Additionally, under its new 10-year strategic plan, USPS introduced and initiated actions intended to achieve financial viability.

To make further progress, Congress needs to determine the level of universal postal services the nation requires and how to enable USPS to achieve long-term financial viability. USPS is also continuing to implement and report on its strategic plan.

VA Acquisition Management. In March 2021, the Department of Veterans Affairs (VA) issued its initial action plan to address acquisition management challenges, such as managing contracting officer workload and addressing the lack of reliable contracting and financial data systems. VA identified root causes of these challenges and most recently updated the plan in September 2022. VA improved in the monitoring criterion because, in that same plan, it identified corrective actions, goals, and performance metrics that it will use to measure progress in improving acquisition management. Since our last update, VA improved in the demonstrated progress criterion by implementing 15 recommendations related to acquisition management.

To make further progress, VA needs sustained leadership attention to drive change across the department and address acquisition management challenges including implementing 22 open recommendations.

Managing Risks and Improving VA Health Care. This area improved in the monitoring criterion across several areas of concern—policy, oversight, IT, training, and resource issues—in various ways. For example, VA surveyed users on internal policies, developed a metrics dashboard, identified data-oriented performance measure responsibilities for VA boards and committees, implemented a tool for monitoring training completion, and bolstered review of potential employees. VA improved in the demonstrated progress criterion by implementing our recommendations related to the five areas of concern mentioned above.

To make further progress, VA needs sustained leadership attention to drive change across the department and address remaining challenges. It needs to further develop its metrics to show how actions taken on the five areas of concern are addressing root causes and how progress is sustained over time. VA also needs to continue implementing our 104 open recommendations.

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks. Improvements were made across all five of the area’s segments. For example, for the Federal Government as Property Owner segment, the rating for capacity increased to partially met, in part because OMB revised its budget submission guidance in August 2022 to provide that agencies should be able to demonstrate how climate considerations are integrated in risk management and decision-making. For the same segment, the rating for the monitoring criterion increased to partially met because, in October 2022, major federal agencies released their first annual climate adaptation and resilience progress reports.

To make additional progress, the executive branch needs to address 49 open recommendations and Congress needs to consider seven open matters focused on climate resilience and protection from future disasters.[14]

Congressional Action Is Key to Achieving Benefits and Addressing High-Risk Areas

Congressional action, such as passing laws and holding hearings, is critical for making meaningful progress on high-risk areas. Table 3 lists examples of congressional actions that helped make progress on high-risk areas.

Table 3: Examples of Recent Congressional Action Taken on High-Risk Areas

High-risk area

Congressional actions taken

Enforcement of Tax Laws

Congress passed the American Rescue Plan Act of 2021, which contains provisions addressing our recommendation to require more third-party reporting for payments made to online platform workers.a The increased reporting will improve tax compliance by providing IRS with better information about platform workers’ incomes, and by making it easier for certain taxpayers to complete tax returns.

Ensuring the Cybersecurity of the Nation

In September 2020, we recommended that Congress consider legislation to designate a leadership position in the White House that will lead the nation’s efforts to protect its cyber critical infrastructure. In 2021, Congress enacted legislation that established the Office of the National Cyber Director within the Executive Office of the President to serve as the principal advisor to the President on cybersecurity policy and strategy.b The position and new office should facilitate the high-level attention and coordination needed to address cyber threats and challenges facing the nation, including threats to cyber critical infrastructure.

Funding the Nation’s Surface Transportation System

In 2021, Congress passed the Infrastructure Investment and Jobs Act (IIJA) providing approximately $541 billion in funding for surface transportation for fiscal years 2022 through 2026.c Additionally, Congress cumulatively transferred about $273 billion in general revenue to the Highway Trust Fund over 10 occasions from 2008 through 2021, including $118 billion under the IIJA. The Congressional Budget Office projected that, before this most recent transfer, Highway Trust Fund spending would have exhausted available revenues in 2022.

Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks

The IIJA required the Department of Transportation’s guidance to be updated to address resilience in certain contexts, as we recommended. It also provided funding for pre-disaster hazard mitigation programs.d Additionally, the Inflation Reduction Act of 2022 provided funding for programs related to climate resilience.e

Management of Federal Oil and Gas Resources

In November 2021, consistent with our recommendations, the Department of the Interior issued a report on revising its approach to setting royalty rates and rental rates and better accounting for methane emissions. The Inflation Reduction Act of 2022 addressed many of the recommendations in Interior’s report, including increasing royalty and rental rates for new onshore federal oil and gas leases. f

Managing Risk and Improving VA Healthcare

Consistent with our recommendation, Congress passed the Johnny Isakson and David P. Roe, M.D. Veterans Health Care and Benefits Improvement Act of 2020, which required the Department of Veterans Affairs (VA) to establish a process with timeframes for scheduling appointments under the Veterans Community Care Program.g

National Efforts to Prevent, Respond to, and Recover from Drug Misuse

Since we added this area to the High-Risk List in 2021, Congress confirmed a new Director of the Office of National Drug Control Policy who helped develop and issue the 2022 National Drug Control Strategy.

Pension Benefit Guaranty Corporation Insurance Programs

Congress provided special financial assistance to struggling multiemployer plans through the American Rescue Plan Act of 2021h, which greatly improved the financial position of the multiemployer program.i Pension Benefit Guaranty Corporation now projects a very low risk of insolvency for the program over the next 15 years.

USPS Financial Viability

Congress passed the Postal Service Reform Act of 2022, which significantly reduced the United States Postal Service’s (USPS) long-term unfunded liabilities.j

Source: GAO. | GAO-23-106203

aAmerican Rescue Plan Act of 2021, Pub. L. No. 117-2, § 9674, 135 Stat 4, 185 (2021), codified at 26 U.S.C. § 6050W(e).bWilliam M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283, §1752, 134 Stat. 3388, 4144–4149 (2021). cSee, generally, Pub. L. No. 117-58, 135 Stat. 429 (2021).dPub. L. No. 117-58, § 11519(b)(1)(B), 135 Stat. at 602, 1387.eSee, e.g., “An Act to provide for reconciliation pursuant to Title I of S.Con. Res. 14,” Pub. L. No. 117-169, § 40001, 136 Stat. 1818, 2028 (2022) (appropriating funding for the National Oceanic and Atmospheric Administration related to coastal communities and climate resilience).fPub. L. No. 117-169, § 50262, 136 Stat. at 2056–2058.gPub. L. No. 116-315, tit. III, § 3101, 134 Stat. 4932, 4999–5000 (2021).hAmerican Rescue Plan Act of 2021, Pub. L. No. 117-2, §§ 9701–9708, 135 Stat. 4, 186–207 (2021).iPub. L. No. 117-2, §§ 9701–9708, 135 Stat. at 186–207.jPub. L. No. 117-108, 136 Stat. 1127 (2022).

Executive Branch Action on High-Risk Areas also Produced Benefits

Actions that agency leaders took to implement our recommendations in some high-risk areas resulted in significant financial benefits (see table 4).

Table 4: Examples of Recent GAO High-Risk Area Recommendations Leading to Financial Benefits

High-risk area

Executive actions taken

DOD Contract Management

The Department of Defense (DOD) and other federal agencies have increased their use of category management, an initiative intended to help agencies buy more strategically and achieve efficiencies. This has resulted in more than $35 billion in cost savings from fiscal years 2017 to 2020. We also recommended that the Office of Management and Budget set and report on goals for using category management, including at DOD, which exceeded its goal for fiscal year 2022.

Strengthening Medicaid Program Integrity

Since the 1990s, we have repeatedly reported that the Department of Health and Human Services (HHS) allowed states to use questionable methods that resulted in inflated demonstration spending limits and increased the federal government’s fiscal liability. For example, HHS has allowed states to include hypothetical costs in their spending limits for population groups that could have been covered under Medicaid but actually were not. In response, HHS issued a new policy in 2017 to better ensure that these demonstration projects are budget-neutral. HHS estimated that this policy reduced the federal government’s fiscal liability in 10 states by $29.5 billion for 2020.

Managing Federal Real Property

Based on our 2013 recommendation, the General Services Administration successfully implemented its plan to prioritize properties for ownership investments by purchasing the Department of Transportation’s headquarters building in 2020. The General Services Administration estimates that this move to owned space will save taxpayers more than $409 million in lease costs over 30 years.

2020 Decennial Census

We reported several times between 2015 and 2020 on cost growth and schedule challenges related to the Census Bureau’s Enterprise Data Collection and Processing initiative. In response to our work, the Census Bureau reduced the scope of the initiative, which resulted in a reduction of more than $200 million in the estimated costs between fiscal years 2020 and 2024.

U.S. Government’s Environmental Liability

In response to our May 2015 recommendation to improve management and oversight of nuclear waste treatment strategies at the Hanford site by revising cost and schedule estimates in assessing alternatives, the Department of Energy suspended work on the low activity waste pretreatment system facility and pursued a different technology, which it completed in 2022 for a savings of $80 million.

Source: GAO. | GAO-23-106203

High-Risk Areas Needing Significant Attention

All high-risk areas need attention to make progress and resolve risk. However, highlighted below are several areas that require significant attention because of emerging issues requiring government responses, large and rapidly growing costs, or a failure to make any progress in the past several years.

Ensuring the Cybersecurity of the Nation. Attacks on our information systems and infrastructure continue to grow even as the nation makes advances to try to stay ahead of them. Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on technology systems to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to protecting individual privacy and national security, prosperity, and well-being. Although the rating for leadership commitment increased since 2021, there is still significant work to be done in this high-risk area. Since 2010, we have made more than 4,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government—over 670 of which were made since the last high-risk update in 2021.

There is an opportunity to make greater progress in this critical area. Federal agencies can strengthen cybersecurity by establishing and effectively implementing a comprehensive national cyber strategy, a government-wide cyber workforce plan, strategies for monitoring privacy programs, and critical infrastructure cyber protections.

National Efforts to Prevent, Respond to, and Recover from Drug Misuse. Drug misuse—the use of illicit drugs and the misuse of prescription drugs—has been a persistent and long-standing public health issue in the U.S. Drug misuse has resulted in significant loss of life and harm to society and the economy. In recent years, the federal government has spent billions of dollars and has enlisted more than a dozen federal agencies to address drug misuse and its effects. In December 2022, HHS announced the renewal of a 2017 determination that marked the opioid crisis as a public health emergency. This coincides with one of the highest numbers of drug overdose deaths reported in a 12-month period (nearly 107,000).

Federal agencies must effectively coordinate and implement a strategic national response to drug misuse and make progress toward reducing rates of drug misuse, overdose deaths, and the resulting harmful effects to society.

U.S. Government’s Environmental Liability. This area needs attention because even as the federal government spends billions each year on cleanup efforts, its environmental liability will likely continue to grow. For example, the federal government's estimated environmental liability nearly tripled from $212 billion in fiscal year 1997 to $626 billion in fiscal year 2022, according to the most recent data available. In addition, some environmental cleanup costs remain unreported to Congress, preventing a more transparent assessment of total fiscal exposure.

As of March 2023, 50 of our recommendations to federal agencies and 14 matters for congressional consideration related to this high-risk area had not been implemented. The federal government needs to take action to get ahead of growing environmental cleanup costs.

The Departments of Energy and Defense, which bear the bulk of this liability, and other agencies need to identify and address environmental risks and better monitor and transparently report on this liability.

Improving Federal Oversight of Food Safety. The food safety high-risk issue needs significant attention because there has not been appreciable progress in any of the criteria for removal from the High-Risk List since we began rating areas using our criteria in 2015. The safety and quality of the U.S. food supply, both domestic and imported, are governed by at least 30 federal laws that are collectively administered by 15 federal agencies. We have long reported on the fragmented nature of the federal food safety oversight system; this fragmentation has caused inconsistent oversight, ineffective coordination, and inefficient use of resources.

In recent years, we have recommended congressional and executive actions that, if implemented would help reduce fragmentation and improve federal oversight of food safety, including a recommendation to establish a national strategy for food safety. However, no entity has assumed leadership responsibility for coordinating food safety efforts across the federal government.

A strong food safety oversight system is critical to protecting Americans, particularly vulnerable groups such as young children. In 2022, a manufacturer recalled infant formula that had been contaminated with a foodborne pathogen at a production site in Michigan after two infants died. Subsequent formula recalls worsened the existing shortage. Infants, particularly those in low income families, can face greater risk of malnutrition when the supply of infant formula is reduced. We have started work examining purchases of infant formula through USDA’s Special Supplemental Nutrition Program for Women, Infants and Children.

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks. Numerous studies have concluded that climate change poses risks to many environmental and economic systems and creates a significant fiscal risk to the federal government. This area’s overall rating for monitoring improved to partially met, but no criterion has reached the “met” status needed to make progress in removal from the High-Risk List.

The federal government still needs to take government-wide action to reduce its fiscal exposure such as by developing a cohesive, strategic approach with strong leadership and the ability to manage risks across the entire range of related federal activities. As of February 2023, 49 recommendations remain open in this area including that the federal government needs a comprehensive approach to improve the resilience of the facilities it owns and operates and land it manages.

High-Risk Areas with Decreased Ratings

In the 2 years since our last report, one area—DOD Business Systems Modernization—has regressed in its overall and segment ratings against our criteria for removal from the High-Risk List. The action plan criteria rating declined from partially met to not met, because DOD’s efforts to produce action plans to address this high-risk area have stalled.

One segment of this high-risk area—DOD’s Federated Business Enterprise Architecture—had its ratings for action plan and monitoring decrease to not met. DOD has not provided a date for when it anticipates completing its action plan for this area or developed a plan with tasks and associated milestones to monitor its efforts to update its business enterprise architecture.

Two additional high-risk areas contain segments that have regressed against our criteria without a change in the overall area rating. The Improving and Modernizing Federal Disability Programs high-risk area had two segments pertaining to the Social Security Administration decrease to partially met in the monitoring criteria. The Managing Federal Real Property high-risk area had one segment related to Excess and Underutilized Property that decreased from partially met to not met for capacity and demonstrated progress. This was because of setbacks involved in the implementation of a new, temporary process to increase the federal government’s capacity to identify and dispose of unneeded assets.

Closing 


Our high-risk program continues to be a top priority at GAO. We will maintain our emphasis on identifying high-risk issues across government and on providing recommendations and sustained attention to help address them. We will also continue working collaboratively with Congress, agency leaders, and OMB to address these issues.

As part of this effort, OMB’s role is especially important because many high-risk areas are government-wide or involve multiple agencies. Also, there are resource investments associated with correcting a number of the high-risk problems. Leadership meetings with the OMB Deputy Director for Management, top agency leaders, and GAO to discuss plans and actions to address each of the individual high-risk areas have been critical for achieving progress. OMB accelerated the pace of these meetings in the past 2 years. Since the last high-risk update, it has convened 10 meetings on 12 high-risk areas. These trilateral meetings led to greater progress on high-risk issues as noted by the progress in 16 high-risk areas since our last update in 2021. We expect OMB to continue to hold these meetings with a goal of meeting on all high-risk areas before our next update in 2025.

We are providing this update to the President and Vice President, congressional leadership, the appropriate congressional committees, the Director of OMB, and the heads of major departments and agencies.

Gene L. Dodaro
Comptroller General
of the United States

Congressional Addressees

The Honorable Gary C. Peters
Chairman
The Honorable Rand Paul, M.D.
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable James Comer
Chairman
The Honorable Jamie Raskin
Ranking Member
Committee on Oversight and Accountability
House of Representatives

High-Risk Areas and Appendixes 


IN THIS SECTION


Appendix I: What Is the History of the High-Risk Program?

In 1990, we began a program to report on government operations that we identified as “high risk.” Since then, generally coinciding with the start of each new Congress, we have reported on the status of progress addressing high-risk areas and have updated the High-Risk List. Our last high-risk update was in March 2021. That update identified 36 high-risk areas. In January 2022 and June 2022, we added two high-risk areas—HHS Leadership and Coordination of Public Health Emergencies, and Unemployment Insurance System. This year, we added one high-risk area—Strengthening Management of the Federal Prison System—and removed two which we will continue to monitor—the 2020 Decennial Census and Pension Benefit Guaranty Corporation Insurance Programs. This 2023 update identifies 37 high-risk areas.

Overall, this program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since our program began, the federal government has taken high-risk problems seriously and has made long-needed progress toward correcting them. In a number of cases, progress has been sufficient for us to remove the high-risk designation. A summary of changes to our High-Risk List over the past 31 years is shown in table 5.

Table 5: Changes to the High-Risk List, 1990-2023

Number of areas

Original High-Risk List in 1990

14

High-risk areas added since 1990

53

High-risk areas removed since 1990

29

High-risk areas separated out from existing area

1

High-risk areas consolidated since 1990

2

High-Risk List in 2023

37

Source: GAO. | GAO-23-106203

How Can Agencies Use the Criteria to Make Progress on High-Risk Issues?

The five high-risk criteria form a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the criteria leads to progress, while satisfying all of the criteria is central to removal from the list.

In March 2022, we reported on key practices for addressing the five high-risk criteria to facilitate progress on high-risk areas. See figure 6 for key practices that can help agencies demonstrate leadership commitment and sustain continuity for high-risk efforts.

Figure 6: Key Practices to Demonstrate Leadership Commitment and Sustain High-Risk Efforts

What Is the History of Programs Removed from the High-Risk List?

A summary of areas removed from our High-Risk List over the past 33 years is shown in table 6.

Table 6: History of Areas Removed from the High-Risk List

High-risk area

Year removed

Years on list

Federal Transit Administration Grant Management

1995

5

Pension Benefit Guaranty Corporation

1995

5

Resolution Trust Corporation

1995

5

State Department Management of Overseas Real Property

1995

5

Bank Insurance Fund

1995

4

Customs Service Financial Management

1999

8

Farm Loan Programs

2001

11

Superfund Programs

2001

11

National Weather Service Modernization

2001

6

The 2000 Census

2001

4

The Year 2000 Computing Challenge

2001

4

Asset Forfeiture Programs

2003

13

Supplemental Security Income

2003

6

Student Financial Aid Programs

2005

15

FAA Financial Management

2005

6

Forest Service Financial Management

2005

6

HUD Single-Family Mortgage Insurance & Rental Housing Assistance Programs

2007

13

U.S. Postal Service's Transformation Efforts and Long-term Outlook

2007

6

FAA's Air Traffic Control Modernization

2009

14

DOD Personnel Security Clearance Program

2011

6

2010 Census

2011

3

IRS Business Systems Modernization

2013

18

Management of Interagency Contracting

2013

8

Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland

2017

12

DOD Supply Chain Management

2019

29

Mitigating Gaps in Weather Satellite Data

2019

6

DOD Support Infrastructure Management

2021

24

2020 Decennial Census

2023

6

Pension Benefit Guaranty Corporation Insurance Programs

2023

20

Source: GAO. | GAO-23-106203

For a summary describing actions taken that resulted in removal of high-risk areas from 1995 to 2021, please see Appendix II of High-Risk Series: Key Practices to Successfully Address HIgh-Risk Areas and Remove Them from the List.[15]

When Were Areas Added to the High-Risk List?

The areas on our 2023 High-Risk List, and the year each was designated as high risk, are shown in table 7.

Table 7: History of Areas Currently on the High-Risk List

High-risk area

Year designated

DOD Weapon Systems Acquisition

1990

Acquisition and Program Management for DOE’s National Nuclear Security Administration and Office of Environmental Management

1990

Enforcement of Tax Laws

1990

Medicare Program and Improper Payments

1990

NASA Acquisition Management

1990

DOD Contract Management

1992

DOD Business Systems Modernization

1995

DOD Financial Management

1995

Ensuring the Cybersecurity of the Nation

1997

Strategic Human Capital Management

2001

Improving and Modernizing Federal Disability Programs

2003

Managing Federal Real Property

2003

Strengthening Department of Homeland Security IT and Financial Management Functions

2003

Strengthening Medicaid Program Integrity

2003

DOD Approach to Business Transformation

2005

National Flood Insurance Program

2006

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

2007

Funding the Nation’s Surface Transportation System

2007

Improving Federal Oversight of Food Safety

2007

Modernizing the U.S. Financial Regulatory System

2009

Protecting Public Health through Enhanced Oversight of Medical Products

2009

Resolving the Federal Role in Housing Finance

2009

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

2009

USPS Financial Viability

2009

Management of Federal Oil and Gas Resources

2011

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

2013

Improving the Management of IT Acquisitions and Operations

2015

Managing Risks and Improving VA Health Care

2015

Improving Federal Management of Programs that Serve Tribes and Their Members

2017

U.S. Government’s Environmental Liability

2017

Government-wide Personnel Security Clearance Process

2018

VA Acquisition Management

2019

Emergency Loans for Small Businesses

2021

National Efforts to Prevent, Respond to, and Recover from Drug Misuse

2021

Unemployment Insurance System

2022

HHS Leadership and Coordination of Public Health Emergencies

2022

Strengthening Management of the Federal Prison System

2023

Source: GAO. | GAO-23-106203

Appendix II: Overview for Each High-Risk Area

2020 Decennial Census

The Census Bureau slowed decades of cost growth while completing the 2020 Decennial Census during a pandemic. However, the continuing undercounts of segments of the population as reported by the Bureau signal that 2030 Census planning should be monitored for emerging risks.

Why Area Was High Risk

The cost of the decennial census escalated with double-digit growth rates in its cost per housing unit from the 1970 through the 2010 Census, after adjusting for inflation. To achieve cost savings, the 2020 Census relied on several innovations. These innovations included re-engineering its field data collection with automated case management. Budget uncertainty caused the Bureau to scale back testing of these innovations in 2017.

We are removing the Decennial Census from our High-Risk List because of progress in multiple areas. For example, the Bureau collaborated with independent outside entities for strategies dealing with quality concerns, chartered a high-level governance group, and monitored and demonstrated progress with priority recommendations. We are monitoring the 2030 Census planning—already underway—for emerging risks and challenges. If risks increase or we observe problematic challenges, we will consider moving the Decennial Census back to the High-Risk List.

The Bureau improved its management of the decennial census late in the decade across multiple areas, such as cost estimation, risk management, and cybersecurity.

Leadership commitment: increased to met. During the COVID-19 pandemic, the Bureau relied on a governance group to oversee several teams studying the effects on census data quality of the Bureau’s initial COVID-19 response. The Bureau plans to issue a thematic assessment report based on this governance group’s efforts in 2023. In October 2022, the Bureau launched an effort, headed by agency leaders, to transform and modernize operations to address challenges such as declining response rates. The Bureau’s executive Operating Committee members serve as champions on individual tracks of the transformation program.

Capacity: increased to met. The Bureau improved its capacity to address risks by establishing a team to combat misinformation and disinformation threats to the integrity of the 2020 Census. The team used specialized tools to monitor traditional media and social media and responded accordingly. The Bureau also leveraged the knowledge and skills of external parties during the 2020 Census. For example, the Bureau worked with a group of independent scientific consultants to assess its plans, processes, procedures, and metrics for 2020 Census data quality. The consultants also helped develop a strategy for sharing indicators of the quality of census data. In addition, the Bureau worked with the Department of Homeland Security (DHS) to protect its systems and data for the 2020 Census. DHS provided threat intelligence, vulnerability assessments, and recommendations to the Bureau to strengthen its cybersecurity efforts.

Action plan: increased to met. The Bureau has developed action plans in response to our recommendations. Moreover, it is developing a plan to improve coordination between its field office staff and the Partnership Program. This enlists community organizations to encourage census participation. The plan is due by September 2024 and is intended to address root causes of a long-standing recommendation to create mechanisms for improved coordination. The Bureau has also already begun inviting public comment on ways to improve outreach and self-response methods for the 2030 Census.

Monitoring: increased to met. The Bureau has monitored our open recommendations, scheduling regular follow-up meetings on actions taken. Bureau officials met regularly with departmental leadership to discuss actions taken to close recommendations. The Bureau provided prioritized agendas of the open recommendations, ensuring attention to our priority recommendations. In August 2019, the Bureau implemented a system to track and report variances between actual and expected cost elements. Tracking these variances helped management measure progress against planned outcomes. It will also help provide a basis for its cost estimation for the 2030 Census.

Demonstrated progress: increased to met. The Bureau curbed the past decades’ trend of steadily increasing census cost while implementing the census during a pandemic. The Bureau has also acted on nearly all of our 44 recommendations since 2017. It has made enough progress to close 25 of them. In August 2019, the Bureau provided an update to the 2020 Census cost estimate, which we found to be sufficiently reliable. In the spring of 2022, the Bureau began piloting new procedures for aligning costs of exploring its innovations for 2030 within its overall cost framework. It took significant steps to ensure that corrective actions for high-risk cybersecurity weaknesses were implemented within prescribed time frames. This increased the Bureau’s ability to address future cybersecurity weaknesses.

Monitoring 2030 Decennial Census for Emerging Risks

Our decades of oversight of the decennial census suggest that the severity of risks the census faces can escalate after the initial early years of planning. We will continue our oversight of the early 2030 Census planning and periodically reassess if risks are increasing that necessitate adding the 2030 Census to the High-Risk List. Specifically, we will monitor the following risks:

  • Budgetary uncertainty. Without adequate planning, budgetary uncertainty can disrupt key research and testing.
  • Inadequate testing. Enhancements or other changes in data collection or in response processing should be accounted for and tested fully. Inadequately tested changes could have schedule implications that jeopardize the Bureau’s ability to deliver 2030 Census apportionment and redistricting data products in a timely manner.
  • Late IT decisions. The 2020 Census demonstrated that delayed decisions on IT capabilities can affect schedules and costs. It also showed that large-scale technological changes introduce privacy and cybersecurity challenges and increase risk. The Bureau’s IT-related decisions for future surveys could affect schedules, costs, and plans to protect sensitive data. We have ongoing work evaluating the Bureau’s plans to modernize its IT systems and cybersecurity program for the 2030 Census and other surveys.
  • Declining participation. Uneven coverage of the population in the decennial census has persisted in recent decades. Bureau outreach efforts for the 2030 Census face continuing risks related to distrust in government and the public’s willingness to participate in the census. The Bureau is seeking ways to improve the way people participate in the 2030 Census.

Figure 7: Provisional 2030 Census Life-Cycle Time Frame

What Needs to Be Done to Manage Risks

The Bureau needs to continue implementing successful management practices while building on lessons learned from the recent census.

In a report in February 2022, we noted the importance of the Bureau

  • prioritizing IT decisions early in this decade to mitigate the cost and schedule issues experienced by the 2020 Census; and
  • continuing to manage privacy and cybersecurity risks.

We recommended the Bureau should

  • develop a plan to improve resiliency of its 2030 Census research and testing in response to Bureau-identified budget uncertainty. This would mitigate delays or cancellations of key activity.

We also recommended the Bureau should research and test how innovations, enhancements, or other design changes affect methodologies and time required for data collection as well as postdata collection steps.

Finally, in a report on leading practices for transformation, we found that when implementing organizational change, agency executive committee members should communicate with their respective parts of the organization to facilitate a shift toward a more holistic and less parochial and change-resistant culture. This will be important for the Bureau as it continues work on its multifaceted enterprise transformation effort.

Benefits

Financial benefits to the federal government due to progress in the Decennial Census high-risk area over the past 5 years totaled more than $500 million. There were also more than 60 other benefits to the federal government due to progress in this high-risk area over the past 5 years. For example:

  • In response to our findings about the reliability of the census cost estimate, the Bureau made numerous improvements in its cost estimation. In August 2019, we found the updated cost estimate was reliable;
  • In 2018, we examined challenges the Bureau faced in improving its enumeration of the hard-to-count for the 2020 Census. In response to our questions about coordinating these efforts, the Bureau developed its first comprehensive look at its hard-to-count goal for the decennial. The Bureau then included it within its December 2018 Operational Plan for the 2020 Census. This plan increased visibility of the Bureau's hard-to-count goal and helped integrate efforts across the decennial plan to reach hard–to-count populations; and
  • In 2019, we found that the Bureau did not have mitigation and contingency plans for all risks that required them. In addition, the Bureau did not consistently include key information needed to manage the risks. If not properly managed, those risks, such as for cybersecurity incidents or for operations and system integration, could have affected the cost and quality of the census. In response, in March and July 2020, the Bureau updated its decennial risk management plans to include this information.

Contact Information

For additional information about this high-risk area, contact Yvonne D. Jones at (202) 512-6806 or jonesy@gao.gov.

Pension Benefit Guaranty Corporation (PBGC) Insurance Programs

Provisions in the American Rescue Plan Act of 2021 (ARPA) have led to a significantly improved financial position for PBGC insurance programs, with very low projected risk of insolvency over the next 15 years. Accordingly, at this time, we are removing the PBGC insurance programs from our High-Risk List. However, certain longer-term financial risks remain that should be monitored.

Why Area Was High Risk

PBGC insures the pension benefits of more than 33 million American workers and retirees who participate in about 25,200 private-sector defined benefit plans. With about $128 billion in assets, its portfolio is one of the largest of any federal government corporation.

We added the PBGC single-employer insurance program to the High-Risk List in 2003 because of concerns about the program’s long-term ability to pay statutory guarantees to beneficiaries of plans in which employers could not fund promised benefits. We added the multiemployer program to the High-Risk List in 2009 due to the worsening financial condition of that program. The financial position of both programs has fluctuated between surplus and deficit over the last 30 years.

We are removing the PBGC single-employer and multiemployer insurance programs from the High-Risk List because the financial condition and outlook for both programs have improved. This improvement is due to both action taken by Congress and more favorable underlying financial conditions. However, we will continue to monitor these programs. If risks re-emerge, we will consider placing them back on the High-Risk List.

Provisions in ARPA provided special financial assistance for certain struggling multiemployer plans. This has significantly delayed projected dates of potential insolvency for the multiemployer insurance program. Moreover, the financial position and outlook for the single-employer insurance program have also improved.

Congress Took Action to Address Risks to PBGC’s Multiemployer Insurance Program

ARPA provided funding for special financial assistance (SFA), as administered by PBGC, to assist certain struggling multiemployer plans. Eligible plans generally include certain insolvent plans, plans that received approval to reduce benefits under the Multiemployer Pension Reform Act of 2014, or other financially troubled plans. If a plan applies for and is approved for SFA, the plan receives a one-time payment, or grant, for the amount projected to be sufficient to pay benefits through 2051. Because of improved funding for plans that receive SFA payments, PBGC most recently projects fiscal year 2055 as the mean year of multiemployer program insolvency, compared to fiscal year 2026 in the projections prior to ARPA’s enactment. Even PBGC’s most adverse projection scenarios show the program remaining solvent until at least fiscal year 2036. In addition, a majority of scenarios project solvency beyond the end of a 40-year projection period.

Mainly due to funding provided for SFA under ARPA, the multiemployer program has posted a net surplus in each of the last 2 years. As of the end of fiscal year 2022, the program’s net financial position was $1.1 billion, up from $481 million as of the end of fiscal year 2021. This is a notable improvement from the $63.7 billion deficit the program faced at the end of fiscal year 2020 (see fig. 8), prior to ARPA’s enactment. As of the end of February 2023, PBGC had approved $45.8 billion in SFA payments to plans covering more than 553,000 workers, retirees, and beneficiaries. PBGC estimates that total SFA payments will eventually amount to between $66 billion and $100 billion. ARPA also increases the annual per-participant premiums paid by sponsors of multiemployer plans to $52 starting in 2031. This premium rate is indexed annually to wage inflation. The multiemployer per-participant premium for 2023 is $35.

Figure 8: Pension Benefit Guaranty Corporation’s (PBGC) Net Financial Position of the Multiemployer Program, Fiscal Years 2000 through 2022

The Financial Condition of the Single-Employer Insurance Program Has Improved Gradually

In contrast to the sudden improvement in the multiemployer program financial outlook resulting from the enactment of ARPA, the financial position of PBGC’s much larger single-employer program has improved more gradually in recent years. Underlying conditions for single-employer plans, such as plan funding, have generally become more favorable since fiscal year 2012. At that time, the program had its largest net financial deficit of $29.1 billion. The net financial position has since gradually improved, reporting a surplus each year since the end of fiscal year 2018. As shown in figure 9, it posted a surplus of $37.6 billion as of the end of fiscal year 2022.

Figure 9: Pension Benefit Guaranty Corporation’s (PBGC) Net Financial Position of the Single Employer Program, Fiscal Years 2000 through 2022

PBGC Insurance Programs Has Been Removed from the High-Risk List, but Will Still Be Monitored

Because each program currently has a surplus and PBGC projections for both programs show no near-term risk of insolvency, we have removed the high-risk designation for PBGC Insurance Programs. However, PBGC continues to face certain important challenges. We will continue to monitor PBGC and report on the status of its funds in 2025, and then as needed in future high-risk updates. If the financial position of one or both programs erodes significantly, projections worsen, or new risks emerge, we will consider adding one or both insurance programs back to the High-Risk List.

Multiemployer Program

PBGC’s projections still show fiscal year 2055 as the mean year of multiemployer program insolvency, and insolvency as early as 2036 in the most adverse of the 500 scenarios projected as of September 2022. In addition, provisions in ARPA did not significantly address the fundamental long-term risks facing the multiemployer program. These include inadequate plan funding rules, premiums that do not fully cover the cost of insurance and are not risk based, and exposure to unfavorable investment returns.

We will also continue to monitor SFA’s implementation and how it affects program finances. This will require significant oversight by PBGC and uncertain total outlays by the federal government. The scope of special financial assistance will not be fully known until 2026 or later. Initial applications for the program must be submitted to PBGC by the end of calendar year 2025. This, in turn, could affect PBGC projections for the multiemployer program. PBGC projects that, by 2031, it will incur $10.2 billion in probable multiemployer claims, mostly by plans that are not expected to receive special financial assistance. These claims, in part, account for a projected financial deficit of $5.1 billion in 2031.

Single-Employer Program

While PBGC projects the single-employer program to maintain a surplus through at least 2031, it will continue to face potentially substantial financial risks. For example, as we noted in 2021, the single-employer program is exposed to claims from underfunded plans sponsored by companies with credit ratings below investment grade. PBGC’s fiscal year 2022 financial report estimates this exposure at $52 billion. While the single-employer program has not experienced many large underfunded plan terminations recently, PBGC's experience shows that the single-employer program’s position can change quickly and precipitously. For example, the spate of plan terminations in the airline and steel industries from 2001 through 2006 resulted in the program incurring more than $20 billion of net claims.

PBGC-wide Issues

We have previously recommended that PBGC’s board—composed of the Secretaries of Labor, the Treasury, and Commerce—be expanded to broaden its expertise in areas such as strategic risk assessment and management, and to provide more stable leadership. Further, the board’s ability to provide stable leadership is limited by the turnover of cabinet officials.

Benefits

Progress in addressing the PBGC high-risk area since 2006 has resulted in more than $13 billion in financial benefits and nearly 20 other benefits. For example:

  • Legislation was enacted that included various changes consistent with our recommendations that raised the single-employer premiums that sponsors pay to PBGC and resulted in financial savings.
  • PBGC took actions consistent with our recommendations to improve service delivery, for example through increased transparency of plan statements given to participants and providing key appeals information to participants.

Contact Information

For additional information about this high-risk area, contact Tranchau (Kris) T. Nguyen at (202) 512-7215 or nguyentt@gao.gov.

Strategic Human Capital Management

Continuing efforts of federal agencies and the Office of Personnel Management (OPM) are needed to adequately address skills gaps within the federal workforce.

Why Area Is High-Risk

Mission-critical skills gaps specific to federal agencies and across the federal workforce pose a high risk to the nation. They impede the government from cost effectively serving the public and achieving desired results. This area was added to the High-Risk List in 2001. Agencies often experience skills gaps because of a shortfall in a talent management activity, such as workforce planning or training.

Government-wide skills gaps have been identified in fields such as human resources, science, technology, engineering, mathematics, cybersecurity, and acquisitions. The Office of Personnel Management is responsible for assisting agencies in addressing skills gaps within their workforces.

Since our 2021 High-Risk List update, the rating for one criterion—leadership commitment—increased from partially met to met. The other four criteria remain unchanged.

For more than two decades, we have designated strategic human capital management as a government-wide high-risk area in part because of the need to address current and emerging skills gaps that are undermining agencies’ abilities to meet their missions. OPM plays a unique role as the federal government’s human capital leader. Therefore, it needs a sufficient number of employees with appropriate skills to effectively lead and follow through on its efforts to address this high-risk issue.

Leadership commitment: increased to met. OPM filled and the Senate confirmed leadership for the first time in 5 years. Since our last high-risk update in 2021, OPM has committed to and begun leading multiple efforts to address skills gaps across the federal government. In June 2021, the Senate confirmed the current OPM Director. This affords the high-level attention needed to help address skills gaps. Additionally, in July 2021, OPM resumed stewardship of the Chief Human Capital Officers Council (Council) to help connect OPM’s government-wide human capital policy efforts with agencies’ human capital leaders. For example, to assist the Council in setting its strategic objectives, OPM established an executive steering committee to advise the Council on identifying its priorities. These priorities include building capacity among the federal human resources workforce.

Furthermore, the President’s Management Agenda has placed strengthening and empowering the federal workforce among its top three priorities. The OPM Director leads efforts to address skills gaps. One way of doing this is attracting and hiring qualified applicants for federal employment who reflect the diversity of the country.

Capacity: partially met. OPM has provided agencies with guidance to develop assessment strategies to evaluate federal job applicants based on needed competencies. However, federal human capital managers have stated they experience challenges in their workforce planning efforts because their human resource staff do not have all the skills needed to conduct workforce planning. To help agencies address this challenge, OPM conducted a government-wide hiring effort to fill human resource positions. It also developed a training program for new staff.

With regard to OPM’s own workforce capacity, a recent third-party assessment of its workforce found skills gaps in areas such as project management, organizational performance, leadership development, and data analysis. The assessment concluded these skills gaps may limit OPM’s ability to successfully meet mission requirements and help other agencies close their skills gaps.

Action plan: partially met. OPM’s Fiscal Year 2022-2026 Strategic Plan includes many goals, measures, and milestones aimed at addressing skills gaps across the government in areas such as recruiting, hiring, retention, and training. However, OPM does not have a plan to address skills gaps within its own workforce. OPM’s Human Capital Operating Plan does not explicitly describe strategies for closing the skills gaps of its own workforce, as required in OPM’s guidance to other federal agencies. In February 2023, we recommended that OPM establish an action plan that addresses skills gaps identified in the workforce assessment—either as an update to its Human Capital Operating Plan or a separate effort.

Similarly, other agencies, such as the Food and Drug Administration (FDA) and the Department of the Interior’s Bureau of Land Management (BLM), have not completed plans to address their own workforce needs. In January 2022, we recommended that FDA develop an agency-wide strategic workforce plan with elements for monitoring and evaluating its progress toward its human capital goals. Developing a plan would help ensure its workforce includes the 14 mission-critical occupations with the scientific and technical skills needed to ensure the efficacy and safety of medical products. FDA concurred with our recommendation and reported that it is developing a baseline version of an agency-wide strategic workforce plan. Legislation enacted in December 2022 requires the agency to issue such a plan by the end of fiscal year 2023, and at least every 4 years thereafter. FDA concurred with our recommendation. It reported that it anticipates having a baseline version of an agency-wide strategic workforce plan by the end of fiscal year 2024.

We also recommended in November 2021 that BLM develop an agency-wide strategic workforce plan to address skills gaps partially resulting from the recent relocation of its headquarters from Washington, D.C., to Colorado. Interior concurred with our recommendation. In February 2022, BLM began exploring the use of tools to track permanent employee position vacancies within each of its state offices and in headquarters.

Monitoring: partially met. Although OPM’s strategic plan includes measures and milestones to monitor the closing of government-wide skills gaps, until it develops an action plan for its own workforce as we have recommended, OPM will lack important information needed to close its own skills gaps. OPM also must manage the risks that skills gaps pose to its mission, such as making trade-off decisions in light of resource limitations. Until it documents the risks to its ability to achieve its strategic objectives and identifies strategies to address these risks, OPM may be unable to make fully informed decisions regarding its own workforce. It also may be unable to effectively help other agencies close their skills gaps.

Additionally, in January 2021, we made several recommendations to the Department of Homeland Security’s (DHS) Chief Human Capital Officer to better monitor DHS components’ plans and efforts to improve employee engagement. DHS has consistently ranked the lowest in terms of employee engagement among similarly sized federal agencies. The President’s Management Agenda includes strategies to address skills gaps such as improving employee engagement as measured by the Federal Employee Viewpoint Survey. However, DHS is in the early stages of implementing new processes to monitor employee engagement and use resulting information to adjust, reprioritize, and identify new actions.

Demonstrated progress: not met. In addition to steps taken by OPM, individual agencies need to demonstrate improvement in agency capacity. In October 2022, OPM reported that, in January 2021, it continued its efforts to address government-wide skills gaps by (1) training agencies on conducting root cause analysis to identify skills gaps, (2) developing action plans, and (3) identifying metrics and targets. The report also stated that auditors are no longer a government-wide skills gap, in part because OPM recommended that, based on the progress that has been made, auditors and economists should be removed from the government-wide mission-critical occupations list. However, acquisition, human resource, and cybersecurity occupations are still considered government-wide skills gaps needing attention.

Our prior work indicates that progress to close skills gaps will require demonstrated improvements in agencies’ capacity to perform workforce planning, foster employee engagement, train staff effectively, and recruit and retain the appropriate number of staff with the necessary skills. As outlined in table 8, we found that agencies face challenges in these areas of human capital management. This has contributed to the designation of 22 of the 36 other areas in this update as high risk.

Table 8: Examples of Skills Gaps Related to High-Risk Areas

High-risk area

Examples of skills gaps

Acquisition and Program Management for the Department of Energy’s National Nuclear Security Administration and Office of Environmental Management

Skills, staffing and workforce planning: The National Nuclear Security Administration faces staffing shortages and lacks staff with the right skills in its workforce to oversee its contracts. Additionally, the agency needs to perform a complete and thorough evaluation of the skill gaps across its acquisition workforce.

Department of Defense Business Systems Modernization

Skills and workforce planning: The Department of Defense’s (DOD) Offices of Administration and Management and Chief Information Officer need to determine next steps for identifying skills gaps and other resource gaps associated with its efforts to manage DOD’s portfolio of business systems.

DOD Weapon Systems Acquisition

Skills and staffing: DOD lacks the workforce needed to support large-scale production and testing of hypersonic weapons. It also lacks sufficient staff with the required expertise in software development.

Enforcement of Tax Laws

Staffing and workforce planning: The Internal Revenue Service (IRS) has not fully implemented strategic workforce planning initiatives. Such initiatives could help it address the challenges of carrying out ongoing enforcement and taxpayer service programs. IRS also faces mission-critical gaps for enforcement staff to investigate underreporting and noncompliance.

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Skills and training: DOD has not developed the training needed to help its workforce protect technologies critical to national security interests.

Ensuring the Cybersecurity of the Nation

Skills and workforce planning: Although 18 of the 24 major federal agencies have taken steps to identify and categorize all of their vacant IT and cyber-related positions, federal agencies need to take additional actions to address the federal cybersecurity workforce shortage and implement key IT workforce planning practices.

Government-wide Personnel Security Clearance Process

Workforce planning: The Defense Counterintelligence and Security Agency has yet to complete strategic workforce planning for its personnel-vetting workforce (e.g., investigators, adjudicators).

Improving and Modernizing Federal Disability Program

Staffing: The Social Security Administration has experienced a decrease in the number of staff responsible for processing initial disability claims and deciding appeals.

Improving Federal Management of Programs that Serve Tribes and Their Members

Skills and workforce planning: The Bureau of Indian Affairs needs to assess its workforce composition, continue identifying critical skills, and take steps to address inadequate resources and staff at some offices without the right skills to meet the agency’s goals and tribal priorities.

Improving the Management of IT Acquisitions and Operations

Workforce planning: Nine of the 24 major federal agencies have yet to fully implement our prior IT workforce recommendations, such as recommendations addressing key IT workforce planning practices.

Department of Health and Human Services Leadership and Coordination of Public Health Emergencies

Skills and workforce planning: Some components within the Department of Health and Human Services, such as the Administration for Strategic Preparedness and Response and the Food and Drug Administration, have not conducted certain key workforce planning practices. This could affect the components’ ability to fully meet their lead roles in the nation’s preparedness and response to public health emergencies.

Management of Federal Oil and Gas Resources

Staffing and workforce planning: The Bureau of Land Management has yet to develop an agency-wide strategic workforce plan that reflects emerging mission goals and includes long-term strategies for acquiring, developing, and retaining needed staff.

Managing Federal Real Property

Training: The Federal Protective Service needs to fully implement its tracking system intended to ensure that the contract guard workforce receives the proper training to perform its duties.

Managing Risks and Improving Department of Veterans Affairs Healthcare

Staffing and training: The Department of Veterans Affairs (VA) has yet to develop an enterprise-wide annual training plan and metrics to measure efforts to recruit health care professionals.

National Aeronautics and Space Administration Acquisition Management

Workforce planning: The National Aeronautics and Space Administration needs to develop a workforce planning process to better address longer-term workforce challenges that could affect the success of the Artemis missions that plan to return astronauts to the moon.

Protecting Public Health through Enhanced Oversight of Medical Products

Staffing and workforce planning: The Food and Drug Administration needs to develop tailored strategies to recruit and retain investigators who inspect overseas facilities.

Resolving the Federal Role in Housing Finance

Workforce planning: The Government National Mortgage Association (Ginnie Mae) relies heavily on contractors for many functions and has analyzed the optimal mix of contractor and in-house staff. Ginnie Mae needs to shift some staff from contractor to in-house status, which will occur in phases over multiple years.

Strengthening Department of Homeland Security IT and Financial Management Functions

Skills, staffing and workforce planning: The Department of Homeland Security continues to face broad challenges in workforce planning, employee skills gaps, and employee morale.

Strengthening Management of the Federal Prison System

Staffing and workforce planning: The Bureau of Prisons has yet to implement a reliable method for assessing its staffing levels to fill vacancies and address the growing use of overtime. This situation poses a serious threat to inmate and staff safety.

Transforming the Environmental Protection Agency's Process for Assessing and Controlling Toxic Chemicals

Staffing and workforce planning: The Environmental Protection Agency has yet to address key workforce planning challenges, such as establishing recruitment targets to fill the technical positions necessary to clear a backlog of chemical reviews.

U.S. Government's Environmental Liability

Employee engagement: Frequent reorganizations within the Department of Energy (DOE) have contributed to low morale among employees. It has also slowed cleanup work. Thus, DOE must establish a communication strategy to more fully engage its workforce in developing and implementing reforms.

VA Acquisition Management

Staffing and workforce planning: VA lacks the comprehensive data needed to track the totality and characteristics of its acquisition workforce. This hampers its ability to make data-driven human capital decisions.

Source: GAO analysis of prior work. | GAO-23-106203

What Remains to Be Done

Since we added this area to our High-Risk List in 2001, we have made many recommendations to OPM and other federal agencies focused on this high-risk area and related human capital issues. As of February 2023, 138 recommendations remain open. Twenty-eight of those recommendations concern OPM and skills gaps issues. The remaining 110 concern federal agencies. Additional progress could be made if agencies were to implement open recommendations. For example:

  • In our May 2020 report examining drug education and treatment programs at the Bureau of Prisons (BOP), we recommended and the Department of Justice agreed that BOP develop and document methods for determining the number of additional staff needed to support the expansion of its medication-assisted drug treatment program—a key program related to inmate rehabilitation.
  • Senior officials with the Department of Energy (DOE) have raised concerns that their federal acquisition workforce does not have enough staff with the right skills to manage risks associated with contracting and acquisition processes. In November 2021, we recommended and DOE agreed that the agency should conduct a thorough analysis to identify skills gaps within its acquisition workforce. It also must develop strategies to close these gaps.
  • In February 2023, we recommended that OPM establish an action plan that addresses skills gaps identified in its workforce assessment, either as an update to its Human Capital Operating Plan or a separate effort. OPM agreed with our recommendation. It reported that the agency plans to develop and implement an action plan to address OPM’s specific skills and competency gaps.

Benefits

More than 200 benefits have been achieved through the implementation of several of our recommendations. For example:

In May 2017, we recommended that the National Weather Service (NWS) develop a strategic human capital plan that includes an evaluation of its actions to reduce its hiring backlog and sustain a highly skilled workforce. In response to our recommendation, NWS developed a plan in January 2020. It includes strategies to streamline its hiring processes and metrics to evaluate whether these strategies are creating hiring efficiencies. NWS senior leadership reviews these metrics every pay period to assess whether the strategies are improving hiring efficiency, and achieving NWS's goal to sustain the workforce capacity and skills needed to meet the agency's evolving mission needs.

In October 2019, we recommended that the Veterans Health Administration (VHA) develop a succession planning process that focused on current and future mission requirements rather than on filling existing vacancies with people having the same occupational skills. In response to our recommendation, VHA issued a new workforce and succession plan in July 2022. It includes, among other strategies, a process for identifying a talent pool to fill potential medical center director vacancies. VHA's succession plan and related guidance now incorporate monitoring and evaluations into VHA's succession planning process. This, in turn, will help VHA assess the effectiveness of its planning and identify emerging challenges.

To assist in addressing workforce skills gaps, the Federal Cybersecurity Workforce Assessment Act of 2015 requires agencies, including OPM, to assign work role codes to filled and vacant positions that perform IT, cybersecurity, or cyber-related functions. In March 2019, in response to our recommendation, OPM reviewed and assigned appropriate cybersecurity codes to its IT management positions. This will ensure that the agency will have more reliable information to improve workforce planning.

Contact Information

For additional information about this high-risk area, contact Dawn G. Locke at (202) 512-6806 or LockeD@gao.gov.

Managing Federal Real Property

The federal government could better manage its real property portfolio by effectively disposing of unneeded buildings, collecting reliable real property data, and improving the security of federal facilities.

Why Area Is High Risk

Federal agencies have long struggled with excess and underutilized space, which costs millions of dollars. The amount of space identified as excess is likely to increase as agencies re-evaluate their space needs after the COVID-19 pandemic. However, the process for disposing of federal assets remains complex.

The General Services Administration’s (GSA) efforts to improve the accuracy of addresses in its Federal Real Property Profile database have yet to show tangible results. This makes it difficult to manage federally owned assets.

To ensure the security of federal facilities, the Department of Homeland Security’s (DHS) Federal Protective Service (FPS) has developed two new guard training and monitoring systems. However, currently, they are neither completely implemented nor interoperable.

As we reported in October 2022, the value of deferred maintenance and repairs by civilian federal agencies increased 50 percent from fiscal year 2017 through fiscal year 2021 to $76 billion. We plan to monitor the increase in deferred maintenance through future work to determine the potential causes. We will also determine if it should be included as a part of the managing federal real property high-risk area in future high-risk updates.

Overall ratings for all five criteria remain unchanged since 2021. However, for one of the three segments that comprise this high-risk area—Excess and Underutilized Property—ratings decreased to not met for the capacity and demonstrated progress criteria. The following sections present more detailed information on the three segments summarized in the overall rating.

Excess and Underutilized Property

Leadership commitment: met. In July 2022, an Office of Management and Budget (OMB) memorandum required agencies to restart their annual planning process by developing and submitting agency-wide real property capital planning documents. The memorandum instructed agencies to define the real property resources required for the immediate post-re-entry workplace environment. It also called for them to incorporate evidence-based utilization data into future space requests. OMB requested agencies to submit plans by December 16, 2022. By the end of February 2023, all but two CFO Act agencies had submitted their plans, according to OMB officials.

Capacity: decreased to not met. The Federal Assets Sale and Transfer Act of 2016 (FASTA) established a new, temporary process to increase the federal government’s capacity to, among other things, identify and dispose of unneeded assets. However, GSA and other stakeholders faced setbacks implementing the FASTA process, including delays in selling properties approved for disposal. In October 2022, we found that GSA did not have an approach to leverage knowledge gained from these setbacks. We recommended that GSA collect, share, and apply lessons learned to improve the 2024 round and future disposal efforts.

Action plan: met. OMB’s July 2022 memorandum provides an action plan for agencies to right size their assets based on workplace usage assessments.

Monitoring: partially met. OMB and GSA continue to monitor progress in meeting space-reduction targets using the government-wide real property database called the Federal Real Property Profile. However, the database is not yet sufficiently reliable to produce accurate results.

In addition, we recently concluded that, as agencies begin to assess their federal space needs after the pandemic, GSA is taking steps to make cost-effective decisions through the collection of data on how often employees report to federal offices. However, not all federal agencies have access to or are aware of information on the benefits and costs such data provide. As we recommended in September 2022, GSA should develop a plan to broadly share the information from its space utilization data collection efforts with federal agencies.

Demonstrated progress: decreased to not met. FASTA created the independent Public Buildings Reform Board (Board) to help support a new, temporary three-round process for reducing the federal government’s inventory of federal civilian real property. As we reported in 2019, the Board was sworn in and worked with OMB, GSA, and other federal agencies to identify and recommend the first round of high-value properties for disposal. However, as we reported in October 2022, GSA and other stakeholders have faced setbacks implementing the FASTA process. These setbacks include delays in selling the high-value properties and the Board did not have an executive director and the Board lacked the quorum required to make certain decisions at that time. As of November 2022, the Board reached the quorum required to conduct business.

The 2019 round required the Board to identify at least five “high-value properties” with a combined estimated total fair-market value between $500 million and $750 million for potential sales. As of October 2022, the 2019 round resulted in the sale of 10 properties for a total of $194 million. In addition, the Board submitted its initial list of recommendations for the next round in 2021. However, OMB rejected the submission because it lacked sufficient financial planning, among other issues. The round was later terminated.

Data Reliability

Leadership commitment: met. GSA and the Department of Defense (DOD) continue to demonstrate leadership commitment in improving their data reliability. For example, GSA added goals to its fiscal year 2022-2026 strategic plan to improve the accuracy of its government-wide real property data in the Federal Real Property Profile database. DOD also committed to a timeline for improving its Real Property Assets Database.

Capacity: met. The government continues to take actions to increase the capacity of agencies to submit accurate data. In November 2020, the Federal Real Property Council—which established the Federal Real Property Profile database with GSA—and the council’s data governance working group developed the geospatial validation tool. Agencies can use the tool to help identify incorrect or incomplete location data in the database and make it available to executive agencies. GSA officials said they would monitor the effect of the geospatial tool in the fiscal year 2022 data that GSA will release in 2023.

Action plan: met. In March 2020, the Federal Real Property Council developed and later implemented its corrective action plan to improve the location data on federal assets in response to our February 2020 report. In addition, GSA added goals to its current strategic plan to address data anomalies in the Federal Real Property Profile database.

DOD is also taking steps to improve its real property data. In February 2020, DOD shared its strategy to improve the coordination of corrective action plans to remediate discrepancies in its real property data system. While DOD's estimated completion date for these actions was September 2022, it yet to demonstrate that these actions have been completed.

Monitoring: partially met. As part of the strategic plan to improve the accuracy of government-wide real property data, GSA set a goal to reach 75 percent accuracy for its fiscal year 2022 data set. GSA plans to release the data set later in 2023. Further, GSA found that data anomalies decreased from 15 percent in 2019 to 12 percent in 2020. However, in February 2020, we found that 67 percent of building addresses in the Federal Real Property Profile database were incorrectly formatted or incomplete. This made locating specific buildings difficult.

Demonstrated progress: not met. GSA must rely on federal agencies to submit accurate data to the Federal Real Property Profile database. However, GSA’s Validation and Verification process has ineffectively addressed key errors in the data (see figure 10). For example, GSA published the fiscal year 2021 data. However, agency officials said that the data still contain errors in geolocation information like the ones we identified in 2020. As noted earlier, GSA officials said that they expect the improvements they made to materialize in the fiscal year 2022 data that GSA will release in 2023.

Figure 10: Federal Assets Incorrectly Identified by General Services Administration’s Validation and Verification Process as of February 2020

Facility Security

Leadership commitment: met. The DHS-chaired Interagency Security Committee—established by executive order to set facility security standards—continues to implement its Risk Management Process. The Risk Management Process is a consolidated set of standards required of executive branch agencies for physical security at nonmilitary federal facilities. In addition, FPS continues to take action to address our recommendations to improve building security, including addressing emerging security threats.

Capacity: partially met. The Federal Aviation Administration and the Department of Veterans Affairs have taken some steps to implement our October 2017 and January 2018 recommendations to assess their facility security policies, such as drafting an updated facility security policy. However, they both need to finalize their assessments of these policies consistent with the Interagency Security Committee standards.

Action plan: met. As we reported, the relevant agencies finalized a memorandum of agreement clarifying their respective roles and responsibilities for courthouse security. In addition, FPS and GSA finalized a joint security strategy in 2020.

Monitoring: partially met. In 2019, FPS developed two systems to oversee its contract guard workforce—one that tracks training and one that manages the contract guard workforce. However, FPS has not fully implemented the system that manages the contract guard workforce. Also, the two systems are not yet fully interoperable.

In addition, in FPS’s fiscal year 2022-2026 strategic plan, FPS did not identify performance measures for its strategic objectives of modernizing the FPS infrastructure and developing the FPS workforce, such as training for FPS officials. We recommended that FPS should fully develop performance measures for each strategic objective in its strategic plan. FPS should also and ensure that each of these measures has a related performance target.

Demonstrated progress: partially met. As we reported in 2021, FPS has developed its guard management and guard training system. However, FPS must demonstrate the effectiveness of its guard management system. It also must ensure that the two systems are integrated to help FPS obtain information to assess its guard’s capability to address security risks across its portfolio.

For some federal facilities, such as the U.S. Capitol, responsibility for security is primarily handled by organizations other than FPS. Following the attack on the U.S. Capitol on January 6, 2021, we recommended in February 2022 that the Capitol Police and the Capitol Police Board—which oversees the Capitol Police—finalize and document procedures for obtaining outside assistance in an emergency, address security risks, and consider security recommendations.

What Remains to Be Done

GSA should help federal agencies improve the disposal of excess and underutilized property by

  • applying lessons from the FASTA process to improve the property disposal process; and
  • sharing utilization data to improve agencies’ ability to assess how much space they need.

GSA should help federal agencies improve their data reliability and DOD should improve its data reliability by

  • coordinating with agencies to ensure street address information in the public database is accurate; and
  • coordinating with military services on corrective action plans to remediate discrepancies in its real property data system.

FPS, the United States Capitol Police, and the Capitol Police Board should ensure the security of federal facilities by

  • ensuring FPS’s strategic plan includes performance measures for each strategic objective in its strategic plan and that each of these measures has a related performance target.
  • finalizing and documenting the procedures for the United States Capitol Police and the Capitol Police Board for obtaining outside assistance in an emergency, addressing security risks, and considering security recommendations.

Benefits

Progress in managing the federal real property high-risk area over the past 17 years resulted in more than $3 billion of dollars in financial benefits and more than 200 other benefits. For example:

  • Decreased lease costs led to a narrowing in scope of this high-risk area in 2011. In 2021, we found that the Costly Leasing segment is no longer a high-risk concern. Benefits include $3.6 billion in savings and an estimated additional savings of $4.7 billion in lease cost avoidances through 2023.
  • As we recommended in June 2012, OMB, in collaboration with the Federal Real Property Council, issued the 2015-2020 National Strategy for the Efficient Use of Real Property.
  • As a result of the memorandum of agreement between FPS, GSA, the judiciary, and U.S. Marshals Service, FPS officials said that FPS has formed an Interagency Judicial Security Committee to establish a shared resource management strategy. FPS has also developed shared business processes and policies related to faculty security, among other initiatives.

Contact Information

For additional information about this high-risk area, contact Catina Latham at (202) 512-2834 or lathamc@gao.gov.

Funding the Nation’s Surface Transportation System

Congress should pass a sustainable funding solution for surface transportation.

Why Area Is High Risk

The nation’s surface transportation system—including highways, transit, maritime ports, and rail systems that move both people and freight—is aging and faces increasing demands on its use. At the same time, revenues from motor fuel and truck-related taxes supporting the Highway Trust Fund—the major source of federal surface transportation funding—are currently insufficient to repair and upgrade this system. Because projected spending will exceed these tax revenues, it is also important that federal funding for surface transportation provided to states and other grantees through Department of Transportation (DOT) programs be spent wisely and effectively.

Since our last high-risk update in 2021, Congress passed the Infrastructure Investment and Jobs Act (IIJA). IIJA provided approximately $541 billion in funding for surface transportation for fiscal years 2022 through 2026. This amount included about:

  • $158 billion appropriated from the General Fund, and
  • $383 billion authorized to be appropriated from the Highway Trust Fund. In a separate action, Congress also transferred $118 billion in general revenue from the General Fund to the Highway Trust Fund. This transfer supports spending levels for surface transportation and covers projected revenue shortfalls.

The revenues supporting the Highway Trust Fund are eroding. For example, the 18.4 cent-per-gallon federal tax on gasoline, when priced in 1993 dollars, has about half of the purchasing power relative to its value when federal motor fuel taxes were last raised in 1993. Moreover, the growing adoption of fully electric vehicles may further reduce revenues available from motor fuel taxes. Before this most recent transfer, the Congressional Budget Office (CBO) projected that Highway Trust Fund spending would have exhausted available revenues in 2022.

Congress has cumulatively transferred about $273 billion in general revenue to the Highway Trust Fund over 10 occasions from 2008 through 2021, including $118 billion under IIJA. These transfers each represented a one-time infusion of funding instead of a sustainable long-term source of revenues. Following IIJA’s 2021 enactment, CBO projected in February 2023 that Highway Trust Fund spending would exhaust available revenues beginning in 2028. The agency added that an additional $208 billion would be required to maintain current spending levels plus inflation through 2032 (see fig. 11).

Figure 11: Projected Cumulative Highway Trust Fund Balance, Fiscal Years 2023 through 2032

Note: This projection reflects the $118 billion in general revenue that was transferred to the Highway Trust Fund under the Infrastructure Investment and Jobs Act in 2021. This projection also assumes no further augmentation of highway-related taxes to the Highway Trust Fund after 2022 from general revenues or other sources. By law, the Highway Trust Fund cannot incur negative balances.

To inform congressional efforts to align surface transportation revenues with spending and improve how effectively revenues are spent, we have recently examined (1) user-based funding approaches to supplement eroding revenues from fuel taxes, and (2) DOT’s use of discretionary grant programs to better target existing spending.

User-based funding alternatives. In January 2022, we reported on a Federal Highway Administration program that provided grants to states to pilot and research user-based revenue mechanisms to support the Highway Trust Fund as alternatives to federal motor fuel taxes. Most participating states used program funds to explore mileage fee systems, which charge drivers a fee based on their miles driven.

We found that the Federal Highway Administration has not established criteria to identify whether state pilot approaches could be expanded or applied nationwide to collect revenues to support the long-term solvency of the Highway Trust Fund. Such criteria could include examining whether the use of technologies to track and report mileage deployed in various pilot projects would be feasible or cost effective in a national system. Doing so would better position the Federal Highway Administration to provide information to Congress on the potential of a national mileage fee system to help maintain the long-term solvency of the Highway Trust Fund. DOT agreed with this recommendation. The agency plans to work with subject matter experts to develop these criteria in 2023.

Discretionary grants. IIJA authorized several new surface transportation discretionary grant programs and provided increased funding for many existing programs. In April 2022, we reported on the Infrastructure for Rebuilding America discretionary grant program. We also identified concerns about DOT’s grant review and award process. We found that DOT did not consistently detect or correct inaccurate grant application evaluations. This increased the risk of an ineligible project being awarded funds. As a result, DOT lacks assurance that it is awarding projects that will best address national priorities and achieve the department’s goals. DOT agreed with our recommendation. However, as of February 2023, DOT had not implemented it.

In our reviews over the last decade, we have found numerous challenges with DOT’s management of its discretionary grant programs. In particular, we have found DOT’s approach to evaluating and awarding its discretionary grants has been neither consistent nor transparent. In addition, its decision-making rationale has sometimes been unclear. While discretionary grant programs can help target federal transportation spending, for this to be achieved, DOT should enhance the clarity and transparency of its evaluation process and rationale for making awards.

Congressional Actions Needed

Passage by Congress of a long-term, sustainable plan for funding surface transportation—as we recommended in 2008—is the pivotal action that will determine whether this issue remains or is removed from the High-Risk List.

What Remains to Be Done

Since 2007, we have made numerous recommendations to DOT focused on this high-risk area, 11 of which remain open. DOT could help inform congressional efforts to align revenues and spending as well as to more effectively use existing funding by implementing open recommendations such as:

  • Developing and applying criteria to assess whether state mileage fee pilot projects could be expanded or applied nationwide; and
  • Developing department-wide guidance for its discretionary grant programs to ensure that awards for surface transportation projects are made consistently and transparently. In July 2022, we identified this recommendation as a priority for DOT implementation. However, as of February 2023, DOT had not implemented it.

Benefits

Financial benefits to the federal government related to our work in this high-risk area over the past 17 years totaled more than $500 million. There were also more than 30 other benefits to the federal government due to progress in this high-risk area over the past 17 years. For example:

  • The Moving Ahead for Progress in the 21st Century Act included provisions to move toward a more performance-based surface transportation program by establishing national performance goals in areas such as infrastructure condition, safety, and system performance. Prior to these actions, our work highlighted that, historically, most federal surface transportation programs inadequately tie grant awards to federal goals and performance. We recommended that Congress consider modifying federal surface transportation programs to do so.
  • In 2018, DOT developed a plan that articulated the agency’s goals for the transition to a performance-based approach for funding surface transportation, as well as timelines and specific activities for achieving each goal. Our work had found that DOT needed to develop an implementation plan for the agency’s transition to a performance-based approach. We recommended that it do so.

Contact Information

For additional information about this high-risk area, contact Elizabeth Repko at (202) 512-2834 or repkoe@gao.gov.

Modernizing the U.S. Financial Regulatory System

Financial regulators need to strengthen systemic risk oversight, and Congress may want to consider options to address inefficiencies and inconsistencies that hamper the financial regulatory system.

Why Area Is High Risk

The U.S. financial regulatory structure remains complex. Responsibilities are fragmented among a number of regulators with overlapping authorities. For example, multiple forms of overlap exist among the regulators who perform safety and soundness oversight of depository institutions. The current structure continues to introduce significant challenges for efficient and effective oversight of financial institutions and activities. We added this area to the High-Risk List in response to weaknesses in the financial regulatory system highlighted during the 2007–2009 financial crisis. Modernizing the U.S. financial regulatory system and aligning it to current conditions is essential to ensuring the stability of the financial system.

Recent events have highlighted continued challenges in the regulatory system. In March 2023, bank failures and regulators’ emergency response raised concerns about the effectiveness of bank supervision. We are examining the supervisory actions leading up to these failures and the effectiveness and implications of regulators’ response based on Congressional requests and statutory authority.

Since our 2021 high-risk report, ratings for all five criteria remain unchanged. Actions are needed by financial regulators and Congress to address this high-risk area.

Leadership commitment: partially met. Since policymakers enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in July 2010, financial regulators have finalized rules to implement its rulemaking requirements. While the act included provisions to better position the financial regulatory system to address financial stability risks, it generally left the financial regulatory structure unchanged. In February 2016, we reported that remaining fragmentation and overlap in the structure have created inefficiencies in regulatory processes and inconsistencies in how regulators oversee similar types of institutions. For example, securities and derivatives markets have become increasingly interconnected. In addition, regulation of these markets by separate agencies has been duplicative and inconsistent at times.

In 2023, we plan to publish a report on the regulation of blockchain-based financial products and services. This report will examine gaps in the regulatory authority of federal financial regulators and coordination across the regulators in regulating these products and services.

Capacity: partially met. The Dodd-Frank Act created the Financial Stability Oversight Council (FSOC). The act also included other provisions to increase the financial regulatory system’s capacity to identify and address risks to the nation’s financial stability. Most of these reforms have been implemented. The May 2018 Economic Growth, Regulatory Relief, and Consumer Protection Act also modified certain provisions of the Dodd-Frank Act, including by relieving small banks from certain regulatory requirements.

In February 2016, we reported that FSOC’s legal authorities may not allow it to respond effectively to certain systemic risks, such as risks from financial activities spanning multiple entities. Specifically, FSOC can recommend but not compel regulators to act with respect to systemic risk arising from such activities. In 2023, we plan to publish the results of a review of FSOC’s use of its authorities and governance structure to address threats to financial stability.

Action plan: partially met. FSOC’s annual report has served as the council’s key accountability document. Each report discusses the progress regulators have made in implementing reforms, identifies newly emerging threats, and includes recommendations to address them.

In December 2020, we reiterated our concern that FSOC’s authorities are limited with respect to risks that arise from financial activities spanning multiple entities. In addition, we reported that FSOC does not conduct scenario-based exercises where participants discuss roles and responses to hypothetical emergency scenarios. As a result, FSOC is missing an opportunity to enhance its preparedness and response to financial stability risks.

FSOC’s annual reports have highlighted the need for regulatory actions to mitigate the vulnerability of certain money market mutual funds to large and unexpected redemptions by investors (called runs). During the 2007-2009 financial crisis, such runs led to severe market disruptions. The Securities and Exchange Commission (SEC) implemented reforms in 2010 and 2014 intended to help address this vulnerability. However, many money market mutual funds experienced runs around the onset of the COVID-19 pandemic. In February 2023, we reported that SEC proposed additional reforms intended to further reduce the risk of runs. Money market mutual funds, industry associations, and other stakeholders had mixed views on whether the proposed reforms would reduce the risk of runs.

Monitoring: partially met. FSOC monitors and reports on indicators of financial stability and potential emerging threats to financial stability. In addition, in 2018, the Federal Reserve began publishing an annual financial stability report that includes its assessment of the U.S. financial system. The Federal Reserve’s stress test programs have also played a key role in supervisory efforts to evaluate and maintain financial stability.

In November 2016, we recommended that the Federal Reserve enhance the effectiveness of these stress test programs by further assessing—and adjusting as needed—the severity of the stress scenarios and other aspects of the test design. Since then, the Federal Reserve has taken steps to enhance its stress testing programs. However, continued actions are needed to improve communication and management of model risk (e.g., accounting for sensitivity of stress test model results). These actions include having a process to communicate information about sources of uncertainty in stress test results concerning financial companies. In September 2020, we also highlighted opportunities for the Department of the Treasury to improve the tracking and prioritization of cyber risk mitigation efforts in the financial services sector according to goals established by the sector. Treasury generally agreed with the recommendations, which remain open.

Demonstrated progress: partially met. The agencies and oversight bodies created under the Dodd-Frank Act have taken actions toward carrying out their missions and coordinating efforts. In March 2021, we noted that Treasury’s Office of Financial Research and the Federal Reserve had taken steps to reduce potential duplication and ensure comprehensive efforts to monitor systemic risks.

As we reported in March 2021, financial regulators can take additional steps to strengthen oversight of systemic risk and improve the efficiency and effectiveness of the financial regulatory system. For example, the Federal Reserve should continue to enhance its stress test programs. In addition, Treasury should improve tracking of its cyber risk mitigation efforts in the financial services sector.

What Remains to Be Done

As of February 2023, there are eight open recommendations to various regulators. For example:

  • The Federal Reserve should design and implement processes to (1) communicate information about the range and sources of uncertainty surrounding the post-stress capital ratio estimates, and (2) articulate tolerance levels for key risks identified through sensitivity testing as well as the degree of uncertainty in the projected capital ratios.
  • Treasury should track and prioritize the financial services sector’s cyber risk mitigation efforts and update the sector’s cyber risk mitigation plan with metrics and other information.
  • We reported concerns in 2020 that FSOC does not conduct scenario-based exercises where participants discuss roles and responses to hypothetical emergency scenarios. We recommended that Treasury, in consultation with FSOC members, should incorporate regular scenario-based exercises into its risk-assessment activities to evaluate individual FSOC member and collective capabilities for responding to crises.

Congressional Actions Needed

Weaknesses in the U.S. financial regulatory structure can be further addressed through additional congressional attention and leadership. We recommended the following actions in February 2016 (GAO-16-175):

Congress should consider whether legislative changes are necessary to align FSOC’s authorities with its mission to respond to systematic risks. Congress could do so by changing FSOC’s mission, its authorities, or both, or the missions and authorities of one or more of the FSOC member agencies.

Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services.

Benefits

There are 69 benefits to the federal government due to progress in this high-risk area including improvements to:

  • collaboration among FSOC and its member agencies on identifying and addressing threats to financial stability;
  • the implementation of key financial stability reforms under the Dodd-Frank Act, such as stress testing for large financial institutions; and
  • financial regulators’ efforts to assess the effectiveness of Dodd-Frank Act reforms including steps taken to strengthen their regulatory analyses.

Contact Information

For additional information about this high-risk area, contact Michael Clements at (202) 512-8678 or clementsm@gao.gov.

Resolving the Federal Role in Housing Finance

Congress should establish objectives for the federal role in housing finance and craft a plan to end the Fannie Mae and Freddie Mac conservatorships under the Federal Housing Finance Agency (FHFA). Also, housing agencies should implement our open recommendations to improve oversight.

Why Area Is High Risk

The federal role in housing finance expanded during the 2007–2009 financial crisis and remains large. We designated this area as high risk because of the government’s large fiscal exposure and because objectives for the future remain unestablished.

As of December 31, 2022, the Federal National Mortgage Association (Fannie Mae) and Federal Home Loan Mortgage Corporation (Freddie Mac)—collectively, the enterprises—had received $191.4 billion in capital support from the Department of the Treasury. If the enterprises were to incur major future losses, they would draw needed amounts from their remaining $254.1 billion in Treasury commitments. The federal government also supports mortgages through insurance and guarantee programs. For example, the Federal Housing Administration (FHA) has an insured portfolio of single-family mortgages of more than $1.2 trillion. The Government National Mortgage Association (Ginnie Mae) guarantees the performance of about $2.3 trillion in mortgage-backed securities with FHA or other federal support.

Since the 2021 High-Risk List, our ratings for the five criteria remain unchanged. In addition, Congress and housing agencies need to address this area.

Leadership commitment: partially met. Housing and regulatory agencies continued to demonstrate leadership commitment. The 2019 housing finance reform plans issued by Treasury and the Department of Housing and Urban Development (HUD) identified recommendations aligning with our housing finance reform framework. They included steps to ensure Fannie Mae, Freddie Mac, and FHA’s mortgage insurance programs are financially sound. In January 2022, we reported that some steps were implemented. Additionally, the current administration has stated its interest in helping shape future reforms.

In 2022, FHFA introduced new public disclosure and reporting requirements for the enterprises. These include public quarterly quantitative and annual qualitative disclosures for areas such as risk management and capital requirements and buffers. Also, FHFA is requiring the enterprises to submit their first capital plans by May 20, 2023, including an assessment of expected sources and use of capital over the planning horizon.

Statutory changes are still needed to resolve the federal role in housing finance. While Congress held hearings on reform, it has yet to enact legislation establishing objectives for the future or a plan to end the enterprises’ conservatorship.

Capacity: partially met. The enterprises have generally operated profitably since 2012. FHFA has directed them to transfer significant credit risk to the private market. The enterprises also increased their combined capital reserves to $97 billion. However, this figure remains well below what they may need to be sufficiently capitalized. Similarly, each enterprise’s risk-based capital ratio levels remain below required levels established in the enterprise regulatory capital framework for when they exit conservatorship (or a later date established for compliance with these levels).

FHA’s Mutual Mortgage Insurance Fund has met its statutory minimum capital requirement annually since fiscal year 2014. However, the requirement is not based on a specified risk threshold. We have previously recommended that Congress consider specifying the economic conditions the fund would be expected to withstand without substantial risk of drawing on supplemental funds, and requiring FHA to comply with a capital ratio consistent with these conditions.

In 2022, Ginnie Mae implemented our recommendation to evaluate whether its guaranty fee for single-family mortgage-backed securities provides sufficient reserves to cover potential losses. In 2023, Ginnie Mae implemented our recommendations to (1) analyze the costs of using contractors for its operations and develop a plan to determine the optimal mix of contractor or in-house staff, (2) assess contract administration options to determine the most efficient and effective use of funds, and (3) assess the costs and benefits of options to revise its compensation structure. Continued growth in Ginnie Mae’s guaranteed portfolio—$150 billion from September 2021 to December 2022—and the ongoing role of nonbank securities issuers have increased its potential loss exposure.

Action plan: partially met. Federal agencies have taken steps to strengthen the mortgage finance system. In 2020, FHFA finalized a new regulatory capital framework for the enterprises to better prepare them for exiting conservatorship. In 2022, FHFA and Ginnie Mae issued updated minimum financial eligibility requirements for entities selling loans to or servicing loans for the enterprises, and for Ginnie Mae issuers. The requirements incorporated lessons learned from pandemic-related market events. Housing and regulatory agencies also took steps on most of the administrative recommendations in HUD and Treasury’s 2019 plans.

Monitoring: partially met. Federal agencies have taken steps to provide monitoring tools for assessing housing finance system changes. For example, FHFA and the Consumer Financial Protection Bureau have a joint initiative—the National Mortgage Database Program—that collects residential mortgage data. This could be used to help examine the effect of mortgage market reforms.

However, FHFA Office of Inspector General (OIG) reports found deficiencies in FHFA’s oversight and monitoring of the enterprises. These include deficiencies in the application of examination guidance, communication of quality control review results, and reporting on conservatorship activities. The FHFA OIG continues to list enterprise supervision and conservator operations among FHFA’s top performance and management challenges. It also cited the need for strengthening controls over agency operations.

Demonstrated progress: not met. It will be difficult to resolve the federal role in housing finance until Congress enacts changes to the housing finance system. Assessing progress against specific goals is not possible until Congress provides a blueprint for the future federal role or the enterprises’ future structure. The ongoing conservatorships could create uncertainties for market participants. In addition, any future economic downturns could adversely affect the enterprises’ portfolios.

What Remains to Be Done

Since adding this area to the High-Risk List in 2013, we have made numerous related recommendations, including three since March 2021. As of March 2023, seven recommendations remain open. For example:

  • HUD and Treasury, as part of developing future housing finance reform plans, should consider recommendations from the 2019 plans that could help address system vulnerabilities and ensure future plans address all our framework elements.
  • FHA should develop a formal plan for evaluating the outcomes of a preconveyance inspection pilot that includes key elements of evaluation design—such as evaluation objectives and measures—and uses participant feedback and control groups, as appropriate.

Congressional Actions Needed

As of March 2023, seven matters for congressional consideration remain open. For example, we maintain Congress should consider

  • legislation that establishes objectives for the future federal role in housing finance, including the enterprises’ structure, and a transition plan to a reformed system that enables the enterprises to exit federal conservatorship, and considers the role of all relevant federal entities, including FHA and Ginnie Mae;
  • reforming Ginnie Mae's oversight structure to help address increasing risks; and
  • specifying the economic conditions FHA’s Mutual Mortgage Insurance Fund would be expected to withstand without substantial risk of drawing on supplemental funds, and requiring FHA to specify and comply with a capital ratio consistent with these conditions.

Benefits

Financial benefits to the federal government due to progress in this area totaled about $3.9 billion since 2013. In addition, there were 18 other benefits. For example:

  • By March 2022, and in response to a 2019 recommendation, Ginnie Mae had implemented a model to periodically evaluate if its guaranty fee for single-family mortgage-backed securities provides sufficient reserves to cover potential losses. This better positioned Ginnie Mae to understand its ability to absorb losses and whether its guaranty fee is set at an appropriate level.
  • As of September 2021, FHA had established metrics for its reverse mortgage portfolio and evaluated foreclosure prevention options in response to a 2019 recommendation. This allows FHA to better oversee the program and inform Congress on program performance.

Contact Information

For additional information about this high-risk area, contact Jill Naamane at (202) 512-8678 or naamanej@gao.gov.

USPS Financial Viability

The U.S. Postal Service (USPS) should continue taking steps to restore its financial viability and Congress should consider additional changes to USPS’s unsustainable business model.

Why Area Is High Risk

USPS’s financial viability is on our High-Risk List because action is needed to address USPS’s poor financial condition. USPS is required by law to provide nationwide postal service—known as the universal service obligation. It has long been expected to be financially self-sufficient by covering its expenses with revenue generated from its products and services. While USPS and Congress have taken significant actions since our last update, USPS still cannot fully fund its current level of services and financial obligations. First-Class Mail volume—USPS’s most profitable product—will likely continue to decline. In the package delivery market, USPS has been losing volume to its competitors in the past few years. Meanwhile, key costs, such as compensation, have continued to rise. In addition, USPS still has large unfunded liabilities.

Ratings for three of the five criteria improved since 2021 due to significant actions taken by USPS and Congress. The ratings for Capacity, Action Plan, and Demonstrated Progress increased since 2021 due to the enactment of the Postal Service Reform Act of 2022 (the 2022 Act). In addition, USPS introduced and initiated actions under its new strategic plan.

Leadership commitment: partially met. In March 2021, USPS released a new 10-year strategic plan that provides a wide-ranging blueprint for organizational change. The plan includes numerous initiatives intended to achieve key goals, including financial viability. In addition, Congress passed the 2022 Act, which granted USPS significant financial relief. However, Congress should still consider the appropriate institutional structure for USPS, among other things, as we reported in 2020.

Capacity: increased to partially met. Since our last update to the high-risk list, the 2022 Act has improved USPS’s financial capacity. The act repealed a requirement to prepay future retiree health benefits on an annual basis and canceled billions in unpaid past due payments for such prefunding. USPS has taken steps to improve its capacity by increasing its revenue and initiating changes intended to reduce costs. USPS also paid $500 million of its required $1.6 billion fiscal year 2022 payment towards its unfunded liability for Federal Employees Retirement System pension benefits—the first such payment in 11 years.

However, USPS’s business model is still unsustainable. First, USPS’s expenses exceeded revenue by about $5.9 billion in fiscal years 2021 and 2022 due to increasing labor compensation costs and declining mail volumes even though many past due payments were canceled. Second, USPS has stated that it will need to make capital investments to ensure that it can perform its universal service mission. However, its revenue might not fully fund these investments. Finally, even after the 2022 Act’s reduction in USPS’s retiree health care benefits liability, USPS will still have to meet its remaining long-term liabilities and debt—of which USPS’s liability for retiree health and pension benefits is the largest part. As of the end of fiscal year 2022, USPS’s long-term unfunded liabilities and debt totaled about $144 billion or about 184 percent of USPS’s fiscal year 2022 revenue (see fig. 12). USPS has stated that it currently cannot provide postal services and meet all of its statutory obligations.

Figure 12: Total U.S. Postal Service’s Unfunded Liabilities and Debt, Fiscal Years 2007-2022

Note: Fiscal year 2022 amount for unfunded liabilities for pension benefits are estimates as of Sept. 30, 2022.

Based on Office of Personnel Management projections, the fund supporting postal retiree health benefits is estimated to be depleted in the early 2030s even with the changes under the 2022 Act. At that point, USPS intends to pay its share of retiree health care premiums out of its revenues. However, those premiums are likely to be more than $5 billion per year. If USPS is unable to pay these amounts, it could potentially result in some combination of reduced benefits, increased payments from retirees or current employees, higher postage rates, or payments from the federal government to fund these premiums.

Action plan: increased to met. USPS’s new 10-year strategic plan includes strategies intended to achieve financial viability. According to USPS, the strategic plan was developed based on analysis of key challenges facing USPS and the postal industry. USPS plans to carry out more than 150 projects to accomplish these goals. It regularly reports to Congress and the public on its progress with the strategic plan.

Monitoring: met. USPS continues to monitor its financial viability through its independently audited financial reports. These reports provide information on financial trends, such as (1) revenues and expenses; (2) unfunded liabilities; and (3) debt obligations. Furthermore, the 2022 Act requires USPS to create a website of its service performance data for certain products. The 2022 Act also directs USPS to provide additional reports to the President, the Postal Regulatory Commission, and Congress on operational and financial information.

Demonstrated progress: increased to partially met. Since our last update, Congress and USPS have made progress toward achieving financial viability for USPS. For example, the 2022 Act significantly reduced USPS’s long-term unfunded liabilities. USPS’s projects supporting its new strategic plan are intended to, in part, improve USPS’s financial viability. Reporting on these projects is intended to provide senior USPS leadership with the ability to track progress and measure outcomes. USPS is 2 years into its 10-year strategic plan. Much work remains to be done.

What Remains to Be Done

There are no open recommendations related to this high-risk area. However, USPS should continue to take actions under its own authority to enhance its financial viability while still meeting its mission to provide universal postal service.

Congressional Actions Needed

There are four open matters to Congress for this high-risk area:

Benefits

Progress in this high-risk area has resulted in more than $1 billion in financial benefits and more than 20 other benefits since 2006. For example:

  • USPS improved its capital investment process. We found that USPS did not follow all leading practices for capital investments. Subsequently, USPS revised its policy for capital investments, including a process for thorough evaluation of investment alternatives.
  • USPS developed better guidance for its initiatives. Our work found that USPS estimates of expected savings from initiatives had limitations that affect their reliability. Subsequently, USPS established guidance for considering, developing, refining, and approving initiatives.

Contact Information

For additional information about this high-risk area, contact David Marroni at (202) 512-2834 or marronid@gao.gov.

Management of Federal Oil and Gas Resources

To enhance its oversight of oil and gas development on federal lands and waters, the Department of the Interior needs to accurately determine and collect revenue and resolve its human capital challenges.

Why Area Is High Risk

Interior may not be collecting its fair share of revenue from oil and gas produced on federal lands and waters. It also continues to face strategic challenges with managing its workforce. This high-risk area comprises two segments representing these ongoing challenges.

For example, Interior faces challenges with accurately valuing offshore oil and gas tracts and making ongoing updates to regulations for methane and oil and gas measurement. These issues hamper Interior’s ability to ensure the public receives a fair return for resources extracted from federal lands and waters. Interior also faces challenges with filling vacancies within the Bureau of Land Management (BLM) and maintaining the workforce BLM needs to manage millions of acres of public lands. We added this area to our High-Risk List in 2011.

Overall ratings for all five criteria remain unchanged since 2021. Two criteria increased in Revenue Determination and Collection—one of the two segments summarized in the overall rating. Three criteria increased in Human Capital Challenges, the other segment. The following sections present more detailed information on these two segments.

Revenue Determination and Collection

Leadership commitment: increased to partially met. In November 2021, Interior issued a report on revising its approach to setting royalty and rental rates and better accounting for methane emissions. In August 2022, Congress passed the Inflation Reduction Act. The act addressed many of the recommendations in Interior’s report, including increasing royalty and rental rates for new onshore federal oil and gas leases.[16]

However, Interior needs to issue regulations addressing methane emissions related to recommendations we made in July 2016. It also needs to issue regulations addressing oil and gas measurement related to recommendations we made in April 2015. Interior estimates it will finalize and issue these regulations in fall 2023 and spring 2024, respectively. The new regulations could better ensure accurate calculations of royalties due.

Capacity: partially met. Interior has taken some steps to improve its capacity to address the weaknesses we have identified in its ability to determine and collect revenue. For example, in 2013, we recommended Interior revise its regulations to permit flexibility in onshore oil and gas royalty rates similar to rate flexibility already available to offshore leases. Interior implemented this recommendation in November 2016 when it issued regulations providing the flexibility to set its onshore royalty rate at or above 12.5 percent for competitive leases. In June 2022, Interior used this flexibility to issue onshore leases with an 18.75 percent royalty rate.

Interior officials also stated that the department was committed to taking steps to address deficiencies in its oil and gas IT systems that we identified in May 2021. However, Interior said these steps would not be completed until spring 2023.

Action plan: increased to met. Interior tracks our open recommendations. Officials provided us time frames for implementing these recommendations. As described above, the department also has two ongoing efforts to issue regulations related to methane and oil and gas measurement.

Monitoring: partially met. Interior tracks its progress toward implementing open recommendations. However, Interior’s Office of Natural Resources Revenue (ONRR) needs to establish goals for tracking the amount of oil and gas royalties subject to compliance review, as we recommended in May 2019. ONRR also needs to develop performance measures to assess whether the cases selected for review help ONRR achieve its compliance goals. As of February 2023, Interior officials told us that ONRR planned to implement these recommendations by July 2023.

Demonstrated progress: partially met. Since 2011, Interior has implemented more than 50 of our recommendations related to revenue determination and collection. For example, BLM recently conducted training and a survey on commingling (when oil and gas are combined from multiple leases before being measured for royalty purposes). These actions were necessary to implement one of our April 2015 recommendations. Additionally, Interior is taking steps to implement the nine remaining open recommendations, according to officials.

Human Capital Challenges

Leadership commitment: increased to partially met. BLM has taken some actions to establish a full workforce planning process. This is consistent with recommendations we made in November 2021. For example, in May 2022, BLM created an executive leadership steering committee to guide the workforce planning process. BLM has also hired a contractor to create a strategic workforce plan. However, BLM has yet to develop an agency-wide strategic workforce plan that reflects emerging mission goals and includes long-term strategies for acquiring, developing, and retaining the staff it needs to achieve its programmatic goals.

Capacity: increased to partially met. After BLM merged or transferred several of its headquarters functions and relocated most of its Washington, D.C.-based headquarters staff throughout the West, headquarters vacancies more than doubled from 121 in July 2019 to 326 in March 2020. BLM officials told us they continue to work on developing an agency-wide strategic workforce plan. Completing and implementing this plan will help BLM better address ongoing challenges resulting from the surge of vacancies it experienced after the relocation.

Action plan: increased to partially met. In November 2021, we recommended that BLM develop a strategic workforce plan. BLM has hired a contractor to begin work toward such a plan. BLM needs to ensure the resulting plan aligns its human capital program with mission goals and includes long-term strategies for acquiring, developing, and retaining staff to achieve the bureau’s programmatic goals.

Monitoring: partially met. In November 2021, we recommended that BLM track data on vacancies to gain a complete picture of its staffing needs. While BLM has developed a temporary process to track vacancies, officials said they have yet to identify a tool to track vacancies with the level of accuracy they would like. As of February 2023, agency officials indicated they were continuing to explore options for an electronic vacancy tracking tool as a part of their workforce planning efforts.

Demonstrated progress: partially met. Interior has begun taking steps to address our November 2021 recommendations related to workforce planning and mitigating the effects of recent staff vacancies. For example, in February 2022, BLM began exploring vacancy-tracking tools. Until it identifies a permanent tool with the capability to track vacancies accurately, BLM is using a temporary process to track permanent employee position vacancies within each state office and in headquarters, according to agency officials.

What Remains to Be Done

As of February 2023, nine recommendations related to royalty determination and collection remain open. These include the following:

  • Establish an accuracy goal (such as identifying the number of companies or percentage of royalties subject to compliance activities) that aligns with the agency’s mission of collecting, accounting for, and verifying royalty payments.
  • Develop performance measures (such as having a specified percentage of compliance cases identify findings of royalty noncompliance or total additional royalties) that assess whether the cases the agency is selecting are helping it achieve its compliance goals.
  • Complete ongoing rulemakings related to onshore methane emissions and oil and gas measurement.

Four of our recommendations to Interior related to human capital management remain open as of February 2023, including the following:

  • Ensure bureau leadership incorporates key practices for effective agency reforms prior to implementing reorganization activities at Interior bureaus.
  • Develop an agency-wide strategic workforce plan that aligns the agency's human capital program with emerging mission goals and includes long-term strategies for acquiring, developing, and retaining staff to achieve programmatic goals.

Benefits

Responses to several of our recommendations have resulted in more than $160 million in financial benefits and more than 70 other benefits to the federal government, including the following:

  • Interior has taken steps to assess the effectiveness of its recruitment, relocation, and retention incentives. It has also identified technical competency needs for all key oil and gas staff within BLM, the Bureau of Safety and Environmental Enforcement, and the Bureau of Ocean Energy Management. In addition, Interior developed a process to assess workforce and leadership development policy. As a result, Interior will be better positioned to recruit, train, and retain the staff it needs to oversee onshore and offshore oil and gas activities. This is particularly true if the oil and gas market shifts and industry begins hiring more employees. These actions will also help better ensure Interior is spending its hiring and training funds effectively and efficiently.
  • ONRR is building, testing, and evaluating multiple risk models for selecting cases to verify accurate royalty payments in response to its March 2021 study. The study found the contractor-built risk model ONRR used was ineffective in improving ONRR's case selection. In response to our recommendation that ONNR periodically analyze its risk model’s effectiveness at identifying potential royalty noncompliance for further review, it has stopped using an ineffective risk model. ONNR is developing new risk models to more effectively identify cases to review for compliance.
  • In June 2022, BLM increased royalty rates for its federal oil and gas leases from 12.5 percent to 18.75 percent. This occurred after it previously revised its regulations to allow it flexibility to set royalty rates, as we had recommended. Although we reported in June 2017 that raising federal royalty rates for onshore oil and gas resources could decrease oil and gas production on federal lands, we also reported that higher rates are expected to increase overall federal revenues and better assure a fair return for taxpayers.

Contact Information

For additional information about this high-risk area, contact Frank Rusco at (202) 512-3841 or ruscof@gao.gov.

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

To reduce its fiscal exposure to climate change, the federal government needs a cohesive, strategic approach with strong leadership and the ability to manage risks across the entire range of related federal activities.

Why Area Is High Risk

Numerous studies have concluded that climate change poses risks to many environmental and economic systems and creates a significant fiscal risk to the federal government.

The federal government needs to take government-wide action to reduce its fiscal exposure, including, but not limited to, its roles in five areas: (1) insuring property and crops, (2) providing disaster aid, (3) owning or operating infrastructure, (4) leading a strategic plan to coordinate federal efforts, and (5) providing data and technical assistance to decision makers.

Since 2021, the federal government has continued to partially meet four of the five criteria. The rating for monitoring increased from not met to partially met overall. However, there were significant improvements across the five segments that comprise this high-risk area. For example, ratings for four criteria increased from not met to partially met for the segment Federal Government as Leader of National Climate Strategic Plan.

Congressional action helped lead to improvements in this high-risk area. For example, the Infrastructure Investment and Jobs Act (IIJA), enacted in 2021, among other things, required the Department of Transportation’s guidance to be updated to address resilience in certain contexts. IIJA also provided funding for predisaster hazard mitigation programs. Additionally, the Inflation Reduction Act of 2022, among other things, provided funding for programs related to climate resilience.[17]

The administration also contributed significantly to progress. For example, it issued and began implementing Executive Orders (E.O.) 14008 on Tackling the Climate Crisis at Home and Abroad (January 2021), 14030 on Climate-Related Financial Risk (May 2021), and 14057 on Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability (December 2021). Also, more than 20 federal agencies released climate adaptation and resilience plans followed by initial progress reports on those plans, as directed by E.O. 14008. These executive orders and action plans were important steps toward demonstrating needed leadership commitment and planning to address the government’s fiscal exposure to climate change.

The following sections present more detailed information on the five areas summarized in the overall rating.

Federal Insurance Programs

Leadership commitment: partially met. Congress passed the Inflation Reduction Act of 2022. Among other things, the act included $24.4 billion in appropriations to the U.S. Department of Agriculture (USDA) related to agricultural conservation and forest restoration, including for hazardous fuels reduction, climate mitigation, resilience, and conservation programs. This funding may help farmers and foresters adopt conservation practices that improve climate resilience. However, the federal government needs to take additional actions to improve the long-term resilience of insured structures and crops. It also needs to address structural weaknesses in its insurance programs.

Capacity: partially met. USDA’s Climate Hubs provide information that can help agricultural producers manage climate change impacts and potentially reduce crop losses covered by the federal crop insurance program. However, to help increase capacity further, USDA needs to analyze options for enhancing climate resilience. This includes expanding technical assistance for producers. In addition, the Federal Emergency Management Agency (FEMA) needs to update its planning documents to address challenges in reflecting flood hazards.

Action plan: partially met. In October 2021, USDA and the Department of Homeland Security (DHS)—which includes FEMA—released climate adaptation and resilience plans that identify actions they plan to take to address their most significant climate risks and vulnerabilities. However, USDA needs to, as appropriate, increase its annual adjustments of federal crop insurance premium rates in areas with higher crop production risks.

Monitoring: increased to partially met. In October 2022, USDA and DHS released their first annual climate adaptation and resilience progress reports detailing their implementation of actions identified in their 2021 climate adaptation and resilience plans. However, it is too early to determine the effectiveness of these monitoring mechanisms.

Demonstrated progress: not met. The federal government has not implemented our recommendations to improve the resilience of federally insured property or address structural weaknesses in each program. This includes incorporating climate resilience into the requirements for receiving payments from federal flood and crop insurance programs, updating flood maps to reflect future hazards, and analyzing options to help enhance producers’ climate resilience and incorporating them, as appropriate, into ongoing climate resilience planning.

Disaster Aid and Resilience

Leadership commitment: partially met. The Disaster Recovery Reform Act of 2018 allows the President to set aside certain funds for predisaster hazard mitigation. As a result, FEMA established the Building Resilient Infrastructure and Communities program. Further, IIJA provided $4.5 billion over fiscal years 2022 through 2026 to FEMA for this program as well as its Flood Mitigation Assistance program. To help demonstrate better leadership, the Executive Office of the President should use information on the potential economic effects of climate change to help identify significant climate risks and craft appropriate federal responses.

Capacity: partially met. FEMA’s Building Resilient Infrastructure and Communities program has made about $3.8 billion in mitigation grants available since 2020. In addition, through the Inflation Reduction Act of 2022, Congress appropriated funding to the National Oceanic and Atmospheric Administration to, among other things, enable coastal communities to prepare for changing climate conditions. However, it is too early to tell whether these measures will improve state and local capacity for disaster aid and resilience. Moreover, FEMA has neither determined what steps are needed to address the nation's emergency management capability gaps, nor considered options to better manage fragmentation, such as consolidating disaster recovery programs.

Action plan: increased to partially met. In October 2021, DHS released a strategic framework for addressing climate change. It also introduced a climate action plan outlining actions it plans to take to integrate climate resilience into agency activities. However, FEMA’s 2019 National Mitigation Investment Strategy does not include a strategic approach to identifying and prioritizing specific climate resilience projects for federal investment.

Monitoring: increased to partially met. In October 2022, DHS released its first annual climate adaptation and resilience progress report detailing the implementation of actions identified in the agency’s 2021 climate adaptation and resilience plans. However, it is too early to determine the effectiveness of the monitoring mechanisms described in the plan.

Demonstrated progress: not met. The federal government has not developed the information necessary to account for its fiscal exposure to climate change or a strategy to reduce this exposure.

Federal Government as Property Owner

Leadership commitment: partially met. IIJA required the Department of Transportation to revise the Federal Highway Administration’s emergency relief manual to, among other things, identify procedures states may use to incorporate resilience into emergency relief projects, in line with what we suggested. Additionally, the National Defense Authorization Act for Fiscal Year 2022 directed the Department of Defense to incorporate climate resilience into acquisition, budgeting, and infrastructure planning. The Disaster Resiliency Planning Act, enacted in 2022, required the Office of Management and Budget (OMB) to establish guidance requiring federal agencies to incorporate natural disaster resilience into real property asset management and investment decisions. Further, E.O.s 14008 (January 2021) and 14057 (December 2021) direct federal agencies, among other things, to incorporate climate resilience into their facilities and managed lands. E.O. 14030 (May 2021), among other things, reinstated a flood risk standard for federally funded projects in flood plains.

However, the federal government needs to finalize guidance on how federal agencies should consider climate change in their National Environmental Policy Act reviews when planning federally funded projects.

Capacity: increased to partially met. OMB revised Circular A-11 in August 2022 to, among other things, provide that agencies should be able to demonstrate how climate considerations are integrated in risk management and decision-making, partially addressing our recommendation. In 2020, the Department of Defense also provided guidance to its installations on how to use a site-specific database of sea level rise projections in planning and project design, as we recommended. However, the federal government needs to further increase capacity by convening federal agencies for an ongoing effort to provide the best available forward-looking climate information to standards-developing organizations for their consideration.

Action plan: partially met. In October 2021, federal agencies released climate adaptation and resilience plans that identify actions intended to address their most significant climate risks and vulnerabilities. However, the Department of Defense has yet to consider climate change impacts for its overseas installations. In addition, the Department of Transportation has yet to implement options we identified to enhance the climate resilience of federally funded roads.

Monitoring: increased to partially met. In October 2022, federal agencies released their first annual climate adaptation and resilience progress reports. These reports document the progress agencies have made implementing the actions identified in their 2021 climate adaptation and resilience plans. However, it is too early to determine the effectiveness of these monitoring mechanisms.

Demonstrated progress: not met. The federal government has not fully implemented our recommendations to improve resilience government-wide.

Federal Government as Leader of National Climate Strategic Plan

Leadership commitment: increased to partially met. E.O. 14008 (January 2021) established the White House Office of Domestic Climate Policy to coordinate the policy-making process with respect to domestic climate-policy issues. E.O. 14030 (May 2021) called for the development of a comprehensive, government-wide strategy regarding, among other things, the measurement, assessment, mitigation, and disclosure of climate-related financial risks to federal government programs, assets, and liabilities. Finally, E.O. 14057 (December 2021), among other things, established the Climate Adaptation and Resilience Federal Leaders Working Group. The group will advance agency coordination, learning, and implementation in areas such as climate data and tools, infrastructure adaptation, and adaptation metrics and evaluation.

However, the federal government has not led the development of a national climate strategic plan or a strategic approach to target federal resources toward high-priority projects that manage some of the nation’s most significant climate risks.

Capacity: increased to partially met. The President’s fiscal year 2023 budget began accounting for some fiscal risks of climate change, as we recommended. OMB also revised Circular A-136 in June 2022 to, among other things, encourage agencies to report certain information related to their climate-related financial risks. However, none of these efforts include clear priorities for climate-related activities of key federal entities.

Action plan: increased to partially met. In October 2021, federal agencies developed and released adaptation and resilience plans to address their most significant climate risks and vulnerabilities, as directed by E.O. 14008. However, the federal government has not developed a strategic plan—with clear priorities and roles and responsibilities of key federal entities—to guide the nation’s efforts to adapt to climate change.

Monitoring: increased to partially met. In October 2022, major federal agencies released their first annual climate adaptation and resilience progress reports, as directed by E.O. 14008. These reports document the progress agencies have made implementing the actions identified in their 2021 climate adaptation and resilience plans. However, it is too early to determine the effectiveness of these monitoring mechanisms.

Demonstrated progress: not met. The federal government has yet to implement all of our recommendations to develop a national strategic plan with clear roles and responsibilities.

Technical Assistance to Federal, Tribal, State, Local, and Private-Sector Decision Makers

Leadership commitment: increased to partially met. Through IIJA, Congress appropriated funds to provide technical assistance for resilience. For example, these appropriations allow the Department of Transportation to provide grants to the Transportation Resilience and Adaptation Centers of Excellence to promote resilient transportation infrastructure. This includes, among other things, supporting climate vulnerability assessments. However, the federal government has not led the development of a government-wide approach for providing decision makers with the best available climate-related information and assistance with translating such information. Nor has climate resilience been incorporated in the planning of all drinking water and wastewater projects that receive financial assistance. This could help ensure that such projects adequately address risks from climate change.

Capacity: increased to partially met. In September 2022, the National Oceanic and Atmospheric Administration launched the Climate Mapping for Resilience and Adaptation portal to help communities understand real-time climate-related hazards and identify federal funds to support their climate resilience projects. However, the federal government has not developed a government-wide approach for providing decision makers with the best available climate-related information and assistance with translating climate-related data into accessible information.

Action plan: not met. The federal government has not developed a plan to implement a system to provide information to decision makers to support climate resilience.

Monitoring: not met. There are neither programs nor mechanisms to monitor government-wide progress addressing the challenges we have identified providing climate-related technical assistance.

Demonstrated progress: not met. The federal government has not demonstrated long-term improvement in its climate-related technical assistance to decision makers.

What Remains to Be Done

This high-risk area was added to the list in 2013. As of February 2023, 49 recommendations remain open. These recommendations address each of the five segments that comprise this high-risk area.

  • Federal Insurance Programs. FEMA and USDA should incentivize climate resilience by incorporating it into the requirements for receiving payments from federal flood and crop insurance programs. FEMA should also update its mapping plans to reflect future flood hazards. USDA should further analyze options to enhance producers’ climate resilience and integrate them, as appropriate, into its ongoing climate resilience planning.
  • Disaster Aid and Resilience. The federal government should develop the information needed to manage disaster assistance programs’ long-term exposure to climate change and fully implement measures that promote resilience. This includes better managing fragmentation across its disaster recovery programs.
  • Federal Government as Property Owner. The federal government needs a comprehensive approach to improve the resilience of the facilities it owns and operates and land it manages. For example, our recommendations to the U.S. Postal Service, Office of Management and Budget, Council on Environmental Quality, and Departments of Commerce, Defense, and Transportation should be implemented.
  • Federal Government as Leader of a National Climate Strategic Plan. The federal government could better reduce its fiscal exposure if federal efforts were coordinated and directed toward common goals, such as improving climate resilience. For example, the entities within the Executive Office of the President should use information on the potential economic effects of climate change to help identify significant climate risks and develop a strategic plan to guide the nation's efforts to adapt to climate change.
  • Technical Assistance to Federal, Tribal, State, Local, and Private-Sector Decision Makers. The federal government needs a government-wide approach for providing federal, tribal, state, local, and private-sector decision makers with the best available climate-related information and assistance with translating climate-related data into accessible information. For example, the Tennessee Valley Authority, National Marine Fisheries Service, Department of Energy, Environmental Protection Agency, and Executive Office of the President should implement our recommendations.

Congressional Actions Needed

There are seven open matters for Congress to consider, including:

  • addressing structural challenges in federal insurance programs related to crop insurance and the National Flood Insurance Program;
  • promoting disaster resilience, including establishing an independent commission to recommend reforms to the federal government’s approach to disaster recovery and providing direction or authority to FEMA to address property acquisition challenges and enhance disaster resilience;
  • supporting strategic planning by establishing (1) a coordinating entity to strategically target federal investments to Alaska Native Villages facing significant environmental threats; (2) a pilot program to identify and provide assistance to climate migration projects; and (3) a federal organizational arrangement to periodically identify and prioritize climate resilience projects for federal investment; and
  • ensuring infrastructure projects that receive financial assistance adequately address risks from climate change, such as considering a requirement that climate resilience be incorporated in the planning of all drinking water and wastewater projects that receive federal financial assistance.

Benefits

Over the past 10 years, the federal government has recognized nearly 30 benefits of limiting the federal government’s fiscal exposure by better managing climate change risks. These benefits include

  • ensuring Department of Defense planning for installations and facilities incorporates sea level change projections, and
  • providing recipients of federal funding for roads more funding and guidance for incorporating resilience into projects.

Contact Information

For additional information about this high-risk area, contact J. Alfredo Gómez at (202) 512-3841 or GomezJ@gao.gov.

Improving the Management of IT Acquisitions and Operations

To better manage substantial annual investments in IT, the Office of Management and Budget (OMB) and other federal agencies should continue to implement critical requirements of federal IT acquisition reform legislation.

Why Area Is High Risk

The executive branch has undertaken numerous initiatives to better manage the more than $100 billion that is annually invested in IT. However, federal IT investments too frequently fail to deliver capabilities in a timely manner. They also incur cost overruns or schedule slippages while contributing little to mission-related outcomes. These investments often lack disciplined and effective management in areas such as project planning, requirements definition, and program oversight and governance. Recognizing the severity of issues related to the government-wide management of IT, in December 2014, Congress and the President enacted federal IT acquisition reform legislation, commonly referred to as the Federal Information Technology Acquisition Reform Act (FITARA). In 2015, we added the government’s management of IT acquisitions and operations to the High-Risk List.

Overall, ratings for all five criteria remain unchanged since 2017. Congress and OMB continue to demonstrate leadership commitment to ensuring agencies implement IT reform initiatives. Additionally, OMB and agencies made progress in implementing our recommendations—73 percent of recommendations have been fully implemented, an increase from 65 percent reported in our 2021 HIgh-Risk List. However, challenges persist, including agencies’ efforts to address the role of their chief information officers (CIO), IT workforce issues, and weaknesses in IT planning and management practices.

Leadership commitment: met. As we reported in July 2022, sustained congressional focus on the implementation of FITARA has led to improvement, as highlighted in agencies’ FITARA implementation scores issued biannually by the House Committee on Oversight and Reform. OMB continues to demonstrate its leadership commitment by issuing guidance for covered agencies to implement FITARA provisions and optimizing federal data centers. OMB must maintain its current level of leadership support and commitment to ensure that agencies successfully execute its guidance on implementing FITARA and related IT reform initiatives.

Capacity: partially met. Progress in improving the role of agency CIOs and IT workforce practices is limited. For example, we found in August 2018 that none of the 24 major federal agencies fully addressed the role of their CIOs, consistent with federal laws and OMB’s FITARA guidance. As of February 2023, 15 of the 24 major federal agencies had yet to fully implement our recommendations.

Further, in September 2022, we compared the responsibilities of the Federal CIO and agency CIOs to private sector CIOs. We recommended that (1) Congress consider formalizing the Federal CIO position and establishing responsibilities and authorities for government-wide IT management, and (2) OMB take steps to increase collaboration between CIOs and other executives and consider managerial skills in CIO hiring criteria.

In addition, nine agencies have yet to fully implement our prior IT workforce recommendations. These include recommendations addressing key IT workforce planning practices. We have also made 24 new recommendations since our 2021 High-Risk List. This includes recommendations that would help the Departments of State and Agriculture improve their respective IT workforce practices.

The Technology Modernization Fund (TMF) was established in December 2017 by legislative provisions commonly referred to as the Modernizing Government Technology Act to assist agencies with funding to replace aging IT systems. Congress initially appropriated $175 million for TMF and appropriated an additional $1 billion to the fund in the American Rescue Plan Act of 2021. According to OMB’s TMF website, the Technology Modernization Board had approved 38 projects across 22 federal agencies, totaling about $688 million, as of February 2023.

However, we had previously identified issues with the collection of fee payments to recover TMF program operating expenses and the reliability of cost estimates for awarded projects. In addition, three of our recommendations made in December 2019 have yet to be fully implemented. In December 2021, we reported that numerous projects had yet to realize any cost savings, narrowed their scopes resulting in reduced TMF award amounts, and continued to use unreliable cost estimates. Thus, we reiterated the importance of implementing our prior recommendations.

Action plan: partially met. Agencies made some progress implementing our prior recommendations to develop plans for modernizing or replacing their legacy systems or shifting their IT services to cloud computing. However, 20 recommendations have yet to be addressed at 14 agencies. This includes recommendations for agencies to document modernization plans for selected legacy systems and better track costs and savings related to cloud computing. We also continue to identify issues with agencies’ efforts to plan their respective IT modernizations. We made 29 new recommendations to three agencies (the Coast Guard and the Departments of Health and Human Services and Defense) aimed at improving their respective IT planning practices since our 2021 High-Risk List.

Monitoring: partially met. Agencies made some progress in implementing our prior recommendations to reduce IT contract duplication, improve IT acquisition practices, and address IT budgeting weaknesses. However, 36 recommendations have yet to be addressed at five agencies. In addition, we continue to identify weaknesses in agencies’ IT management practices. Since the 2021 High-Risk List, we made 29 new recommendations to five agencies to address issues. This includes inadequate oversight of IT programs, cost estimates and schedules, testing, performance measurement, and risk management.

Demonstrated progress: partially met. As of February 2023, OMB and federal agencies had fully implemented about 73 percent of the 1,554 total recommendations we have made since fiscal year 2010 to address shortcomings in IT acquisitions and operations. This is an increase from 65 percent reported in our 2021 High-Risk List. However, agencies need to take significant actions to build on this progress.

In March 2022, we reported that all 24 major agencies met their data center consolidation savings goals for fiscal year 2020 and planned to meet their goals for fiscal year 2021. This represents a cumulative total of $6.6 billion in cost savings and avoidances from fiscal years 2012 through 2021 (as of August 2021). In addition, as of February 2023, agencies had implemented 110 of the 126 recommendations we made since 2016 to help agencies meet their data center optimization targets. However, agencies need to address the 16 recommendations that have yet to be implemented.

Agencies continue to report progress in savings from PortfolioStat. This is a key OMB initiative intended to improve the management of IT investments by consolidating and eliminating duplicative systems, among other things. Agencies have reported a total of about $4.25 billion in savings from fiscal years 2012 through 2021. This accounts for approximately 71 percent of the more than $6 billion in planned PortfolioStat savings, an increase from 45 percent reported in our 2021 High-Risk List. Agencies still have additional opportunities to make progress in savings.

What Remains to Be Done

Agencies should implement our remaining 294 open recommendations related to this high-risk area. For example:

  • improving the effectiveness of agency CIOs;
  • enhancing IT workforce planning practices; and
  • developing plans for modernizing or replacing legacy systems.

Congressional Actions Needed

Congress should consider formalizing the Federal CIO position and establishing responsibilities and authorities for government-wide IT management, an open recommendation for this high-risk area that we suggested in September 2022.

Benefits

Financial benefits due to progress in the IT acquisitions and operations high-risk area totaled more than $6 billion. Additionally, there were nearly 500 other benefits due to progress in this high-risk area over the past 8 years. For example:

  • Our May 2014 work on the federal government’s management of software licenses found that only two of 24 agencies had established comprehensive software license inventories. By December 2020, all 24 agencies had established comprehensive inventories and analyzed software usage to make cost-effective decisions.
  • In January 2018 we found that, although 22 selected agencies reported $14.7 billion in fiscal year 2016 IT contracts, 21 of the agencies did not identify an additional $4.5 billion that we had identified in IT obligations. In addition, 14 of the agencies had not followed OMB guidance to involve the acquisition office in their process to identify IT acquisitions for CIO review. By March 2022, all of these agencies had addressed recommendations to ensure that all IT-related acquisitions are properly identified and the acquisition office is involved in this process.

Contact Information

For additional information about this high-risk area, contact Carol Harris at (202) 512-4456 or harriscc@gao.gov.

Improving Federal Management of Programs That Serve Tribes and Their Members

The Bureau of Indian Education, Indian Health Service, and Bureau of Indian Affairs should take additional actions to improve tribal education and health care programs and better manage development of tribal energy resources.

Why Area Is High Risk

Federal agencies have ineffectively administered tribal education and health care programs. In addition, they have managed the development of tribal energy resources inefficiently. Therefore, we added this area to our High-Risk List in 2017. It includes three components across agencies in two departments: the Bureau of Indian Education (BIE) and Bureau of Indian Affairs (BIA), under the Department of the Interior’s Office of the Assistant Secretary–Indian Affairs, and the Indian Health Service (IHS) in the Department of Health and Human Services (HHS).

Since our 2021 High-Risk Report, the rating for one criterion—leadership commitment—increased from partially met to met. The other four criteria remain unchanged. Within the education segment, the ratings for leadership commitment and action plan increased. The following sections present more detailed information on the three segments summarized in the overall rating.

Education. BIE’s challenges include limited capacity to oversee schools and insufficient monitoring to ensure schools provide students the services and technology they need to support learning.

Health care. HHS’s inadequate oversight has hindered IHS’s ability to ensure American Indian and Alaska Native communities have timely access to quality health care.

Energy. BIA mismanagement of tribal energy resources held in trust has limited opportunities for Tribes and their members to use those resources to create economic benefits and improve community well-being.

Education

Leadership commitment: increased to met. Since our last high-risk report in 2021, BIE has shown commitment to addressing key management weaknesses by maintaining stability in the Director position (see fig. 13). BIE also implemented four of the five recommendations we designated as a priority. In addition, it created a permanent office responsible for overseeing performance and meeting strategic goals. Additionally, in January 2023, the Assistant Secretary–Indian Affairs committed to supporting BIE efforts to address the issues we identified in our reports.

Figure 13: Turnover in the Bureau of Indian Education Director Position from 2007 to February 2023

Capacity: partially met. BIE completed a strategic workforce plan that identified resource needs and recruitment strategies. BIE has also taken steps to reduce its staff vacancy rate, which stood at 50 percent agency-wide in 2019. However, as of February 2023, that rate continues to remain high at 27 percent. In addition, the division primarily responsible for supporting and overseeing schools has a vacancy rate of about 32 percent, according to agency documentation.

Action plan: increased to met. Since our last high-risk report in 2021, BIE has developed plans for corrective actions to address a variety of high-risk challenges. For example, in January 2022, the agency developed and implemented a plan to support schools in promptly addressing facility safety issues, as we recommended in March 2016. Also, in September 2021, the Interior developed a comprehensive long-term capital asset plan to inform how it allocates school facility funds, as we recommended in May 2017.

Monitoring: partially met. Since BIE took over responsibility for all school inspections in fiscal year 2019, it has taken steps to routinely monitor its safety inspection process for schools. However, BIE’s work in addressing other monitoring deficiencies has been insufficient. For example, it has yet to establish a program to routinely monitor and assess technology needs at schools. This has contributed to major delays in providing students with distance-learning devices during the pandemic, as we found in April 2021.

Demonstrated progress: partially met. Since 2021, BIE and related Interior offices have implemented three recommendations on school construction and safety. However, significant work remains to address our nine open recommendations. This includes two recommendations on distance learning, six recommendations on special education, and one on school construction. Continued progress in addressing management weaknesses will depend on the sustained support of senior agency leaders.

Health Care

Leadership commitment: met. Since 2017, IHS has established a new office and programs to oversee the agency’s efforts to promote consistent, high-quality health care across IHS sites. These include the Office of Quality, established in 2019 to consolidate oversight of quality assurance, and the National Compliance Program, established in 2020 within the immediate Office of the IHS Director. IHS officials have also demonstrated leadership commitment by regularly meeting with us to discuss the agency’s progress in addressing this high-risk area.

Capacity: partially met. We previously reported that IHS has made progress filling executive vacancies in health care facilities and has taken numerous steps to enhance its recruitment and retention of providers. In addition, in response to our recommendation, in 2020, IHS developed a system to track contract provider costs. IHS has been using it to make informed decisions about resource allocation and provider staffing.

However, our recent reports have identified deficiencies in IHS’s ability to achieve its mission because of weaknesses in the agency’s management and organizational infrastructure. For example, IHS has been collecting and reviewing data that would enable it to make informed decisions about tradeoffs inconsistently. This includes data about provider vacancies and patient needs. In addition, IHS has not taken steps to ensure consistent oversight and controls across its decentralized management structure. For example, we found that IHS area office practices lacked consistency in their oversight of financial decisions and provider misconduct.

Action plan: partially met. In 2019, IHS finalized a strategic plan. In 2022, it developed an action plan to improve its oversight and administration of health care programs that aligns with its strategic plan. The action plan identifies action items to address health care management weaknesses that others and we identified. This includes those related to assessing patient needs, ensuring adherence to agency policies, standardizing governance processes, and overseeing local budgetary decisions. The plan also identifies corrective actions and measureable targets with clear time frames to address these and other issues. As such, it allows IHS to demonstrate progress toward resolving known issues.

While IHS’s action plan identifies the root causes of health care management weaknesses others and we identified, it focuses on addressing these weaknesses instead of their root causes. IHS should expand its action plan to include strategies for addressing all of the root causes it has identified, such as improving management oversight in the agency and access to services. This step will help the agency ensure it addresses any problems underlying its known issues.

Monitoring: partially met. IHS has taken some steps to monitor the agency’s progress in addressing its management weaknesses. For example, it established a Chief Compliance Officer role to enhance its monitoring of area operations. These steps could significantly improve monitoring. In addition, since 2021, IHS has established a new hotline to simplify the process for reporting suspected abuse within IHS facilities or by IHS staff members. However, IHS should continue to enhance its monitoring. This includes tracking and validating the effectiveness of corrective actions noted in its action plan, and addressing the root causes of its challenges and the sustainability of those efforts.

Demonstrated progress: partially met. Since 2021, IHS has implemented three recommendations related to the management of health care programs. For example, in response to our December 2020 recommendations, IHS established a process for its headquarters to review area offices’ misconduct and substandard performance policies and training. These actions should help ensure consistency in the agency’s management of provider performance across IHS areas.

However, IHS needs to do more to improve its oversight of key areas. For example, IHS should continue to implement our four open recommendations, use data to show, both, that its action plan is being implemented and the root causes of its health care management weaknesses are being addressed, and take actions to ensure that progress is sustained.

Energy

Leadership commitment: met. Since 2021, BIA’s actions have enabled it to continue to meet this criterion. In March 2022, BIA designated the Indian Energy Service Center as the central focal point providing oversight and management of all BIA’s mineral, oil and gas, and other energy leasing and management activities. This move consolidates responsibilities within the Indian Energy Service Center. This, in turn, may enhance the agency’s ability to streamline processes, increase compliance with policies, and improve coordination.

Capacity: partially met. In November 2016, we recommended that BIA assess the critical skills of its workforce and develop a process to assess its workforce composition. This would ensure an adequate workforce with the right skills, aligned to meet the agency’s goals and Tribal priorities. In October 2021, BIA completed an assessment of two energy-related occupations and identified the need for additional training for these critical positions.

In addition, BIA worked with the Office of Personnel Management to develop a process to assess the workforce that implements programs for the Office of Trust Services. BIA initiated this assessment in three pilot regions in 2022.

To continue making progress, BIA should complete workforce assessments across all relevant offices and take steps to address issues identified through these assessments. These actions will help BIA address inadequate resources and staff at some offices that do not have the necessary skills to review energy-related documents effectively.

Action plan: partially met. In October 2022, the Indian Energy Service Center issued a strategic plan for fiscal years 2022 through 2026 that includes goals for reducing processing times for energy-related documents and streamlining policies, as we recommended in March 2022. The service center has also identified actions that could reduce processing errors and increase the timeliness and efficiency of energy-related regulatory processes. For example, the service center plans to work on updating mineral leasing regulations to allow for online lease sales.

However, BIA has not developed a comprehensive plan for assessing its processing time frames. Such a plan could identify the root causes of any delays, corrective actions, resources needed to implement the corrective actions, and measurable targets with clear time frames.

Monitoring: partially met. In response to our June 2015 recommendations, the Indian Energy Service Center established a plan to develop an inventory of pending transactions of key energy development activities at field offices. The plan also called for it to begin meeting regularly with field offices to monitor their processing of these transactions. According to this plan, the service center will review certain transaction types (rights of way and revenue sharing agreements) in fiscal year 2023 and additional transaction types in the following years.

Demonstrated progress: partially met. BIA has made progress with workforce assessment plans, agency coordination, guidance, and training. In March 2022, we reported that the Indian Energy Service Center assisted several field offices with backlogs in work associated with leasing and permitting for energy development. It also hosted training on the roles and responsibilities of Interior agencies involved in energy development to encourage consistency. As noted above, to continue making progress in this area, BIA should complete its ongoing workforce assessments across all relevant offices, monitor the timeliness and efficiency of energy-related processes, and use this information to demonstrate improvements.

What Remains to Be Done

We added this area to our High-Risk List in 2017. As of February 2023, 13 recommendations remain open.

BIE should implement all nine of our recommendations related to education, including

IHS should implement all four of our recommendations regarding health care, including

  • developing processes to guide area offices in systematically assessing how the scope of services provided by federally operated facilities will meet the medical needs of their patients; and
  • developing a process to guide area offices’ review of federally operated health care facilities’ spending proposals.

BIA has no open recommendations. However, to continue making progress in meeting the remaining criteria for this area, BIA needs to complete its workforce assessment and develop an action plan to improve outcomes related to tribal energy development. BIE and IHS also need to take additional actions to meet the remaining criteria for addressing high-risk issues.

Benefits

More than 40 benefits to Tribes and their members over the past 6 years. For example:

  • BIE provided schools with comprehensive training on a wide variety of areas important to student and staff safety, including promptly addressing safety problems with facilities.
  • IHS developed specific agency-wide standards for patient wait times in federally operated facilities. It also created electronic dashboards to monitor wait times in these facilities.
  • BIA contracted with the Office of Personnel Management to conduct competency modeling and gap analyses that included two mission-critical energy development occupations. This came after we recommended the agency assess critical skills and competencies needed to fulfill its responsibilities related to energy development.

Contact Information

For additional information about this high-risk area, contact Anna Maria Ortiz at (202) 512-3841 or ortiza@gao.gov. For questions about our Tribal education work, contact Melissa Emrey-Arras at (617) 788-0534 or emreyarrasm@gao.gov. For our Tribal health work, contact Michelle Rosenberg at (202) 512-7114 or rosenbergm@gao.gov. For our Tribal energy work, contact Frank Rusco at (202) 512-3841 or ruscof@gao.gov.

U.S. Government’s Environmental Liability

The federal government’s environmental liability is vast and growing. The Departments of Energy (DOE) and Defense (DOD), which bear the bulk of this liability, and other agencies need to identify and address environmental risks and better monitor and transparently report on this liability.

Why Area Is High Risk

Even as the federal government spends billions each year on cleanup efforts, its environmental liability likely will continue to grow. For example, the federal government's estimated environmental liability increased to $626 billion in fiscal year 2022 from $212 billion in fiscal year 1997

Of the estimated liability for fiscal year 2022, DOE is responsible for the largest share ($520 billion). This is related primarily to retrieving, treating, and disposing of nuclear and hazardous waste. DOD is responsible for the second-largest share ($91 billion). This is related primarily to environmental cleanup and restoration activities at or near current and former DOD installations. The remaining liability is shared among other agencies, including the Departments of Agriculture (USDA) and the Interior and National Aeronautics and Space Administration (NASA). We added this area to our High-Risk List in 2017.

The rating for monitoring increased from not met to partially met, and the remaining four criteria ratings remain unchanged since 2021. The following sections present more detailed information on the criteria summarized in the overall rating.

Leadership commitment: partially met. As in 2021, federal agencies continue to partially meet this criterion. DOE’s Office of Environmental Management (EM) has increased its attention on environmental liabilities in recent years. EM has also developed new ways of tracking and reporting such information that may be helpful for other agencies to adopt. However, DOE and DOD leaders, in particular, need to increase their focus on their respective agencies’ environmental liabilities, given the size and scope of activities needed to address these long-term federal responsibilities.

EM has developed several key programmatic initiatives and guiding documents over the last 2 years, including a program plan and a 10-year strategic vision. Additionally, EM’s current leader is the longest-serving leader in its history. However, steps are needed to ensure continuity of these improvements beyond his tenure. Furthermore, frequent leadership turnover, inconsistent priorities, and organizational changes at EM over the last 3 decades have slowed cleanup progress. This, in turn, has made it harder for DOE to achieve its complex, long-term mission, as we found in May 2022. DOE also faces technical challenges to future waste retrieval. In addition, it has not developed a long-term plan for closing the waste tank farms at the Hanford Site, as we found in January 2021.

While DOD has established a long-term goal to meet certain cleanup milestones at Formerly Used Defense Sites contaminated with hazardous substances, pollutants, or contaminants, it has no similar goal for sites contaminated by military munitions, as we found in June 2022. Following our June 2022 finding, Congress mandated that DOD establish a target goal for completing cleanup of these sites. However, Congress did not set a deadline by which DOD must do so. DOD could demonstrate leadership commitment by quickly taking action to establish the required cleanup goal.

Capacity: not met. In its multiple reorganizations of EM over the past 2 decades, DOE has not used a communication strategy that ensures continuous, two-way communication among senior leadership, employees, and contractors. These frequent reorganizations have contributed to low morale among employees and slowed cleanup work, as we found in May 2022. EM needs to develop such a communication strategy to more fully engage its workforce in developing and implementing reforms.

Action plan: not met. DOE has not developed formal plans to address its growing environmental liabilities. We and others have identified numerous opportunities for DOE to address and potentially reduce its environmental liability. In 2020, EM began publishing a 10-year strategic vision for cleanup across all of its sites. In 2022, it also developed a program plan for completing cleanup at each site. We have ongoing work evaluating whether the plan meets relevant criteria.

Furthermore, several other departments, including DOD, USDA, and the Interior, could improve transparency about their total cleanup costs by reporting additional information to Congress. For example, DOD does not report information to Congress on long-term management costs for Base Realignment and Closure sites, as we found in September 2022. Similarly, USDA and the Interior do not communicate to Congress all known estimated cleanup costs for abandoned hardrock mines in their budget materials, as we reported in January 2023.

Monitoring: increased to partially met. DOE has taken some steps to improve its ability to monitor and meet cleanup milestones. For example, EM issued a new standard operating procedure that (1) standardized requirements for sites to track milestones, and (2) added a requirement for officials to annually assess root cause trends for missed milestones at sites, as we recommended in February 2019.

However, EM neither systematically tracks spending nor comprehensively evaluates outcomes when managing its research and development projects. This does not fully align with leading practices for collaboration, as we found in October 2021. Fully following these practices would enable DOE to better monitor its investments into research and development of safer, more efficient, and more effective cleanup approaches.

Other agencies have also begun efforts to better understand their growing liabilities. For example, DOD and NASA have taken initial steps to understand the scope of cleanup needed for emerging contaminants known as per- and polyfluoroalkyl substances (PFAS). As of September 2022, NASA had completed preliminary assessments of PFAS contamination at all of its sites, and DOD had completed preliminary assessments at more than 300 installations, according to NASA and DOD officials. In a June 2022 report to Congress, DOD estimated that investigating and cleaning up PFAS contamination across various installations and sites would cost $2.1 billion. DOD expects this estimate to grow as it completes initial assessments and learns more.

Demonstrated progress: not met. Agencies and policymakers have yet to take significant steps to reduce the federal government’s large environmental liability. Specifically, DOE continues to face significant cost and schedule challenges with some projects and activities. For example, DOE will need a significant increase in annual appropriations—almost $6 billion in fiscal year 2030, compared to about $1.6 billion in fiscal year 2022—to sustain its current plan to treat tank waste at Hanford, as we reported in July 2022. However, we found in December 2021 that DOE could save tens of billions of dollars by considering alternate methods of treating and disposing of certain waste at Hanford.

In addition, until policymakers resolve the impasse over a permanent solution for disposal of spent nuclear fuel from commercial reactors—in turn enabling DOE to develop and implement a disposal strategy—the federal government faces significant liability from litigation related to commercial temporary waste storage. DOE estimates this liability at $39.2 billion, which may be an underestimate, as we found in September 2021. DOE does not include these estimated litigation costs in its reported environmental liabilities. However, these costs create additional fiscal exposure for the federal government.

What Remains to Be Done

As of March 2023, 50 of our recommendations related to this high-risk area—of which 16 were made since 2021—had not been implemented. Of these recommendations, 34 pertain to either DOE or DOD and include the following:

  • DOE should revise cleanup policies and develop a program management plan that incorporates the essential elements of a risk-informed decision-making framework.
  • DOE should continue its efforts to engage the public and finalize its draft consent-based siting process for managing commercial spent nuclear fuel.
  • DOD should establish a relevant cleanup goal for Formerly Used Defense Sites contaminated by military munitions.

Congressional Actions Needed

We have raised 14 matters for congressional consideration related to this area, all of which remain unaddressed. For example, Congress should consider

  • clarifying, in a manner that does not impair the regulatory authorities of the Environmental Protection Agency or any state, DOE's authority to determine, in consultation with the Nuclear Regulatory Commission, whether portions of Hanford’s tank waste (including residual tank waste) can be managed as a waste type other than high-level waste and can be disposed of outside the state of Washington;
  • enacting legislation to establish a new, dedicated DOE Under Secretary position for nuclear waste management and environmental cleanup; and
  • enacting legislation to clarify DOE's authority to sell depleted uranium, including any conditions connected to such sales.

Benefits

Nearly $150 million in financial benefits and more than 20 other benefits to the federal government have been realized since this area was added to our list 6 years ago. For example:

  • In response to a recommendation we made in May 2015, DOE suspended work on the Low Activity Waste Pretreatment System facility at Hanford and pursued a different technology, which it completed in 2022 for a savings of $80 million.
  • In August 2021, DOE published procedures that require site officials to annually assess root cause trends for modified (i.e., missed or postponed) milestones at sites, in response to our February 2019 recommendation. This guidance will help EM address the inconsistencies we found in its internal tracking of cleanup milestones. DOE will also be able to report more accurate and useful information on the status of cleanup milestones to decision makers.
  • DOD officials found and corrected a formulaic error in DOD’s environmental liabilities data related to Formerly Used Defense Sites after we found anomalies in the data and alerted DOD. This error had caused information on the reasons for cost increases and decreases in DOD's corporate database to be unreliable. DOD will now be able to provide accurate information to Congress in its future reports.

Contact Information

For additional information about this high-risk area, contact Nathan J. Anderson at (202) 512-3841, andersonn@gao.gov.

Emergency Loans for Small Businesses

The Small Business Administration (SBA) can make additional progress to improve its oversight of emergency loans for small businesses by continuing to develop and implement its fraud risk management efforts and addressing material weaknesses reported by its financial statement auditor.

Why Area Is High Risk

Between March 2020 and March 2022, SBA made or guaranteed more than 16 million loans and grants through the Paycheck Protection Program (PPP) and the COVID Economic Injury Disaster Loan (EIDL) program. This process provided about $1.1 trillion in emergency funding to help small businesses.

SBA quickly set up these programs to respond to the adverse economic conditions small businesses faced. This quick implementation left SBA susceptible to improper payments. Improper payments refer to those made in an incorrect amount or that should not have been made at all, including payments as a result of fraudulent activity. In November 2022, SBA’s financial statement auditor reported (for the third consecutive year) material weaknesses in controls associated with the two programs that led to loans going to potentially ineligible borrowers.

This high-risk issue is being rated for the first time since it was added to the High-Risk List in 2021. Although SBA has made progress toward implementing controls to help address fraud in its emergency loans for small businesses, the following issues remain:

  • SBA has yet to fully implement or provide adequate support for its fraud risk management efforts.
  • SBA has yet to address all of the material weaknesses in internal controls reported by its financial statement auditor.

Leadership commitment: met. SBA has demonstrated leadership commitment in a number of ways (see fig. 14). For example, according to SBA officials, SBA formed a High-Risk Working Group comprised of senior officials, including the Administrator’s Chief of Staff and the Chief Financial Officer, to resolve high-risk issues. The agency also created a special counsel for enterprise risk in the Administrator’s Office to advise the Administrator on fraud and other risk management activities across SBA.

In addition, SBA created the Fraud Risk Management Board in February 2022 and designated it as SBA’s antifraud entity. The board is comprised of executives from across SBA. It reports to the Administrator through the Enterprise Risk Management Board, which manages agency-wide risks such as those posed by its emergency loan programs. Finally, SBA established an audit remediation working group, which includes the Chief Financial Officer and the Administrator’s Chief of Staff, to address the findings from its financial statement audits.

Figure 14: Examples of Small Business Administration Leadership Commitment

Capacity: partially met. SBA used contractors to help with oversight of PPP and EIDL. For example, a contractor reviewed all PPP loans for potential indicators of ineligibility or fraud and another developed fraud risk assessments for both programs. To build capacity to identify and manage fraud risks, SBA conducted agency-wide fraud risk training and plans to conduct ongoing training. SBA officials said they also met with other agencies to discuss best practices related to fraud risk management and formed an advisory team to support its Fraud Risk Management Board. However, officials told us in February 2023 that SBA does not expect to hire a permanent program manager for the board until the end of April 2023. They also said that SBA needs to determine the board’s staffing requirements—both the number and skillsets needed—and provide those resources.

Action plan: partially met. SBA developed a fraud risk management action plan and a multiyear strategic plan intended to support the Fraud Risk Management Board. SBA also implemented an oversight plan for PPP. This plan includes automated screenings of all loans to identify anomalies or attributes that may indicate noncompliance with eligibility requirements, fraud, or abuse. Loans that were identified were considered for additional review, including of compliance with applicable loan forgiveness rules.

Borrowers may have their PPP loans fully forgiven if certain conditions are met. The loan forgiveness process is still ongoing because borrowers have until the maturity date of the loan—either 2 or 5 years from origination, depending on when the loan was made—to apply for forgiveness.

In addition, the agency began implementing controls to validate information provided by EIDL applicants before making the loan and developed an oversight plan for EIDL. Both the PPP and EIDL oversight plans include steps to help SBA identify potentially fraudulent loans. SBA has referred potentially fraudulent loans from both programs for criminal investigation.

However, SBA’s financial statement auditor reported in November 2022 that material weaknesses remained in SBA’s controls over PPP and EIDL. For example, the auditor found that SBA neither sufficiently designed the loan forgiveness review process nor adequately designed and implemented controls to ensure that EIDL loans were provided to eligible borrowers and accurately recorded. SBA will need to develop a corrective action plan to address the material weaknesses related to PPP and EIDL.

Monitoring: partially met. According to SBA officials, its various working groups and boards meet regularly (ranging from weekly to quarterly) to track progress in the high-risk area and on our open recommendations. In addition, Fraud Risk Management Board members’ personal performance plans include participation in board activities. SBA officials said that career, senior, and midlevel program officials’ performance plans encourage the inclusion of internal controls. Lastly, SBA included a risk management strategy in its Fiscal Year 2022–26 Strategic Plan and performance measures in its Fiscal Year 2021 Annual Performance Report. These measures include SBA’s progress towards closing open Office of Inspector General and our recommendations and the number of risk inventories that have been completed.

However, the financial statement auditor found deficiencies related to SBA’s monitoring of PPP lenders and processes performed by its contractor.

Demonstrated progress: partially met. SBA developed and implemented oversight plans for PPP and EIDL, developed data analytics for EIDL, and reported the estimated improper payment amount and rate for PPP. However, SBA received a third consecutive disclaimer of opinion in its fiscal year 2022 financial statement audit because it was unable to provide adequate evidence to support a significant number of transactions and account balances related to PPP and EIDL. The 2022 financial statement audit included 42 recommendations to SBA, including 17 directly related to PPP and EIDL. SBA management concurred with all findings and recommendations included in the audit.

Further, although SBA has created a fraud risk management action plan and other review and oversight plans, it has not developed fraud risk management strategies for PPP and EIDL that meet the criteria in our Fraud Risk Framework. For example, various plans and summary documents SBA provided do not fully articulate a strategic approach to detecting and responding to fraud or communicate PPP and EIDL antifraud strategies to employees and other stakeholders.

What Remains to Be Done

We have made eight recommendations to SBA focused on this high-risk area, two of which remained open as of February 2023. In addition, SBA’s financial statement auditor made numerous recommendations to SBA in November 2022. Additional progress could be made if SBA were to complete actions to implement open recommendations, such as:

  • developing fraud risk management strategies for PPP and EIDL; and
  • addressing the material weaknesses identified by its financial statement auditor.

Benefits

Progress to address the Emergency Loans for Small Businesses high-risk area resulted in more than $3 billion in financial benefits associated with SBA’s implementation of a PPP oversight plan and 9 other benefits since we added it to our list 2 years ago. For example:

  • In June 2020, we found that SBA had limited time to implement safeguards for the PPP loan approval process. Thus, it needed to develop plans to respond to risks in PPP. In response, SBA provided a master review plan for PPP in December 2020 that outlined steps it planned to take to review the PPP loans made in 2020. SBA updated the plan in January 2022 to, among other things, include oversight of loans made in 2021.
  • In November 2020, we found that SBA needed to expeditiously estimate improper payments and report estimates and error rates for PPP. In response, SBA estimated and reported the improper payment amount and error rate for PPP in fiscal year 2022 annual reporting.
  • In March 2021, we found that SBA had not conducted fraud risk assessments for PPP or EIDL. In response, SBA provided both assessments in September 2022.

Contact Information

For additional information about this high-risk area, contact William B. Shear at (202) 512-8678 or shearw@gao.gov.

Strengthening Management of the Federal Prison System

The Bureau of Prisons (BOP) needs to enhance its management of staff and resources and improve planning and evaluation of programs that help inmates prepare for a successful return to the community.

Why Area Is Being Added to the High-Risk List

BOP is responsible for the care, custody, safety, and rehabilitation of approximately 158,000 inmates. It is also one of the largest employers at the Department of Justice (DOJ) with more than 34,000 correctional officers and staff. In fiscal year 2023, BOP’s appropriation was a little more than $8.5 billion.[18] Human capital-related costs and programs, and services for inmates comprised the largest expenditure categories.

In March 2021, we identified management of the federal prison system as an emerging high-risk issue requiring close attention based on our oversight work and knowledge of longstanding challenges. At that time, we identified three key problem areas that continue to pose challenges:

  • management of staff and resources,
  • planning for new programs or initiatives that help inmates prepare for a successful return to the community, and
  • monitoring and evaluation of inmate programs, which has led to imprudent spending.

In addition, BOP has consistently experienced several leadership changes over recent years. Other longstanding issues have been staffing challenges, such as vacancies and the growing use of overtime to help address them, which continue to present a serious threat to inmate and staff safety. BOP also lacks the necessary data and analytic capacity to prepare for and respond to disasters that can affect security. In addition, we found that BOP should improve its efforts to implement certain requirements from the First Step Act of 2018. The Act, among other things, directs BOP to deliver programs that may lower inmates’ risk of recidivism. It also provides inmates with opportunities to earn time credits that may allow them to reduce the amount of time they spend in a BOP facility.[19]

Finally, in December 2022, the DOJ Inspector General cited improving management of the federal prison system as a top management and performance challenge facing the department. These challenges included staffing shortages, contraband, and inmate medical care costs, as well as infrastructure maintenance and staff misconduct.

Leadership commitment: BOP experienced significant leadership changes over recent years. In January 2022, the then-BOP Director announced his retirement. A new BOP Director began leading the agency in August 2022. She is the sixth Director or Acting Director BOP has had in 6 years. Testifying before the Senate in September 2022, she affirmed her commitment to reform operations and stated that addressing BOP’s staffing concerns and implementing the First Step Act are among her highest priorities. The current BOP Director reiterated her commitment to addressing these issues in a March 2023 meeting with our leadership.

In August 2022, the Deputy Attorney General issued a memorandum to all department components stating that effectively resolving our and the Department of Justice Inspector General’s recommendations is important to DOJ leadership and essential to the sound management of each component, including BOP. Given the frequency of leadership changes within the bureau, leadership stability and a commitment from the top to resolving audit findings will remain critically important.

Capacity: BOP’s capacity is limited in large part because of how it has managed staffing levels and resources. For example, our February 2021 report found that BOP did not have reliable methods for assessing its staffing levels. We also found that BOP’s overtime expenses increased more than 100 percent, without adjusting for inflation, from fiscal years 2015 through 2019. We made seven recommendations to BOP. This includes that BOP develop and implement a reliable method for calculating staffing levels, or amend existing methods, and conduct a risk assessment of its overtime use. Four of the seven recommendations remain unresolved as of March 2023, including three that we designated as high priority in June 2022.

Further, in May 2020, we recommended that BOP develop and document its methods for determining the number of additional agency personnel it needed to support expansion of its medication assisted drug treatment program—a key program related to inmate rehabilitation. As of March 2023, BOP had not fully implemented this recommendation, along with two others related to inmate drug treatment efforts.

In 2021 and 2022, committees of both the House and the Senate held BOP oversight hearings focused on COVID-19 management, allegations of BOP employee misconduct, and general staffing challenges. Assessing staffing shortages will be essential for BOP to ensure it has the staff needed to offer sufficient programs—including offering certain programs and productive activities pursuant to the First Step Act. Related to this issue, in March 2023, we recommended that BOP develop a mechanism to monitor if the amount of recidivism reduction programs and activities it offers is sufficient to meet the needs of its incarcerated population. BOP agreed and we will continue to monitor BOP’s efforts to implement this recommendation.

Finally, members of Congress have raised concerns about BOP’s implementation of the First Step Act, its management of infrastructure maintenance and repair projects, and efforts to reduce recidivism. The House’s Bureau of Prisons Reform Caucus was chartered in 2020 and in February 2022, the Senate’s Prison Policy Working Group was established. In early 2023, members of the House announced the creation of the Bipartisan Second Chance Task Force to promote policies that improve reentry outcomes and reduce employment barriers for formerly incarcerated individuals.

Action plan: BOP’s plans to manage some of its key inmate rehabilitation programs are limited. Based on the latest available data, which BOP released in September 2021, nearly 45 percent of individuals were either rearrested or returned to BOP custody within 3 years of completing their federal sentences and being released to their communities.

Given that the First Step Act generally requires the Attorney General to research and analyze certain programs related to their effectiveness at reducing recidivism, it will be critically important that BOP have an effective plan to do so.[20] In March 2023, we recommended that BOP ensure its plan for evaluating recidivism reduction programs has pre-established, quantifiable goals that align with the First Step Act, and includes clear milestone dates. BOP agreed, and we will continue to monitor BOP’s efforts to implement this recommendation.

Monitoring: BOP has not evaluated many of its programs for inmates in decades, though BOP has made some recent progress in this area. In response to our July 2020 recommendation, BOP completed an evaluation of its Federal Prison Industries program in September 2021. Subsequently, BOP set a measurable goal for recidivism reduction for inmates participating in the program. This program is designed to help inmates develop marketable job skills and successfully re-enter society. Also in September 2021, BOP initiated an evaluation of its drug treatment programs. The assessment is ongoing.

In March 2023, we recommended that BOP collect and monitor participation data for unstructured productive activities that incarcerated people are able to participate in and earn First Step Act time credits. BOP did not concur with this recommendation. We believe taking such actions should be a priority and would better position BOP to know the status of each incarcerated person’s successful participation in programs for the purposes of First Step Act time credits.

In addition, BOP lacks the data collection and analytic capacity needed to prepare for disasters and protect its physical resources. In February 2022, we recommended that BOP establish cost-effective and feasible analytic features, such as project milestones and cost indicators, as well as queries and alerts. This would give BOP better visibility into disaster-related projects. In February 2023, BOP reported that it would conduct a cost-benefit analysis of adding analytical features after its transition to a new management system is completed by the end of the fiscal year.

Demonstrated progress: Since we identified BOP as an emerging high-risk issue in March 2021, the bureau has addressed 22 of our recommendations. This has included developing approaches to capture and share best practices and lessons learned related to managing COVID-19 resources, and ensure the facilities apply these practices as appropriate.

However, we have made another 26 recommendations to BOP since March 2021. In total, 28 recommendations related to this high-risk area need to be fully addressed, including those from reports issued prior to March 2021.

What Remains to Be Done

In addition to sustaining leadership commitment, BOP needs to address the four other criteria related to capacity, action plan, monitoring, and demonstrating progress. Moving forward, GAO and BOP will agree upon metrics in order to gauge progress. Within this context, BOP also needs to complete actions to implement our 28 recommendations.

For example:

Potential Benefits

Enhancing management of staff and resources, and improving the planning and evaluation of inmate programs, would allow BOP to more effectively deliver services, enhance its emergency preparedness and safety, determine if its investments are facilitating inmates’ successful re-entry into the community, and effectively implement the First Step Act. Successful implementation of the First Step Act could reduce the amount of time inmates serve in prison, the recidivism among federally incarcerated people, and costs to the U.S. taxpayer.

Contact Information

For additional information about this high-risk area, contact Gretta L. Goodwin at (202) 512-8777 or goodwing@gao.gov.

DOD Weapon Systems Acquisition

The Department of Defense (DOD) needs to improve oversight of its weapon systems and make better informed investment decisions to ensure the timely delivery of critical capabilities to the warfighter.

Why Area Is High Risk

DOD is continually challenged to rapidly deliver capabilities to its warfighters in an increasingly innovative and ever-changing global environment. Further, DOD programs are more software driven than ever before and face global cybersecurity threats. As of December 2021, DOD expected to spend more than $1.9 trillion dollars to acquire weapon systems. It identified the modernization of its weapon systems as critical to the nation’s ability to achieve competitive advantage with potential adversaries. Legislation, such as acquisition reforms outlined in the National Defense Authorization Acts for Fiscal Years 2016 and 2017, has prompted DOD to take actions to improve the outcomes of systems that were consistently costing more, taking longer to develop, and performing at lower-than-anticipated levels. We added this area to our High-Risk List in 1990.

Since our 2021 High-Risk Report, our assessment of DOD’s performance against our five criteria remains unchanged. For this report, we divided the overall high-risk area into four segments—acquisition policy and oversight, software and cybersecurity, defense industrial base, and innovation investments—that reflect key areas of risk for DOD weapon systems acquisition. Since these are new segments, we will not rate DOD on them separately until our next High-Risk Report in 2025.

Leadership commitment: met. DOD senior leadership continues to demonstrate a strong commitment to improving the management of its weapon systems acquisition. For example, in May 2021, the Deputy Secretary of Defense took action to address portfolio management challenges we identified in August 2015 by establishing Integrated Acquisition Portfolio Reviews. These reviews examine how multiple weapon systems fit into a broader portfolio of capabilities. Additionally, the Office of the Under Secretary of Defense for Acquisition and Sustainment and military department leadership continue to update acquisition policies and develop oversight plans since our last High-Risk Report in 2021.

Capacity: partially met. Since our 2021 report, DOD has taken steps to increase its capacity for addressing risks related to weapon systems acquisition. For example, in November 2021, DOD established the Software Modernization Senior Steering Group. This group coordinates DOD’s software modernization efforts and promotes the adoption of modern software development practices across the department. The Under Secretary of Defense for Acquisition and Sustainment, the Under Secretary of Defense for Research and Engineering, and the DOD Chief Information Officer oversee the group.

However, DOD still needs people with the necessary expertise and sufficient resources to improve weapon systems acquisition. For example, in February 2022, we reported that officials from the Office of the Under Secretary of Defense for Acquisition and Sustainment told us they had no dedicated funding for efforts to improve acquisition reporting. They also said that the office responsible had recently been directed to cut its staffing levels. Further, DOD faced reduced capacity among its leadership while awaiting the confirmation of a new Under Secretary of Defense for Acquisition and Sustainment, which occurred more than a year after the 2021 change in presidential administration.

Action plan: partially met. DOD continues to make progress in developing plans to improve certain aspects of weapon systems acquisition. For example, in February 2022, the Acting Assistant Secretary of Defense for Acquisition approved a plan explaining how DOD would assess the effects of recent acquisition reforms, as we recommended in June 2019. However, the department has yet to develop plans to address other aspects of this high-risk area. We reported in July 2022 that the department had yet to develop a consolidated and comprehensive strategy to mitigate industrial base risks such as reliance on foreign and single-source suppliers for critical materials.

Monitoring: partially met. DOD has made progress in its efforts to conduct data-driven oversight on the effectiveness of defense acquisition system changes. In February 2022, we reported on the Office of the Under Secretary of Defense for Acquisition and Sustainment’s multiyear effort to improve acquisition data management. While officials from that office described these efforts as significant, we continue to identify challenges with the data available to DOD for effectively monitoring recent acquisition reforms. For example, in February 2023, we reported that DOD’s ability to conduct effective data-driven oversight of its middle tier of acquisition pathway was hindered by a lack of clear reporting guidance and a data framework that obscured key program details. These challenges were compounded by inaccurate data provided by DOD components. An acquisition pathway allows for the rapid prototyping or fielding of capabilities.

Demonstrated progress: partially met. DOD continues to work to implement our past recommendations to help address the high-risk area. For example, in 2021 and 2022, DOD addressed recommendations through actions such as monitoring costs for programs using new acquisition pathways, developing policies and guidance to increase planning for weapon systems sustainment during the acquisition process, and improving software development for its costliest weapon program, the F-35.

However, DOD has yet to address many of our other recommendations that could help improve cost, schedule, and performance outcomes. Additionally, in our June 2022 annual weapon systems assessment, we were unable to assess DOD’s progress in reducing unplanned cost growth due to the lack of available data. We noted in our report that DOD still struggled with schedule delays despite congressional legislation and departmental efforts in recent years emphasizing the timely delivery of warfighting capabilities.

The following sections discuss the four segments related to the overall high-risk area of DOD Weapon Systems Acquisition.

Acquisition Policy and Oversight

DOD has yet to implement some of the improvements to its acquisition policies that we have identified. For example, in March 2022, we found that DOD’s acquisition policies incorporate some leading principles that private sector companies use to drive innovation and speed in product development. These principles include developing cost, schedule, and performance parameters to define goals before allocating funding. However, DOD missed opportunities for positive outcomes by not addressing others. We recommended—and DOD agreed—that the department update its acquisition policies to fully address leading principles.

Further, DOD has yet to fully determine key program oversight aspects for the Adaptive Acquisition Framework. This framework provides six acquisition pathways that are each tailored for the unique characteristics and risk profile of the capability being acquired. As a result, Congress and senior DOD leadership may lack the information they need to ensure the department’s acquisition efforts are on track. For example, in February 2023, we found that DOD components had yet to establish and document processes that DOD directed them to develop to inform execution and oversight of DOD’s middle tier of acquisition pathway. Additionally, in February 2022, we reported that many open questions remained about how DOD would track and report on program performance. We made recommendations to strengthen DOD’s efforts to improve acquisition program reporting (see figure 15).

Figure 15: The Department of Defense Has Yet to Address Open Questions Related to Its Proposed Reporting Approach

Software Development and Cybersecurity

Cyberattacks can target any weapon system that depends on software. Software has become a key component of weapon systems. Yet DOD has been challenged to modernize its software development approach, address workforce shortfalls, and improve cybersecurity—a fact that senior DOD leadership has acknowledged. In June 2022, we reviewed 59 DOD acquisition programs. We found that these programs had made limited progress in implementing software development practices recommended by the Defense Science Board in 2018. Such practices include providing training in modern software development approaches for program managers and staff. These programs also reported continued software development workforce challenges. Nearly half of the programs said it is difficult to find staff with the required expertise. More than one-third reported difficulty hiring staff in time to perform planned work.

Further, the programs we reviewed have not fully implemented recommended cybersecurity practices. For example, they did not consistently complete certain types of testing that assess a system’s ability to execute critical missions and defend against cyber threats. In addition, in March 2021, we found that programs did not always include complete cybersecurity requirements in their contracts. We also found that DOD’s related guidance was insufficient, increasing the potential for cybersecurity risks.

Defense Industrial Base

DOD recognizes it needs a healthy defense industrial base with secure supply chains, skilled workers, robust competition, and access to innovative, cutting-edge technology to keep pace with strategic competitors. Without these elements, DOD programs could face acquisition cost overruns, schedule delays, and performance issues. For example, we reported in January 2021 that the Navy’s submarine programs rely on materials produced by an atrophied supplier base. We also found that risks in the supplier base contributed to schedule and quality challenges for the lead Columbia class submarine.

Congress has recently taken steps that help DOD address these challenges, such as providing funds that the Navy used to expand and develop the submarine supplier base. As of May 2021, the Navy’s submarine programs had budgeted nearly $900 million to address suppliers’ capacity and workforce risks and to develop additional sources of supply. However, in July 2022, we found that DOD did not have enterprise-wide performance measures to monitor the aggregate effectiveness of its numerous risk mitigation efforts, which cost billions of dollars.

We also reported that DOD’s Industrial Base Policy office does not have a consolidated and comprehensive strategy to mitigate industrial base risks. For example, we found that DOD had yet to develop an analytical framework for mitigating risks. Such a framework could support its planning efforts and was required by Congress. We also recommended in June 2022 that DOD update its industrial base assessment instruction. Such a move would ensure that DOD has greater insight into industrial base risks across the department.

Innovation Investments

Responding to threats from strategic competitors, such as China and Russia, requires DOD to invest in innovative technologies for the warfighter. DOD, however, faces challenges in delivering such innovation quickly. The department typically focuses on developing near-term, less risky, incremental innovation at the expense of long-term, disruptive innovation. DOD did not concur with our recommendations and has yet to implement our priority recommendations from June 2017 to (1) define the desired mix of incremental and disruptive innovation investments within military departments, and (2) annually assess whether that mix is achieved to better align with leading commercial companies’ approaches to innovative technology development.

In addition, in March 2021 and June 2022, we identified gaps in DOD’s leadership and oversight of innovative investments in hypersonic missiles. We also found that DOD lacked the workforce needed to support large-scale production and testing of hypersonic weapons. Further, in April 2022, we found that DOD’s prototyping plan for uncrewed maritime systems lacked key strategies to successfully transition the efforts to acquisition programs and help maximize its significant investments.

What Remains to Be Done

As of February 2023, 163 recommendations related to DOD weapon systems acquisition remain open, including that DOD should

  • update DOD acquisition policies to fully implement the key product development principles used by leading companies;
  • develop and use performance measures to monitor the aggregate effectiveness of mitigation efforts for DOD-wide industrial base risks; and
  • define the desired mix of incremental and disruptive innovation investments within military departments and annually assess whether that mix is achieved.

Congressional Actions Needed

There are two open recommendations for congressional consideration. To help DOD improve weapon systems acquisition, Congress should consider

  • requiring DOD to report on each major acquisition program's systems engineering status in the department's annual budget request, beginning with the budget requesting funds to start development; and
  • revising Section 224(d) of the National Defense Authorization Act for Fiscal Year 2017, Pub. L. No. 114-328, to extend DOD's reporting requirement for Block 4 of the F-35 program until all Block 4 capabilities are fielded to ensure that Congress is aware of cost and schedule growth beyond 2023.

Benefits

Progress in the acquisition of DOD weapon systems has led to more than $250 billion in financial benefits and more than 400 other benefits. For example:

  • DOD implemented the Weapons Systems Acquisition Reform Act of 2009, which codified a number of leading acquisition practices we first recommended, to avoid an estimated $36 billion in development costs and $136 billion in procurement costs over 5-year periods.
  • DOD established a plan, approved in February 2022, to assess the effects of recent acquisition reform efforts. Our work found that, without such a plan, DOD risked not achieving an effective balance between oversight and accountability and efficient program management.
  • In March 2022, the U.S. Army issued guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts.
  • DOD updated guidance in July 2022 to provide more useful information about the total cost of warfighting capabilities that use multiple efforts or acquisition pathways.

Contact Information

For additional information about this high-risk area, contact Shelby S. Oakley at (202) 512-4841 or oakleys@gao.gov.

DOD Financial Management

The Department of Defense (DOD) needs to continue to improve its information systems, action plans, and monitoring efforts to produce reliable, useful, and timely financial information.

Why Area Is High Risk

DOD’s financial management faces long-standing issues including ineffective processes, systems, and controls; incomplete corrective action plans; and the need for more effective monitoring and reporting.

DOD financial management has been on our High-Risk List since 1995. DOD’s spending makes up about half of the federal government’s discretionary spending. Its physical assets comprise almost 68 percent of the federal government’s physical assets. DOD has not yet received an audit opinion on its annual department-wide financial statements. It has been unable to accurately account for and report on its spending or physical assets.

DOD’s financial management issues extend beyond financial reporting as long-standing control deficiencies adversely affect the economy, efficiency, and effectiveness of its operations. Sound financial management practices and reliable, useful, timely financial and performance information would help improve DOD’s accountability over its extensive resources and would support more efficient management of these resources.

The ratings for all five criteria remain unchanged since 2021.

Leadership commitment: met. Since our last high-risk update in 2021, DOD leadership continued its commitment to financial management improvements by (1) updating its Financial Management Strategy, (2) prioritizing audit remediation efforts, (3) continuing to phase out legacy systems while migrating to newer financial management systems, and (4) embracing G-Invoicing—a common platform for recording and processing intradepartmental transactions which should be in agreement and must be eliminated as part of preparing consolidated agency financial statements.

Capacity: partially met. DOD’s updated fiscal year 2022-2026 Financial Management Strategy continues to focus on the need to build and maintain a premier financial management workforce. It also continues to reduce the number of legacy financial management systems and leverage a single enterprise data and analytics platform to assist with fiscally informed decisions and management reporting. In September 2020, we reported that DOD’s Information Technology strategic plan lacked performance measures for tracking progress in achieving the strategy’s goals. We also reported that DOD could not identify a complete listing of its financial management systems that support the preparation of the department’s financial statements. DOD has not yet fully addressed these issues. Additionally, in February 2022, we reported that the U.S. Air Force did not have a systems migration plan that followed leading practices for transitioning from its legacy system to its new core accounting system.

Action plan: partially met. DOD and its components continue to take steps to prioritize audit remediation efforts and develop corrective action plans to address findings reported by its external auditors. To this end, the Secretary of Defense has targeted three priority areas in fiscal year 2022 for improving financial statement audit results: (1) Fund Balance with Treasury – to establish processes and controls to more timely record cash collections and disbursements, (2) Establish User Access Controls – to enhance security over critical IT systems, and (3) Creating a Universe of Transactions and Financial Reporting Internal Controls – to help DOD compile and validate a complete listing of transactions from all accounting systems.

However, in the recently completed FY 2022 financial statement audits, material weaknesses remain for each of these priority areas. Additionally, DOD has not yet fully addressed key deficiencies we reported in October 2020 pertaining to its corrective action plan process, such as ensuring a root cause analysis is performed and documented. Also, DOD has not yet issued the detailed implementation plans to carry out the financial management transformation strategies included in its newly issued FY 2022-2026 Financial Management Strategy.

Monitoring: partially met. DOD continues to prioritize financial statement audit remediation areas for addressing material weaknesses. In addition, DOD components are developing roadmaps for how they can achieve clean audit opinions. These roadmaps outline critical remediation tasks, dependencies, and timelines for completion. They also can serve as a mechanism for DOD’s leaders to monitor the department’s audit remediation progress. However, these roadmaps are inconsistent across the components and measures of success are vague.

Demonstrated progress: partially met. DOD continues to make some progress in addressing its financial management challenges. For example, in FY 2022, it completed its fifth entity-wide financial statement audit. However, the DOD Inspector General reported 28 material weakness in its FY 2021 and FY 2022 DOD audits compared to 26 at the time of our 2021 high-risk update. Additionally, DOD has remediated audit deficiencies at a slower rate in recent years as it works to address more complex issues such as weaknesses in its financial management systems.

What Remains to Be Done

We have made more than 150 recommendations to DOD focused on this high-risk area, 67 of which remain open as of February 2023. Additional progress could be made if DOD were to complete actions to implement open recommendations, such as

  • establishing specific time frames for developing an enterprise road map to implement DOD's financial management systems strategy, continuing efforts to identify a complete inventory of financial management systems, and developing detailed system migration plans where new systems will replace legacy accounting systems;
  • improving its corrective action plan review process, including ensuring that (1) data elements missing from corrective action plans are appropriately identified and communicated to DOD’s components and resolved; (2) Notices of Findings and Recommendations (i.e., auditors’ findings and recommendations) are appropriately linked to the appropriate corrective action plans to address them; and (3) components document their rationale for accepting the risk associated with certain deficiencies and identify such instances in the Notice of Findings and Recommendations Database; and
  • continuing efforts to implement policies and procedures to address suspense account deficiencies (see fig. 16) including developing and implementing DOD-wide guidance for identifying and remediating the root causes of control deficiencies in its suspense account processes. Suspense accounts temporarily hold financial transactions—such as transactions with missing or incomplete documentation—that require further research before they are permanently recorded to the proper accounts in an accounting system.

Figure 16: DOD Actions to Address Deficiencies with Suspense Account Transactions

Benefits

Over the past 17 years, our work has identified nearly $4 billion in financial benefits to the federal government. We have also identified more than 200 other benefits including enhanced internal controls, improved oversight, and more reliable information to support management decision-making related to this high-risk area. Additionally, since DOD’s department-wide financial audits started in 2018, DOD leadership identified a number of financial management–related benefits, as well as, operational improvements. Specifically, DOD stated that the audits have been a catalyst for business process and business systems reform. DOD officials also stated that the agency’s audit remediation efforts will ultimately result in better support for the warfighter and preservation of military advantage. They described additional benefits such as, greater financial data integrity, enhanced demonstration of stewardship, and increased transparency for Congress and the American people. Some of the specific benefits noted by DOD include:

  • Its audits have helped identify assets such as spare parts and material that it did not know existed. In turn, DOD has been able to fill thousands of open requisitions more quickly, which improves military readiness without incurring additional purchase costs. For example, in fiscal year 2022, the U.S. Navy stated it had identified more than $4.4 billion in previously untracked material through inventory clean up and redeployment programs dating back to 2018. Such efforts have also resulted in the identification and removal of unneeded inventory. This process has freed storage space.
  • In 2018, the U.S. Army found 39 Blackhawk helicopters that had not been recorded in the property system. Similarly, the Air Force identified 478 buildings and structures at 12 installations that were not in the real property systems.
  • In fiscal year 2021, DOD reported that it automated the quarterly review process of its obligations. This automation eliminated inefficiencies and provided analysts the time and insights needed to identify $316 million that could be put to better use before these funds expired or were canceled.
  • DOD stated the audit process improved the accuracy of the IT systems inventory and resulted in the retirement of 18 vulnerable IT systems.
  • DOD reported it identified $43 million in contract de-obligations as a result of better management of its obligations. This finding allowed DOD to reprogram funds to more immediate mission-support and mission-critical needs.
  • In fiscal year 2022, DOD reported that the U.S. Army and the U.S. Navy deployed robotic process automation tools to improve data timeliness and accuracy. The use of these tools enabled the reprioritization of an estimated 150,000 and 90,000 labor hours, respectively.

Contact Information

For additional information about this high-risk area, contact Asif A. Khan at (202) 512-9869 or khana@gao.gov.

DOD Business Systems Modernization

The Department of Defense (DOD) needs to improve management of its business systems acquisitions and complete updates to its federated business enterprise architecture and the realignment of responsibilities previously assigned to the former Office of the Chief Management Officer (CMO).

Why Area Is High Risk

DOD spends billions of dollars each year to acquire and modernize business systems, including ones that address key areas such as personnel, financial management, health care, and logistics. However, significant challenges impede DOD’s efforts to improve this systems environment. This high-risk area comprises three segments that address critical challenges facing DOD: (1) improving business systems acquisition management, (2) improving business systems investment management, and (3) leveraging DOD’s federated business enterprise architecture. Addressing these three critical areas could assist DOD to achieve better cost, schedule, and performance outcomes; manage its portfolio of business system investments more effectively and efficiently; and help identify and address potential duplication and overlap.

Overall ratings for four criteria remain unchanged since 2021. However, action planning decreased to not met because DOD is revisiting its approach to its business enterprise architecture. Thus, its previous planning for that high-risk segment is now irrelevant. In addition, the department’s efforts to develop an action plan to address this high-risk area have stalled since 2021. The following sections present more detailed information on the three segments summarized in the overall rating.

DOD’s Business Systems Acquisition Management

Leadership commitment: partially met. We reported in our 2021 High-Risk Report that the National Defense Authorization Act (NDAA) for Fiscal Year 2021 repealed the CMO position. Thus, DOD needed to implement statutory requirements regarding the roles and responsibilities for business systems acquisition management previously assigned to the CMO. DOD has begun implementing these requirements. For example, we reported that, in September 2021, the Deputy Secretary of Defense assigned the Under Secretary of Defense (Comptroller) (USD(C)) and the Chief Information Officer (CIO) with the shared responsibility for issuing supporting guidance for coordinating and making decisions about covered defense business systems.

In addition, we reported in June 2022 that a DOD official stated the department planned to change its defense business systems investment management policy and guidance for the fiscal years 2023 and 2024 investment review and approval cycles. For example, according to DOD, the guidance will require business systems to align to specific performance measures. DOD officials also stated the department plans to subsequently adjust acquisition policies and guidance.

However, DOD leaders need to exercise consistent leadership to ensure the department successfully implements its plans to update key guidance, as we have reported in our past High-Risk Report updates. Consistent with what we reported in 2019, DOD has faced frequent changes in leadership positions responsible for managing its business system investments. In addition, DOD has not taken consistent and sustained steps toward completing planned actions and addressing our long-standing open recommendations.

Capacity: partially met. In September 2021, DOD reassigned policy, guidance, and business systems investment oversight responsibilities to the DOD CIO and USD(C). As of February 2023, officials from DOD’s Offices of the Director of Administration and Management and Chief Information Officer stated that the department plans to revisit a human capital analysis previously developed by the former Office of the CMO. Additionally, they will determine the appropriate next steps for implementing the outstanding planned actions. These planned actions included reviews intended to, among other things, identify skills and other resource gaps. However, DOD officials did not provide a date for when they anticipate completing these planned actions.

Action plan: not met. In December 2022, officials within the Office of the CIO stated that the department intends to develop a plan to address this high-risk area. However, these officials did not provide a date for when they anticipate completing this action plan.

Monitoring: partially met. DOD provides information to the federal IT dashboard. This dashboard is a public website that allows federal agencies and the public to view details of federal IT investments and to track their progress over time. It may allow the department to document progress in improving business system acquisition outcomes. However, DOD does not have the means to monitor broader progress in improving its business systems acquisition management efforts. It does not have an action plan with milestones and metrics to allow the agency to measure progress.

Demonstrated progress: partially met. DOD has had mixed success in delivering business systems investments that meet cost, schedule, and performance commitments. For example, we reported in June 2022 that each of the 25 major DOD business IT programs had identified metrics for reporting performance on the federal IT dashboard. However, we also reported that major DOD business IT programs were not reporting complete data to the federal IT dashboard. For example, as figure 17 shows, six programs fully reported performance data, eight programs reported incomplete data, and 11 programs did not report performance data. Officials from the Office of the CIO stated that programs that have performance measures should be reporting them to the dashboard.

Figure 17: Officials for DOD’s 25 Major IT Business Programs Reported Performance Data to the Federal IT Dashboard, as of June 2022

DOD’s Business Systems Investment Management Process

Leadership commitment: partially met. As we reported in our 2021 High-Risk Report, the NDAA for Fiscal Year 2021 repealed the CMO position. Thus, DOD needed to implement statutory requirements regarding the roles and responsibilities for business systems acquisition management previously assigned to the CMO. In response, in September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. As a result, DOD leadership needs to re-establish momentum for addressing our recommendations regarding the investment process.

Capacity: partially met. In September 2021, DOD reassigned policy, guidance, and business systems investment oversight responsibilities to the DOD CIO and USD(C). As of February 2023, officials from DOD’s Offices of the Director of Administration and Management and Chief Information Officer stated that the department plans to revisit a human capital analysis previously developed by the former Office of the CMO. At that point, DOD will determine the appropriate next steps for implementing the outstanding planned actions. These planned actions included reviews intended to, among other things, identify skills and other resource gaps. However, DOD officials did not provide a date for when they anticipate completing these planned actions.

Action plan: not met. In December 2022, officials within the Office of the DOD CIO stated that the department will develop a plan to address this high-risk area. However, these officials did not provide a date for when they anticipate completing this action plan.

Monitoring: not met. DOD cannot measure progress on addressing this segment of the high-risk area because it still lacks an action plan. Action plans should contain milestones and metrics to allow DOD to monitor progress toward improving its business system investment management process.

Demonstrated progress: partially met. In response to the NDAA for FY 2021 repealing the CMO position, DOD has directed a broad realignment of the responsibilities previously assigned to the CMO. This includes responsibilities for updating its business systems investment management guidance. However, DOD needs to show continued progress in addressing our recommendations associated with the investment management process, such as developing improved investment management guidance.

DOD’s Federated Business Enterprise Architecture

Leadership commitment: partially met. In response to the NDAA for FY 2021 repealing the CMO position, DOD has directed a broad realignment of the responsibilities previously assigned to the CMO. This includes responsibilities for managing the business enterprise architecture. For example, the DOD CIO was charged with developing and maintaining the DOD business enterprise architecture to guide the development of integrated DOD business processes.

However, since our 2021 High-Risk Report, the department has again revamped its efforts to improve its business enterprise architecture. DOD needs to ensure that it exercises consistent leadership over the business enterprise architecture. It also needs to ensure that planned updates to the architecture are competed. For example, we reported in June 2022 that DOD officials stated the department was reviewing its portfolio management processes. They added that DOD is also working to integrate those processes with the business enterprise architecture and the associated information enterprise architecture. In January 2023, officials from the Office of the DOD CIO stated that DOD will begin coordinating the modernized business enterprise architecture framework across the department no later than March 2023.

Capacity: partially met. DOD’s business enterprise architecture is a tool to provide DOD with the capacity to make sound investment decisions. It also serves as a blueprint for the department’s business transformation efforts. However, we reported in July 2015 that DOD’s business architecture was not fully achieving its intended outcomes. As of February 2023, the offices taking on former CMO responsibilities have yet to update the business enterprise architecture.

Action plan: decreased to not met. In December 2022, officials within the Office of the DOD CIO stated that the department will develop a plan intended to include specific actions and associated milestones to address this high-risk area. However, these officials did not provide a date for when they anticipate completing this action plan.

Monitoring: decreased to not met. As of February 2023, the department had not developed a plan with tasks and associated milestones to monitor its efforts to update its business enterprise architecture.

Demonstrated progress: partially met. DOD has established the capacity to identify potentially duplicative investments. It also provided examples of benefits attributed, at least in part, to its business enterprise architecture. Nevertheless, the department is revamping its approach to its business enterprise architecture. It has yet to demonstrate that it is assessing potential duplication and overlap actively and consistently to eliminate duplicative systems. Further, DOD needs to demonstrate progress in addressing our remaining open recommendations. These include solidifying its approach to improving the business enterprise architecture and integrating its business and IT architectures.

What Remains to Be Done

As of February 2023, 14 recommendations remained open. DOD needs to:

Benefits

We have identified more than $3 billion in financial benefits and nearly 60 other benefits since 2006. Specifically, DOD took the following actions:

  • DOD cancelled the Air Force's Expeditionary Combat Support System because of increased oversight, issues with program life-cycle costs, and implementation weaknesses. As a result, DOD avoided almost $1 billion in planned program expenditures.
  • DOD completed business process re-engineering documentation for the Integrated Personnel and Pay – Army system. This helps ensure that its business processes are streamlined and as efficient as practicable.
  • DOD improved the information used to develop its budget requests and make oversight decisions. This reduces the risk that it will make investment decisions based on unreliable information.

Contact Information

For additional information about this high-risk area, contact Vijay A. D'Souza at (202) 512-7650 or DSouzaV@gao.gov.

DOD Approach to Business Transformation

The Department of Defense (DOD) should strengthen its guidance and monitoring efforts to help the department engage in business reform and ensure that transformation occurs.

Why Area Is High Risk

DOD spends billions of dollars each year to maintain key business operations intended to support the warfighter. This includes systems and processes related to the management of contracts, finances, the supply chain, support infrastructure, and weapon systems acquisition. Weaknesses in these areas adversely affect DOD’s efficiency and effectiveness. They also render its operations vulnerable to waste, fraud, and abuse. DOD’s approach to transforming these business operations is linked to its ability to perform its overall mission. This, in turn, affects the readiness and capabilities of U.S. military forces.

We added DOD’s overall approach to managing business transformation as a high-risk area because DOD had not taken the necessary steps to achieve and sustain business reform on a broad, strategic, department-wide, and integrated basis. In addition, it did not initially have an integrated plan for business transformation improvements.

Since our 2021 High-Risk Report, we have increased the rating for Leadership Commitment from partially met to met. The ratings for all other criteria remain unchanged. Consistent with congressional direction, DOD has transitioned some business transformation responsibilities from the former Chief Management Officer (CMO) to other DOD components. However, according to DOD officials, because of the substantial work required to complete that transition, there have been delays in some business reform efforts. This includes the department’s Performance Improvement Framework.

Leadership commitment: increased to met. Since the dissolution of the CMO position in January 2021, DOD has taken the approach of relying on the authority of the Deputy Secretary of Defense as Chief Operating Officer (COO) to lead and manage reform efforts. The Deputy Secretary of Defense has taken such actions as issuing guidance in September 2021 and January 2022 on the role of the Director of Administration and Management. The latter also serves as the Performance Improvement Officer (Director/Performance Improvement Officer). The Deputy Secretary of Defense also has announced reform and performance improvement efforts. In addition, she has approved a revised Defense Business Council charter in January 2022.

The council supports business transformation by overseeing the coordination of DOD business planning and reporting and aligning both with business operation plans and resources. The Defense Business Council is tri-chaired by the Director of Administration and Management, the Under Secretary of Defense (Comptroller)/Chief Financial Officer, and the Chief Information Officer. Council membership consists of the Under Secretaries of Defense, DOD General Counsel, the Director of Cost Assessment and Program Evaluation, the Director of the Joint Staff, and the Military Departments’ Chief Management Officers. DOD has also taken steps to build performance improvement efforts into core department operations, such as the Planning, Programming, Budgeting, and Execution process and performance evaluations of DOD’s Senior Executive Service members. In part because of these actions, DOD has taken sufficient action to close our 2015 recommendation that it ensure the COO leads Agency Priority Goal meetings.

Moving forward, it will be important for DOD to demonstrate that this new leadership approach, focused on the Deputy Secretary, allows for crosscutting department-wide reforms, where needed, to be developed and implemented. DOD officials have stated that the Director/Performance Improvement Officer will use the Deputy Secretary’s priorities and reforms identified at the component levels to identify potential sources for crosscutting reforms. The Director/Performance Improvement Officer does not plan to initiate crosscutting reforms because as Office of the Director of Administration and Management (Director’s Office) officials told us, they do not have the authority to direct specific reform efforts without direction from the Deputy Secretary of Defense. They also said that their work is inherently cross functional. They are currently re-establishing relationships across the department since the disestablishment of the CMO position. Moving forward, we will assess the extent to which DOD’s new leadership approach, focused on the Deputy Secretary, allows for department-wide reforms to be developed and implemented.

Capacity: partially met. DOD established the Performance Improvement Directorate within the Director of Administration and Management’s Office in February 2022. As of December 2022, Director’s Office officials stated they were still hiring staff and building capacity to oversee DOD reform efforts. Director’s Office officials stated that a recent reorganization put DOD’s Audit Management function under Director’s Office control. They say they expect this to augment their office’s capacity. As a result, these officials stated that the office is budgeted for 45 full-time equivalent staff. As of December 2022, the officials stated that the office had filled 35 of these positions. It will be important for the Director’s Office to fill open positions and ensure its full-time equivalent staff is sufficient to support the office’s responsibilities to monitor reform initiatives across the agency effectively.

In addition, DOD’s new approach to business transformation places greater emphasis on the involvement of component heads and principal staff assistants. This includes the Under Secretaries of Defense and other Office of the Secretary of Defense officials who report directly to the Secretary or Deputy Secretary of Defense. Such action will allow for the development and implementation of reform efforts. As a result, the capacity of these organizations to fulfill these responsibilities directly affects the department’s overall capacity to engage in business reforms. For example, an official from the Office of the Under Secretary of Defense for Acquisition and Sustainment stated that the dissolution of the CMO position shifted responsibility for one reform effort to his office. This, in turn, he said limited his office’s capacity to implement this effort. In addition, according to Navy officials, the Navy office responsible for overseeing reform efforts was considerably downsized from a team of 21 staff to four. This occurred after DOD’s CMO position was eliminated because of a shift in Navy priorities. The Navy has recently begun rebuilding that office’s team up to nine staff according to Navy officials. Further, as discussed in our other high-risk areas involving DOD business operations, such as business systems modernization, the capacity of the department to address ongoing challenges within these operations remains a concern.

Action plan: met. DOD released its Strategic Management Plan in August 2022. The plan replaced its previous National Defense Business Operation Plan, which was in place through fiscal year 2022. The Strategic Management Plan reflects the department’s new approach of incorporating performance improvement efforts into existing processes and forums. It includes reforms to specific business areas within some of its identified goals, such as modernizing and consolidating DOD networks and services. Other reforms include ensuring supply chain resilience and implementing health care transformation efforts. Department officials are now implementing the Strategic Management Plan and its related Performance Improvement Framework, including developing more detailed guidance and reporting tools.

Monitoring: partially met. DOD continues to enhance its monitoring efforts by, among other things, developing new management frameworks and expanding its data analytics platform called Advana. DOD’s Strategic Management Plan includes a framework for monitoring progress on the plan, including establishing performance baselines. In addition, DOD’s Performance Improvement Framework provides a new approach to identifying, tracking, and reporting on reform efforts in the department.

In November 2022, the Director/Performance Improvement Officer and the Under Secretary of Defense (Comptroller) issued guidance for data collection to support reporting under the Performance Improvement Framework using an application housed in the Advana platform. DOD plans to use an Advana application called Pulse for reporting under the framework, as well as for monitoring implementation of the Strategic Management Plan. Pulse will also incorporate DOD’s existing Business Health Metrics application. This application provides DOD leadership with an overview of how the department’s business operations are performing. According to Director’s Office officials, parts of the reporting tools in Pulse are still under development. In addition, regular reporting using them has yet to begin.

Demonstrated progress: partially met. Consistent with statutory requirements, DOD has made progress in transitioning the former CMO’s responsibilities to appropriate elements and organizations within the department, such as the Director/Performance Improvement Officer and other principal staff assistants. In addition, Director’s Office efforts over the last year to integrate performance improvement into key institutional functions show that department officials are working to ensure that any progress in reform efforts can be sustained across fiscal years and across administrations. The work to lay this foundation, which Director’s Office officials stated will take years to fully implement, has taken place concurrently with reorganizing and reassigning responsibilities that had been the purview of the CMO. This contributed to delays in issuing both the Strategic Management Plan and the Performance Improvement Framework. They were initially required to be issued in February 2022 (the required date for the Framework was later extended) but were issued in August and October 2022, respectively.

According to Director’s Office officials, responsibility for reform initiatives previously led by cross-functional teams that reported to the CMO were moved to the relevant DOD offices. For example, responsibility for the effort to improve and standardize the department’s time-to-hire measure, as a part of its human resources service delivery, moved to the Office of the Under Secretary of Defense for Personnel and Readiness. However, it is unclear whether these offices have maintained the efforts. As a part of its data collection for the Performance Improvement Framework in November 2022, the Director/Performance Improvement Officer has requested information on the status of these initiatives.

Staff from the military departments and offices within the Office of the Secretary of Defense told us that some of their individual reform efforts continued during the period of CMO dissolution. However, some staff also told us that reform was de-emphasized when the CMO position was disestablished. They added that they were awaiting guidance from the Director/Performance Improvement Officer on how to define and report on the ongoing efforts.

DOD’s Annual Performance Report for Fiscal Year 2021 reported progress on various business reform efforts in support of the department’s strategic goals. This includes data center consolidation, business system modernization, and improvements to financial management. However, the report lacked outcome-oriented reporting on business reform efforts because, according to Director’s Office officials, the group responsible for monitoring these efforts was disbanded at the same time the CMO was disestablished.

According to Director’s Office officials, full reporting under the new Performance Improvement Framework will not begin until fiscal year 2024. However, they plan to issue an initial report in 2023. DOD officials have stated that they are placing less emphasis on financial savings as the primary indicator of progress. Instead, they are considering other performance indicators to determine progress. We will monitor reporting under the new framework to assess the extent to which DOD reform efforts are demonstrating meaningful progress, whether financial or otherwise.

What Remains to Be Done

Since we added this area to our High-Risk List in 2005, we have made numerous recommendations to DOD focused on this high-risk area. Six of these recommendations remain open as of February 2023, including that DOD

  • routinely and comprehensively monitor and evaluate ongoing efficiency initiatives, including establishing baselines from which to measure progress, periodically reviewing progress made, and evaluating results; and
  • consistently report reform savings based on definitions of reform.

In addition, DOD should continue to implement the Performance Improvement Framework. This includes integrating it into relevant department processes and following through on the development of implementing guidance where required.

DOD should also demonstrate that its new leadership approach allows for crosscutting department-wide reforms, where needed, to be developed and effectively implemented.

Benefits

Progress in the DOD approach to business transformation high-risk area totaled more than $50 million as a result of DOD’s increased use of private labels at its commissaries and nearly 20 other benefits to the federal government.

It will be important for DOD to continue to ensure that it updates and follows through on actions that yielded these benefits in the past.

Contact Information

For additional information about this high-risk area, contact Elizabeth Field at (202) 512-2775 or fielde1@gao.gov.

Ensuring the Cybersecurity of the Nation

Federal agencies can strengthen cybersecurity by fully establishing and effectively implementing a comprehensive national cyber strategy, a government-wide cyber workforce plan, strategies for monitoring privacy programs, and critical infrastructure cyber protections.

Why Area Is High Risk

Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—depend on technology systems to carry out operations and process, maintain, and report essential information. The security of these systems and data is vital to protecting individual privacy and national security, prosperity, and well-being.

However, risks to technology systems are increasing. In particular, malicious actors are becoming more willing and capable of carrying out cyberattacks. Such attacks could result in serious harm to human safety, the environment, and the economy. Agencies and critical infrastructure owners and operators must protect the confidentiality, integrity, and availability of their systems and effectively respond to cyberattacks.

We have designated information security as a government-wide high-risk area since 1997. We expanded this high-risk area in 2003 to include protection of critical cyber infrastructure. In 2015, we expanded it again to include protecting the privacy of personally identifiable information.

The rating for Leadership Commitment increased from partially met to met as a result of Congress establishing the Office of the National Cyber Director in the White House to lead the nation’s cybersecurity effort. The remaining four criteria ratings remain unchanged since 2021. Although federal agencies have made some improvements, continued issues challenge the federal government’s efforts to ensure the cybersecurity of the nation, including the urgent need for

  • a fully established and implemented comprehensive cybersecurity strategy and plans;
  • more concentrated efforts to determine whether the 16 critical infrastructure sector owners and operators have adopted a cybersecurity framework;
  • more complete efforts to fully develop privacy programs (e.g., establish policies and procedures for cross-agency activities such as workforce planning and managing privacy risks to IT systems); and
  • improved cybersecurity workforce management activities (e.g., a plan that addresses workforce shortages).

Leadership commitment: increased to met. In January 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, which established, within the Executive Office of the President, the Office of the National Cyber Director to lead the nation's cybersecurity effort. The presence of this leadership should facilitate the high-level attention and coordination needed to address cyber threats and challenges facing the nation. Thus, our rating increased from partially met to met.

Capacity: partially met. Federal agencies have made progress in improving their cybersecurity workforce practices. For example, 18 agencies have taken steps to identify and categorize all of their vacant IT and cyber-related positions. However, federal agencies need to take additional action to address challenges faced by federal and nonfederal critical infrastructure entities in hiring, training, and retaining their cybersecurity and privacy workforces. For example,

  • The Office of Management and Budget needs to develop a government-wide workforce plan that addresses the federal cybersecurity workforce shortage.
  • Eleven of the 24 Chief Financial Officer Act agencies need to continue to identify cyber workforce needs and fully implement key IT workforce planning practices.
  • Thirteen of the 24 Chief Financial Officer Act agencies need to fully define and document processes for privacy workforce management, including assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy.

Action plan: partially met. Federal agencies have issued several plans to outline actions that need to be taken to address cybersecurity and privacy challenges, such as the current administration’s May 2021 cybersecurity executive order. However, we recommended in September 2020 that the federal government should develop a national cybersecurity strategy that addresses all of the desirable characteristics of national strategies. On March 2, 2023, the White House issued the National Cybersecurity Strategy to articulate the administration’s planned approach to managing the nation’s cybersecurity. In particular, the National Cybersecurity Strategy includes goals and objectives focused on securing critical infrastructure, disrupting malicious cyber threat actors, and advancing U.S. interests in cyberspace through continued international diplomacy, among others.

The goals and strategic objectives included in the recently issued strategy provide a good foundation towards establishing a more comprehensive strategy, but more effort is needed to address all of the desirable characteristics of national strategies (e.g., milestones, performance measures, resources needed to carry out goals and objectives, and fully defined roles and responsibilities). According to the National Cybersecurity Strategy, the Office of the National Cyber Director will work with federal agencies to develop an implementation plan to articulate the lines of effort needed to implement this strategy. Until the federal government fully establishes and carries out an implementation plan for the National Cybersecurity Strategy, overall progress in addressing this urgent area will remain limited.

Monitoring: partially met. Federal agencies continue to monitor progress toward meeting cybersecurity-related targets for cross-agency priority goals and implementing effective cybersecurity programs. However, federal agencies need to take additional action to measure the performance of their cybersecurity and privacy programs, as well as progress that critical infrastructure organizations are taking to manage cyber risk. For example:

  • The federal government needs to fully establish and implement a comprehensive national cyber strategy that includes, among other things, assigning roles and responsibilities.
  • Six of the nine sector risk management agencies—agencies that assist in protecting critical infrastructure owners and operators, including enhancing cybersecurity—need to better measure the progress that critical infrastructure entities are making toward addressing cybersecurity risk.
  • Federal financial regulatory agencies need to improve practices needed to monitor privacy protections, such as maintaining a full inventory of personally identifiable information for all agency-owned applications and establishing metrics to monitor privacy controls.

Demonstrated progress: partially met. Although agencies have made some improvements, they need to urgently address the 10 critical actions associated with four major cybersecurity challenges that we have identified (see figure 18).

Figure 18: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges

In particular, the federal government needs to

  • fully establish and implement a comprehensive national cyber strategy to have a clear roadmap for overcoming the cyber and privacy challenges facing our nation;
  • fully establish and implement cyber risk management programs;
  • develop methods for determining the level and type of adoption of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity by the critical infrastructure entities; and
  • fully establish privacy programs by appointing a senior-level official with privacy as a primary area of responsibility.

What Remains to Be Done

Since 2010, we have made more than 4,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government. More than 670 of these recommendations were made since the last high-risk update in 2021. As of February 2023, more than 850 recommendations had not been fully implemented, including 52 of 133 priority recommendations, which we believe warrant priority attention from heads of key departments and agencies.

Specifically, we have made recommendations to address the four cybersecurity challenges facing the nation and improving the security of federal and critical infrastructure systems. For example, federal agencies need to

  • fully establish and implement the national strategy;
  • fully establish and implement cybersecurity risk management programs;
  • increase their efforts to develop methods for determining the level and type of adoption of National Institute of Standards and Technology’s cybersecurity framework by the critical infrastructure entities; and
  • fully establish privacy programs to ensure that they are consistently implementing privacy protections for sensitive information.

Congressional Actions Needed

We have four matters for Congress related to protecting digital privacy. We recommended that Congress

  • consider legislation to designate a senior privacy official—a position with the organizational placement necessary to coordinate with other agencies and the necessary authority to ensure that privacy requirements are implemented—at agencies that currently lack such a position;
  • provide the Federal Trade Commission with civil penalty authority to ensure that the agency can enforce the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act more effectively;
  • strengthen the consumer privacy framework to reflect the effects of changes in technology and the marketplace and review issues such as the adequacy of consumers’ ability to access, correct, and control their personal information, and privacy controls related to new technologies; and
  • amend laws, such as the Privacy Act of 1974 and the E-Government Act of 2002, because they may not consistently protect personally identifiable information.

Benefits

Progress to address this high-risk issue has resulted in more than $10 million in financial benefits and more than 3,500 other benefits. For example:

  • In September 2020, we recommended that Congress consider legislation to designate a leadership position in the White House that will lead the nation’s efforts to protect its cyber critical infrastructure. In 2021, Congress enacted legislation that established the Office of the National Cyber Director to serve as the principal advisor to the President on cybersecurity policy and strategy.
  • In December 2018, we reported numerous deficiencies in the Centers for Disease Control and Prevention’s cybersecurity program and controls. These deficiencies placed sensitive information at risk, including unauthorized disclosure and modification. In response, the Centers for Disease Control and Prevention implemented all of the 195 recommendations we made to strengthen its cybersecurity controls.
  • In December 2018 and June 2019, we reported that the Transportation Security Administration’s pipeline security program had several weaknesses, including not having a documented process to update pipeline security guidance regularly. In response, the Transportation Security Administration fully addressed 10 of 13 recommendations by clarifying its pipeline security guidelines and improving performance monitoring, among other areas.

Contact Information

For additional information about this high-risk area, contact Marisol Cruz Cain at (202) 512-5017 or cruzcainm@gao.gov.

Strengthening Department of Homeland Security IT and Financial Management Functions

The Department of Homeland Security (DHS) has made progress addressing major management challenges but needs to address remaining challenges in IT—specifically IT security controls and information systems—and financial management.

Why Area Is High Risk

In 2003, DHS began operations and had to transform 22 agencies—several with major management challenges—into one department. DHS has made progress in these efforts. This high-risk area has evolved over time.

For example, in 2011, we identified that DHS needed to focus its efforts on five management areas—human capital, acquisitions, IT, financial, and management integration. Since then, DHS has made sustained progress in some, but not all, of these areas. Therefore, we have narrowed this high-risk area to focus on DHS’s remaining work in areas that continue to experience significant challenges: IT and financial management.

For instance, DHS manages an annual budget of at least $50 billion. However, DHS has faced challenges securing federal IT systems and information and it continues to face significant challenges with its financial management systems. The department needs to do more to address these most pressing management challenges.

Since the 2021 High-Risk List, the criteria ratings are unchanged. While DHS demonstrated substantial progress in some of its management functions, it has critical additional work to do in the areas of IT and financial management.

Leadership commitment: met. DHS’s top leaders have continued to demonstrate commitment and support for addressing the department’s management challenges. For instance, the Secretary of Homeland Security made addressing our high-risk recommendations part of a department-wide transformation initiative in 2022, thus ensuring a sustained focus on these areas.

Capacity: partially met. Since 2021, DHS has made progress developing the capacity needed to address outstanding issues in IT and acquisition management. For example, DHS changed how it identifies and tracks certain IT positions. This improved its workforce planning activities. In addition, DHS improved how it ensures certain acquisition officials are qualified for their positions. However, DHS needs to continue taking action to address capacity-related issues that we and its financial statement auditor identified. This includes implementing its multiyear strategy to modernize its financial systems. For example, DHS will need additional resources for the modernization efforts at the Federal Emergency Management Agency (FEMA) and U.S. Immigration and Customs Enforcement (ICE).

Action plan: met. In January 2011, DHS produced its first Integrated Strategy for High-Risk Management. It has issued 20 updated versions since. The most recent update, from September 2022, describes DHS’s progress and planned actions to further strengthen its management functions.

Monitoring: met. In its September 2022 Integrated Strategy for High-Risk Management, DHS included status updates and plans for actions that are in progress.

Demonstrated progress: partially met. Since 2021, DHS has made substantial progress implementing actions identified by us and agreed to by DHS in 2010—what we have referred to in prior high-risk reports as outcomes. These outcomes represent actions that are critical to addressing the challenges within DHS’s management areas. Since 2010, DHS has fully addressed all but eight of 30 outcomes, with work remaining in the areas of IT and financial management. Progress in these areas in turn affects DHS’s management integration progress (see fig. 19).

Figure 19: Percentage of Management Outcomes That Have Been Fully Addressed by the Department of Homeland Security as of February 2023

  • Human capital management and acquisition management. Since our 2021 High-Risk List, DHS has fully addressed its human capital management outcomes. DHS implemented a strategic human capital plan, established a mechanism to centrally collect training data from across the department, and used training data to inform management decisions.

    However, like many other federal agencies, DHS continues to face broader challenges in workforce planning, employee skills gaps, and employee morale. We will continue to monitor DHS’s efforts to address these workforce issues, including its efforts to improve employee engagement, as a part of government-wide efforts in our Strategic Human Capital Management high-risk work and through our priority recommendations to DHS.

    DHS has also taken steps to fully address its remaining outcomes in acquisition management including maturing its requirements development process and improving its acquisitions workforce management. DHS has also implemented new policies and processes to improve acquisition data quality and oversight to help ensure that its major programs achieve their cost, schedule, and capability goals.

  • IT management. DHS has made progress implementing recommendations from DHS’s Office of Inspector General (OIG) and addressing our high-risk IT management outcomes. However, more work remains for DHS to strengthen its information security program.

    For instance, in 2022, the OIG found that DHS’s information security program was ineffective for fiscal year 2021 because it did not apply security patches and updates in a timely manner, among other things. Additionally, in 2022, DHS’s financial statement auditor continued to designate deficiencies in IT systems control as material weaknesses for financial reporting purposes. These deficiencies included ineffective design and implementation of controls to address security management, access controls, configuration management, and segregation of duties.

    To help address these long-standing issues, DHS’s July 2021 Improving Cybersecurity Implementation Report to the Office of Management and Budget mentioned that the department implemented a model to guide how it measures cybersecurity maturity. DHS also consolidated security and network operations to improve operational and security situational awareness.

    DHS also has plans to improve its cybersecurity in response to the 2020 compromise of SolarWinds Orion, an enterprise network management software suite that was the target of a widespread hacking campaign. For example, DHS plans to strengthen its threat identification and response capability by implementing an endpoint detection and response tool. This will allow it to effectively monitor and protect against malicious activities in its networks that an anti-virus software or host-based intrusion prevention tool was unable to monitor.

    However, until DHS mitigates the vulnerabilities identified by its OIG and financial statement auditor, the data maintained on its systems will remain at increased risk of unauthorized modification and disclosure and systems will remain at risk of disruption.

  • Financial management. DHS received an unmodified (clean) audit opinion on its consolidated financial statements for 10 consecutive years—fiscal years 2013 to 2022. However, DHS continued to receive a separate adverse opinion on its internal controls over financial reporting also for the 10th consecutive year because it did not design and fully implement control activities to provide reasonable assurance its financial management systems would produce reliable reporting of financial information.

    The fiscal year 2022 audit found that prior material weaknesses in internal controls in the areas of (1) financial reporting, and (2) IT controls and information systems remain unresolved. Further, because of persistent issues related to insurance liabilities, the auditor reported this area as a material weakness, elevating it from a significant deficiency as reported in fiscal year 2021. In addition, for fiscal year 2022, a fourth material weakness was reported for the U.S. Coast Guard’s newly implemented financial management system’s ineffective design of controls over review of obligations incurred and the accuracy of expenditure records. The DHS auditor also continued to report that agency financial management systems did not comply substantially with Federal Financial Management Improvement Act of 1996 requirements. This includes federal financial management system requirements, applicable federal accounting standards, and the U.S. Standard General Ledger at the transaction level.

    Much work remains to modernize DHS components' financial management systems and business processes. FEMA and ICE’s modernization efforts remain in the planning stages, with the estimated implementation initially planned for 2025 and 2026, respectively. In addition, the Coast Guard needs to resolve (1) internal control issues identified by the auditor related to the implementation of its new system, and (2) other serious findings identified in its system testing results prior to declaring full operational capability. Without implementing modernized systems with fully effective controls, DHS is at an increased risk of errors and inconsistent or incomplete financial information from the use of manual and other control solutions.

  • Management Integration. DHS has implemented actions in each of its four management functions. It is working to address its remaining challenges. To fully address the remaining management integration outcome, DHS must continue to demonstrate sustainable progress integrating its management functions within and across the department. This is particularly true with respect to integrating its financial management and IT systems. DHS must also address the remaining seven outcomes in financial and IT management.

What Remains to Be Done

As of February 2023, there were several open recommendations related to DHS management. In addition to addressing these recommendations, DHS’s progress depends on addressing its remaining work in IT and financial management, particularly those we, its OIG, and the financial statement auditor identified, including

  • making improvements to its IT security program,
  • continuing its financial system modernization efforts and remediating known issues; and
  • continuing efforts to ensure key controls are in place to address material weaknesses.

Benefits

Financial benefits to the federal government due to progress in the DHS management high-risk area over the past 15 years are more than $2 billion. There are also more than 200 other benefits to the federal government due to progress in this area. For example:

  • Our work found that DHS acquisition programs were not matching their needs with available resources before starting product development. We recommended DHS update its acquisition policy, which it did in 2021.
  • Our work identified a need for DHS and component human capital officials to examine the root causes of its employee engagement data and to link its results to action plans. DHS addressed these by establishing a committee and using new survey analysis techniques.
  • Our work found a need for improvements in how DHS develops operational requirements for its acquisitions. In response, DHS issued a policy directive requiring components’ requirements development policies to be consistent with agency level policy, and that these policies be shared within DHS to ensure alignment with DHS policy.

Contact Information

For additional information about this high-risk area, contact Chris Currie at (404) 679-1875 or curriec@gao.gov.

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Agencies have made some progress protecting critical programs and technologies to maintain U.S. military superiority. However, several areas need more attention such as monitoring the effectiveness of protection measures.

Why Area Is High Risk

The Department of Defense (DOD) spends billions of dollars each year to develop and acquire technologies that provide an advantage for the warfighter. Many of these technologies are sold or transferred to promote U.S. economic, foreign policy, and national security interests. Foreign entities may also target these technologies for unauthorized transfer, such as theft, espionage, reverse engineering, and illegal export.

This high-risk area involves DOD’s efforts to (1) identify and protect its critical programs and technologies; (2) coordinate with protection efforts of other agencies, including the Departments of Commerce, Homeland Security, Justice, State, and the Treasury; and (3) develop metrics to determine the effectiveness of protection measures.

Since our 2021 High-Risk Report, the rating for leadership commitment increased from partially met to met. The four other criteria ratings remain unchanged. The following sections present more detailed information on actions that DOD and other federal agencies have taken to address this high-risk area.

Leadership commitment: increased to met. DOD has taken actions to improve its leadership in this high-risk area. For example, DOD officials assigned the responsibility for overseeing protection of critical programs and technologies to the Office of the Under Secretary of Defense for Research and Engineering. This move addressed a recommendation we made in January 2021.

Since then, Research and Engineering has taken an active role in overseeing protection actions, including coordinating with senior military service leaders to create an annual list of critical programs and technologies. In addition, in July 2022, the office issued a Technology and Program Protection Guidebook. This guidebook provides guidance to science and technology managers and engineers on implementing a DOD instruction on technology and program protection. According to DOD officials, the office is also updating a DOD-wide instruction that will standardize definitions and clarify terms used in technology protection. Military service leaders said that they are also updating their policies that guide service actions to protect critical programs and technologies. Further, the White House identified core technologies that need to be protected by updating its National Strategy for Critical and Emerging Technologies in 2022.

Capacity: partially met. In April 2021, Treasury officials stated that the agency coordinated with member agencies of the Committee on Foreign Investment in the United States to assess their staffing requirements, as we recommended in February 2018. Treasury officials said additional resources—including those authorized by the Foreign Investment Risk Review Modernization Act of 2018—have improved the committee’s ability to carry out core functions. In addition, DOD Research and Engineering officials told us that their department received a few additional staff to help carry out functions relating to the protection of critical programs and technologies, in addition to other office activities.

However, DOD officials said they have yet to determine the full costs of implementing measures to protect critical programs and technologies across the department. Also, DOD is continuing efforts to build capacity to conduct cost assessments and train its workforce.

Action plan: partially met. DOD is continuing to implement the four-step process it uses as its action plan to identify and protect critical programs and technologies (see fig. 20). For example, in January 2021, the Deputy Secretary of Defense issued guidance detailing how DOD would communicate its annual list of critical programs and technologies internally and with other federal agencies, as we previously recommended.

Figure 20: Overview of DOD’s Process to Identify and Protect Programs and Technologies Supporting Critical Military Capability

Commerce and State provided additional guidance and outreach related to university-specific export control issues that addresses recommendations we made in May 2020. U.S. Immigration and Customs Enforcement also acted to protect against sensitive technology transfer and unauthorized exports by implementing recommendations we made in June 2022.

As of February 2023, Commerce and the Federal Bureau of Investigation indicated that they are taking actions to address measures in university-related export control recommendations, and we are currently in the process of evaluating those efforts. Specifically, we recommended that agencies periodically assess the relevance and sufficiency of risk factors they use to identify universities at greater risk for sensitive technology transfers and unauthorized exports.

Monitoring: partially met. DOD took some initial steps to monitor the effectiveness of protection efforts. For example, in 2021, DOD began partnering with a federally funded research and development center to develop metrics for assessing protection measures, as we recommended in January 2021. A DOD official stated that it will likely take a couple of years before the metrics are developed. Officials said that DOD also initiated—but has not completed—actions to develop corresponding metrics for and measure progress of its antitamper program. This is intended to deter or delay exploitation of critical programs and technologies by foreign adversaries.

Demonstrated progress: partially met. Agencies made some progress protecting critical programs and technologies. For example, the Office of Research and Engineering seeks to help stakeholders improve the protection of sensitive, unclassified information related to critical programs and technologies. In addition, DOD officials told us they have put increased emphasis on identifying technologies that need protection early in the acquisition life cycle. This focus has resulted in a significant increase in the number of technologies included on DOD’s list, according to DOD officials.

However, DOD is in the early stages of implementing its process to identify and protect critical programs and technologies. It also needs metrics to determine the effectiveness of protection efforts. Further, as of February 2023, we continue to assess other agencies’ actions to protect sensitive, unclassified information, including research conducted in a university setting.

What Remains to Be Done

DOD can improve its protection of critical programs and technologies by implementing its assigned protection measures. Additional progress could be made if DOD, Commerce, and other agencies fully implement the 11 open recommendations associated with this high-risk area, such as

  • identifying, developing, and periodically reviewing appropriate metrics to assess the implementation and sufficiency of the assigned protection measures; and
  • identifying, sharing, and assessing relevant risk factors to identify universities at greater risk for sensitive technology transfers, including unauthorized deemed exports.

Benefits

There were more than 60 benefits to the federal government due to progress in this high-risk area over the past 16 years. For example:

  • DOD designated the Office of the Under Secretary of Defense for Research and Engineering to oversee the protection of critical programs and technologies. This involves the protection of controlled unclassified information.
  • DOD formalized a process to share its list of critical technologies with other federal agencies and ensure consistent protection across the government.
  • The Committee on Foreign Investment in the United States received additional resources to increase its efficiency in reviewing covered transactions such as certain foreign acquisitions and mergers.

Contact Information

For additional information about this high-risk area, contact William Russell at (202) 512-4841 or russellw@gao.gov

Improving Federal Oversight of Food Safety

A government-wide approach is needed to address fragmentation in the federal food safety oversight system.

Why Area Is High Risk

The safety and quality of the U.S. food supply, both domestic and imported, are governed by at least 30 federal laws that are collectively administered by 15 federal agencies. We have long reported on the fragmented nature of the federal food safety oversight system. This fragmentation has caused inconsistent oversight, ineffective coordination, and inefficient use of resources. In addition, the Food and Drug Administration (FDA) and the Department of Agriculture (USDA) both have responsibilities related to infant formula. FDA oversees the product’s safety. USDA provides supplemental foods, including formula, to low-income families through its Special Supplemental Nutrition Program for Women, Infants, and Children. We have started work examining purchases of infant formula through this program. In recent years, we have recommended congressional and executive actions that, if implemented, would help reduce fragmentation and improve federal oversight of food safety.

Strengthening the food safety oversight system is critical to protecting Americans. Each year, foodborne illness sickens roughly one in six Americans (48 million people). Of that number, about 128,000 are hospitalized and 3,000 die, according to the most recent estimate from the Centers for Disease Control and Prevention (CDC). Certain groups, including young children and the elderly, are particularly vulnerable. In 2022, a manufacturer recalled infant formula that had been contaminated with a foodborne pathogen at a production site in Michigan after two infants died. Subsequent formula recalls worsened the existing shortage. Infants, particularly those in low income families, can face greater risk of malnutrition when the supply of infant formula is reduced.

All five criteria ratings remain unchanged since 2021.

Leadership commitment: partially met. Since 2021, USDA and the Department of Health and Human Services (HHS) have demonstrated leadership by continuing to include crosscutting food safety efforts in their strategic and planning documents, as we recommended in December 2014. For example, in 2021, FDA issued a plan to improve its response to foodborne outbreaks. According to the plan, FDA will work with other federal agencies to identify strains of foodborne pathogens.

However, federal agencies have developed neither a national plan nor strategy for food safety. The Food Safety Working Group (FSWG) previously provided a mechanism for a government-wide strategic approach. FSWG was established in 2009 to coordinate federal efforts and develop goals to make food safer. However, as we reported in 2014, the group had not met since 2011 (see fig. 21).

Furthermore, Congress has not directed the Office of Management and Budget to develop a government-wide performance plan for food safety to address our December 2014 matter. In addition, the administration has developed neither such a plan nor, alternatively, a national strategy for food safety, as we recommended in January 2017.

Figure 21: Key Food Safety Working Group Activities and Related Actions

Capacity: partially met. Federal food safety agencies would benefit from a centralized collaborative mechanism on food safety. Agencies within USDA and HHS have engaged in specific collaborative activities. This includes a workgroup convened by FDA and USDA in 2022 to collaborate on produce safety activities. These agencies, along with others, also work together as part of the Healthy People 2030 Initiative. This initiative sets data-driven national objectives to improve health and well-being over the next decade. However, these efforts do not include key elements that the FSWG previously provided, such as broad-based collaboration and discussion of resources.

Identifying resources needed to carry out the food safety mission is an important part of a government-wide performance plan or, alternatively, a national strategy for food safety that includes nonfederal stakeholders. Developing such a plan or strategy that encompasses the contributions of all federal agencies with a food safety role would increase federal capacity to improve food safety oversight. It could also address our December 2014 matter and our January 2017 recommendation.

Action plan: not met. The lack of a government-wide performance plan or a national strategy for food safety hampers decision makers in identifying agencies and programs that address similar missions. It also prevents them from setting priorities, allocating resources, and restructuring federal efforts, as needed, to achieve long-term goals. Without such a centralized collaborative mechanism, agencies are limited in their ability to develop broad-based food safety goals and objectives.

Monitoring: not met. A government-wide performance plan or national strategy for food safety could facilitate effective monitoring of federal food safety efforts. This is particularly true for those involving more than one agency. Such a plan or strategy could also better inform Congress and the public. In addition, it could identify areas needing corrective measures.

Demonstrated progress: partially met. FDA and USDA continue to collaborate on food safety through joint working groups and information sharing practices, such as the Interagency Risk Assessment Consortium. While these types of collaborations can help the federal government move toward developing a government-wide performance plan for food safety, the current agency-by-agency focus does not provide the integrated perspective necessary to guide decision-making and inform the public. A government-wide performance plan or national strategy could enhance collaboration among agencies that have a food safety role, such as CDC, the National Marine Fisheries Service, and Customs and Border Protection.

What Remains to Be Done

There has not been appreciable progress since our last update. No entity has assumed leadership responsibility for coordinating food safety efforts across the federal government. Since we added food safety to our High-Risk List in 2007, we have made numerous recommendations to enhance collaboration among agencies with food safety responsibilities. As of February 2023, three recommendations remain open, of which one is significant for removing this area from the High-Risk List:

  • In January 2017, we recommended that appropriate entities within the Executive Office of the President, in consultation with relevant federal agencies and other stakeholders, develop a national strategy for food safety that, among other things, establishes high-level sustained leadership, identifies resource requirements, and describes how progress will be monitored. The Executive Office of the President did not provide comments on our recommendation.

Congressional Actions Needed

As of February 2023, three matters for congressional consideration remain open and are significant for removing food safety from the High-Risk List. These matters request that Congress consider

  • directing the Office of Management and Budget to develop a government-wide performance plan for food safety that includes results-oriented goals and performance measures, and a discussion of strategies and resources; and
  • formalizing the FSWG to help ensure sustained leadership across food safety agencies over time.

If weaknesses in food safety oversight persist, Congress may wish to consider

  • commissioning the National Academy of Sciences or a blue ribbon panel to conduct a detailed analysis of alternative organizational food safety structures and report the results of such an analysis to Congress.

Benefits

Since we added this area to our list in 2007, there have been more than 70 benefits to the federal government, including the following:

  • In 2020, FDA and USDA each took actions to clarify that FDA will oversee cell-cultured seafood other than catfish, in response to our April 2020 recommendation. The public and other key stakeholders now have greater clarity on the agencies' oversight responsibilities in this area.
  • Also in 2020, FDA and USDA began ongoing discussions of relevant food safety research, including detection methods in contaminants in food. We found that the agencies did not have a mechanism to coordinate their research on such methods. These discussions will help FDA and USDA enhance their ability to use their resources efficiently and avoid potentially duplicative efforts.

Contact Information

For additional information about this high-risk area, contact Steve Morris at (202) 512-3841 or morriss@gao.gov.

Protecting Public Health through Enhanced Oversight of Medical Products

The Food and Drug Administration (FDA) needs to take steps to ensure drug availability and oversee the quality of global medical product supply chains.

Why Area Is High Risk

FDA has the vital mission of protecting the public health by overseeing the safety and effectiveness of medical products—drugs, biologics, and medical devices—marketed in the U.S. and used daily at home and in health care settings. FDA faces multiple challenges in this role, including (1) rapid changes in science and technology; (2) globalization; (3) unpredictable public health crises, such as the COVID-19 pandemic; and (4) an extensive workload.

We previously reported on FDA’s progress through two separate segments—response to globalization and drug availability. However, given the global nature of medical products FDA oversees, these areas are increasingly interrelated. Thus, we now report on them together.

Overall ratings for all five criteria remain unchanged since our last high-risk report in 2021. The following sections present more detailed information on actions that FDA has taken since then to address the oversight of medical products.

Leadership commitment: met. The agency continues to demonstrate leadership commitment to overseeing foreign medical product manufacturers through its response to the COVID-19 pandemic. The pandemic affected FDA’s ability to conduct inspections of foreign manufacturers. This limited a critical source of information about the quality of medical products manufactured for the U.S. market. The agency took a number of actions to maintain oversight during this period, including monitoring disruptions in the medical devices supply chain. FDA also assessed drug supply chain vulnerabilities in the U.S. market. In addition, it provided recommendations to improve resiliency as part of a White House-led effort on strengthening domestic supply chains. Since our last high-risk update in 2021, the Senate has confirmed an FDA Commissioner, a position that has faced frequent turnover in the past. The continued presence of Senate-confirmed leadership will be important to maintain the high-level attention needed to help address agency challenges.

Capacity: partially met. FDA increased its reliance on alternative sources of information to maintain oversight of medical products when it paused routine inspections during the COVID-19 pandemic. For example, FDA relied on documentation from manufacturers and reports from other regulators’ inspections for oversight information. In January 2021, we recommended that FDA fully assess these alternatives and consider their applicability for future use. FDA agreed. In June 2022, it reported it had initiated a workgroup to assess these alternatives. FDA also developed guidance for industry and agency staff.

To help recruit and retain a sufficient level of medical product staff, FDA leveraged hiring and pay flexibilities. It also followed some leading practices for effective workforce planning. However, we recommended in January 2022 that FDA develop an agency-wide strategic workforce plan with elements for monitoring and evaluating its progress toward its human capital goals. Legislation enacted in December 2022 requires the agency to issue such a plan by the end of fiscal year 2023, and at least every 4 years thereafter. Additionally, to address persistent vacancies, we also recommended in January 2022 that FDA fully develop tailored strategies focused on recruiting and retaining investigators who conduct inspections in overseas facilities (see fig. 22). As of March 2023, FDA had made significant progress implementing a workgroup and strategies in response to this recommendation.

Figure 22: Number of Vacancies for Food and Drug Administration (FDA) Foreign Drug Inspection Specialists

Note: FDA’s dedicated foreign drug cadre are investigators based in the U.S. who only conduct inspections of facilities located in foreign countries. In contrast, FDA also has investigators located in its foreign offices in China and India who conduct drug facility inspections in those countries.

FDA has also reported challenges overseeing over-the-counter drugs. In March 2020, it was authorized to collect user fees from manufacturers of over-the-counter drugs, which can be used to increase its capacity. While the agency has begun collecting such fees and increased its hiring, FDA officials said that it will take time before the agency is able to fully realize any benefits. It takes at least 2 years for any newly hired FDA staff to complete training and become fully effective in their respective positions.

Action plan: partially met. We identified multiple areas in which additional planning would benefit FDA’s oversight of medical products. For example, in January 2021, we recommended that when developing inspection plans for future years, FDA should identify, analyze, and respond to issues resulting from a delay in routine inspections during the COVID-19 pandemic. Since then, FDA issued a plan for addressing this inspection backlog, though we will continue to monitor its implementation.

Additionally, FDA still needs to take action to respond to our May 2016 recommendation to address shortcomings in broader strategic planning efforts. It could enhance coordination between the centers overseeing medical products. Some of this coordination has been paused because of leadership changes and the agency responding to the pandemic.

Monitoring: partially met. FDA has been taking steps to better monitor drug manufacturers such as by refining its process for identifying and prioritizing foreign establishments subject to inspection. However, in January 2021, we found that gaps persist in the drug manufacturing information the agency needs to help identify and mitigate supply chain vulnerabilities. FDA is in the process of implementing a CARES Act requirement that companies report the amount of drugs they manufacture. However, implementation of this reporting requirement has been delayed. In addition, FDA has indicated that the requirement will not fully address the gaps we identified. It does not expressly require manufacturers to provide detailed information about their respective supply chains. FDA has also sought additional authority from Congress to collect more complete drug manufacturing information.

Additionally, FDA has made progress in its efforts to assess the effectiveness of its foreign offices as we recommended in September 2010 and December 2016. In December 2022, FDA described multiple planning efforts it was undertaking, including development of performance measures. As of March 2023, FDA had implemented these performance measures, with targets, related to the contribution of the offices toward helping FDA follow up on prior inspections that identified deficiencies.

Demonstrated progress: partially met. The collective steps FDA has taken to improve its oversight of medical products demonstrate some progress. The agency has overcome long-standing challenges to conducting foreign inspections. For example, FDA has created a pilot program to study if the agency’s practice of giving foreign manufacturers notice of an inspection affects inspection quality. However, these steps are preliminary and the pandemic has impeded their progress. Moreover, FDA still needs to take actions to fully implement our other recommendations to improve its oversight of medical products.

What Remains to Be Done

As of March 2023, 22 recommendations to FDA remain open. FDA should implement these recommendations, including

  • ensuring it fully develops tailored strategies focused on recruiting and retaining investigators to conduct foreign drug inspections;
  • ensuring that future inspection plans identify, analyze, and respond to the issues presented by the delay in routine inspections that occurred during the COVID-19 pandemic; and
  • developing a set of performance goals and measures that can be used to demonstrate foreign office contributions to outcomes related to the regulation of imported products.

Benefits

There have been nearly 50 benefits to the federal government due to progress in this high-risk area since it was added to the list in 2009. For example:

  • Our work had identified concerns that FDA was not initially consistent in the information it made available on drugs and biologics that received emergency use authorizations during the COVID-19 pandemic. By uniformly disclosing the evidence to support these authorization decisions, as we recommended, FDA improved the transparency with which it makes such decisions. This potentially increases the public’s trust in these products during an emergency.
  • In response to our suggestion, Congress required manufacturers to notify FDA 6 months in advance of any plans to discontinue manufacturing certain critical drugs, or if they anticipate an interruption in manufacturing that is likely to lead to a meaningful disruption in the drug's supply. This requirement was enacted in July 2012. It has allowed FDA to take steps to prevent and mitigate shortages of these critical drugs more quickly.
  • Our work found that FDA needed to conduct more inspections to ensure that foreign establishments are inspected at a frequency comparable to domestic establishments with similar characteristics. In response, FDA expanded the number of staff dedicated to conducting foreign drug inspections. It also implemented a risk-based model for selecting establishments for inspection, regardless of their foreign or domestic location.

Contact Information

For additional information about this high-risk area, contact Mary Denigan-Macauley at (202) 512-7114 or deniganmacauleym@gao.gov or John E. Dicken at (202) 512-7114 or dickenj@gao.gov.

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

The Environmental Protection Agency (EPA) needs to strengthen workforce planning to assess and control toxic chemicals that pose risks to human health and the environment more effectively.

Why Area Is High Risk

EPA’s ability to implement its mission of protecting public health and the environment effectively depends on its assessing the risks posed by chemicals in commerce and those that have yet to enter commerce in a credible and timely manner. EPA supports the evaluation of such risks by using its long-standing chemical assessment program, the Integrated Risk Information System (IRIS), and by implementing the Toxic Substances Control Act (TSCA). TSCA provides EPA with the authority to review chemicals already in commerce and chemicals yet to enter commerce.

  • IRIS. EPA prepares assessments of chemical hazards to human health that contribute to risk management decisions, policies, and regulations under a variety of statutes, such as the Safe Drinking Water Act and the Clean Air Act.
  • TSCA. TSCA, as amended, established deadlines for evaluating and managing the risks of existing chemicals. It also directed EPA to make formal determinations on all new chemicals before they can be manufactured.

Because EPA had not developed sufficient chemical assessment and risk information under these programs to limit exposure to many chemicals that may pose substantial health risks, we added this issue to the High-Risk List in 2009.

Overall ratings for four criteria—leadership commitment, capacity, action plan, and demonstrated progress—remain unchanged since 2021.The overall rating for monitoring increased to partially met. For IRIS, leadership commitment, monitoring, and demonstrated progress increased to partially met. For TSCA, leadership commitment increased to met and action plan and monitoring increased to partially met. The following sections present more detailed information on the two segments summarized in the overall rating.

Integrated Risk Information System (IRIS)

Leadership commitment: increased to partially met. As we reported in March 2019 and December 2020, EPA senior leadership in the Office of Research and Development (ORD), changed the program’s workload and processes without input from program staff. ORD houses the IRIS Program. Since 2021, IRIS leadership has improved how the program meets user needs across the agency. For example, it times requests for assessment nominations to better match timelines for completing IRIS assessments.

Additionally, in 2021, IRIS leadership began clearly outlining the criteria the program uses to accept nominations for chemical assessments. This greater transparency helps EPA offices plan their nominations better. However, ORD leadership has yet to gather timely information from the IRIS Program about its resource and workforce needs and how changes to resource levels might affect its ability to meet user needs.

Capacity: partially met. In 2019, ORD reorganized its Health and Environmental Risk Assessment (HERA) national research area, of which the IRIS Program’s work is a part. The reorganization was designed to better reflect the breadth of its topics, research areas, and outputs. As updated in October 2022, HERA’s strategic research plan describes its efforts to integrate with other research programs across EPA and with external partners. Additionally, ORD’s strategic plan called for a focus on workforce planning. In February 2023, the IRIS Program provided us with a resource analysis that examined human and financial resources needed to carry out programmatic work outlined in the HERA strategic research plan. The analysis concluded that the program does not have sufficient resources to carry out its current workload, and future demand for IRIS assessments and other HERA assessments is not expected to decrease.

Action plan: partially met. The IRIS Program has continued actions to coordinate its work with other chemical assessment producers internal and external to EPA, such as EPA’s Office of Chemical Safety and Pollution Prevention (OCSPP). This helps avoid duplicative efforts and ensures that standards for chemical assessments are consistent across EPA offices. Additionally, ORD’s strategic plan includes many goals, but lacks specific actions and metrics to measure progress. As such, ORD and the IRIS Program may be unable to ensure accountability for improvement efforts.

Monitoring: increased to partially met. This rating increased to partially met because the IRIS Program implemented our recommendation to assess its chemical nomination survey in 2021. It also adjusted the survey schedule to align with the time needed to produce an IRIS assessment. However, the program has yet to systemically monitor its activities to validate the effectiveness and sustainability of its assessment production process. For example, as of February 2023, the program has begun to analyze the resources required to effectively produce chemical assessments, but it has not yet defined metrics to evaluate the effectiveness of workforce recruitment and retention strategies, and other efforts.

Demonstrated progress: increased to partially met. This rating increased to partially met because of the IRIS Program’s efforts to standardize assessments, release assessments, and meet EPA user needs. It does this by offering assessments and related products to support EPA’s wide-ranging statutory and regulatory needs. Since 2021, IRIS has increased coordination with other EPA offices. For example, the program worked with OCSPP to develop methodologies for assessing new or data-poor chemicals. The collaboration also ensures systematic review processes—the backbone of chemical assessments—are consistent across EPA offices.

Additionally, the IRIS Program has released three final assessments and made progress on several others. The program is also using several assessment products to meet user needs, including Provisional Peer-Reviewed Toxicity Assessments and Integrated Science Assessments. These other assessments are typically faster to produce. The program has been able to use this mix of assessment types to deliver toxicity values to users on timelines that meet user needs.

To continue making progress, the IRIS Program needs to issue final IRIS assessments and other products and make those products easy for internal and external users to find. In addition, ORD leadership needs to examine its current workforce to determine the resources it needs to help better meet its goal of supporting chemical risk management across EPA.

Toxic Substances Control Act (TSCA)

Leadership commitment: increased to met. Since 2021, EPA leadership has elevated its commitment to implementing its TSCA responsibilities. For example, EPA’s budget request to implement these responsibilities increased from $75.5 million in fiscal year 2022 to $124.2 million in fiscal year 2023 (see fig. 23.) This represents the highest requested funding level since TSCA was amended in 2016.

Figure 23: Budget Request Information for the Environmental Protection Agency’s (EPA) “Toxic Substances: Chemical Risk Review and Reduction” Program Project, Fiscal Years 2016–2023

At the direction of senior management, in December 2020, OCSPP’s Office of Pollution Prevention and Toxics (OPPT) conducted a workforce analysis that provided an overview of the office’s workforce structure. The analysis also identified mission-critical occupations for its TSCA chemical review programs.

Capacity: not met. According to EPA officials, since 2016, the agency has missed TSCA chemical review deadlines primarily due to resource constraints, including insufficient capacity in mission-critical occupations. In February 2023, we reported that EPA’s workforce for implementing its TSCA responsibilities included 305 full-time equivalent staff for fiscal year 2022. EPA requested funding to support 532 full-time equivalent staff for these activities in fiscal year 2023. In addition, we reported that OPPT has faced challenges filling some positions in mission-critical occupations, such as toxicologists and biologists.

Action plan: increased to partially met. Since 2019, EPA has taken additional planning steps to implement its TSCA responsibilities. For example, OPPT published its overarching Strategic Plan FY 2021 – FY 2023. The report describes how the office plans to fulfill its obligations under TSCA and other statutes. However, OCSPP has yet to develop a strategic workforce plan to help ensure the agency meets TSCA chemical review deadlines and develops long-term strategies for recruiting, developing, and retaining staff. The officials noted that they are developing a comprehensive plan to ensure employees have the training they need to complete new chemical reviews more consistently.

Monitoring: increased to partially met. OPPT has identified some workforce planning and monitoring improvements for implementing its TSCA responsibilities. In March 2021, OPPT completed a skills gap assessment to provide hiring targets and anticipated attrition counts for mission-critical and other occupations for fiscal years 2021, 2022, and 2025. OCSPP officials told us they plan to hire a contractor to help the office update its assessment. The assessment no longer reflects current workforce needs.

Additionally, OPPT’s strategic plan includes elements related to workforce planning. For example, according to the plan, OPPT’s division that conducts new chemical risk evaluations aims to improve how it allocates resources and develops its workforce. It also identifies some performance indicators associated with these improvements, such as updating human health training materials and developing standard operating procedures. However, the strategic plan does not address other key workforce planning challenges, such as recruitment targets for filling mission-critical occupations.

Demonstrated progress: partially met. Although EPA has taken some steps toward completing existing and new chemical reviews on time, it has missed most statutory deadlines. TSCA, as amended, established specific deadlines for evaluating and managing the risks of certain existing chemicals.[21] For example, as we reported in February 2023, although EPA met the first two evaluation-related deadlines for the initial 10 existing chemicals, it missed all but one of the subsequent deadlines for those chemicals.[22] Moreover, among those new chemical pre-manufacture reviews that EPA completed from 2017 through 2022, the agency typically completed the reviews within the 90-day TSCA review period less than 10 percent of the time. In addition, some of these reviews remained under review years after EPA received them.

OPPT has planned or has ongoing efforts to address these missed deadlines for new chemical reviews. For example, in July 2022, EPA conducted a webinar for external stakeholders to provide an in-depth look at common issues that cause missed deadlines for new chemical submissions.

What Remains to Be Done

As of February 2023, five recommendations related to the management of toxic chemicals remain open. For example:

  • Periodically assessing the demand for chemical assessments and the resources needed to produce IRIS assessments.
  • Developing a process and timeline to ensure EPA’s workforce planning efforts fully align with relevant planning principles and incorporating the results, as appropriate, into EPA's annual plan for chemical risk evaluations under TSCA. This will help ensure the agency can effectively implement its TSCA review responsibilities. We have reported that strategic workforce planning is essential in helping agencies align their workforces with their current and emerging missions. It also helps them develop long-term strategies for recruiting, developing, and retaining staff.

Congressional Actions Needed

Continued congressional oversight of EPA’s workforce planning efforts is needed to help ensure EPA identifies the resources it needs to assess and control toxic chemicals.

Benefits

This area has realized more than 10 benefits since it was added to the High-Risk List in 2009, including the following:

  • The IRIS Program increased its coordination with other EPA offices and external federal entities. This will help ensure the offices avoid duplicative work on chemical assessments, can assist each other with obtaining chemical data, and use many of the same chemical evaluation tools and techniques for greater consistency in final products.
  • OPPT completed a skills gap assessment in March 2021 that included hiring targets and anticipated attrition counts for various years. This helped EPA better understand its future workforce needs for implementing TSCA and informed its budget request for fiscal year 2023.

Contact Information

For additional information about this high-risk area, contact J. Alfredo Gómez at (202) 512-3841 or gomezj@gao.gov.

Government-wide Personnel Security Clearance Process

Agencies responsible for reforming the personnel security clearance process need to make further progress by implementing our open recommendations. These include improving the timely processing of clearances, measuring quality in all stages of the clearance process, and addressing IT system challenges.

Why Area Is High Risk

A high-quality security clearance process is necessary to prevent the unauthorized disclosure of information that could cause exceptionally grave damage to U.S. national security. While the ongoing reforms in this area are promising, challenges remain regarding the timely processing of clearances, a lack of performance measures to assess quality at all stages of the process, and addressing IT system challenges.

Since we issued our 2021 High-Risk List, agencies responsible for reforming the personnel security clearance process have made considerable progress in implementing Trusted Workforce 2.0 (hereafter personnel vetting reform or reform). This reform is designed to transform and align the three personnel vetting processes that determine: eligibility to access classified information or to hold a sensitive position (personnel security clearance process), suitability for government employment or fitness to work on behalf of the government (suitability/fitness process), and eligibility to access agency systems or facilities (personnel credentialing process).

Leadership commitment: met. The Security Clearance, Suitability, and Credentialing Performance Accountability Council (PAC) is the government-wide entity responsible for reforming the personnel security clearance process. The PAC continued to demonstrate leadership in addressing challenges in this process. It has four principal members: the Deputy Director for Management of the Office of Management and Budget, the Director of National Intelligence, the Under Secretary of Defense for Intelligence and Security, and the Director of the Office of Personnel Management (OPM). Since our 2021 issuance, the PAC has continued to oversee the implementation of personnel vetting reform that it initiated in 2018. For example, in December 2021 and at the recommendation of the PAC, the Assistant to the President for National Security Affairs issued a memorandum that directed departments and agencies to immediately begin implementing actions to reform personnel vetting agreed to by a national security working group, including the PAC.

The Trusted Workforce 2.0 reform includes a new vetting framework called the one-three-five framework. The one-three-five framework is designed to establish one policy framework to align the three vetting processes, speed up processing times, reduce duplication and complexity, and improve mobility. See figure 24.

Figure 24: Trusted Workforce 2.0 One-Three-Five Framework

Capacity: partially met. The PAC issued the Trusted Workforce 2.0 Implementation Strategy in April 2022. It states that executive branch agencies’ implementation plans should account for a fully trained personnel security workforce (investigators, adjudicators, personnel vetting practitioners). In addition, the Defense Counterintelligence and Security Agency established a milestone of September 2023 to complete strategic workforce planning for its personnel-vetting workforce. As of February 2023, the agency had completed two of seven steps in its planning process— leadership interviews and competency workshops. It is working on three additional steps: workforce data analysis, a competency assessment, and the development of mitigation strategies to address current and future workforce competency gaps and challenges. By September 2023, the Defense Counterintelligence and Security Agency plans to complete the two remaining steps to refine its mitigation strategies and develop a report with its strategic workforce plan.

The Defense Counterintelligence and Security Agency is also continuing to develop the National Background Investigation Services (NBIS) system. This IT system will be a key component of personnel vetting reform. Since early in fiscal year 2021, the agency has introduced some NBIS capabilities to selected personnel responsible for personnel vetting at an increasing number of federal agencies and industry organizations. However, we found in 2021 that the Defense Counterintelligence and Security Agency lacked a reliable schedule to help manage the NBIS program. We are assessing the NBIS program schedule and plan to report our findings in 2023.

Action plan: partially met. The PAC made key progress through the issuance of several planning documents for the personnel vetting reform. These documents include the Federal Personnel Vetting Investigative Standards in May 2022, the Common Principles in Applying Federal Personnel Vetting Adjudicative Standards in July 2022, and the Federal Personnel Vetting Performance Management Standards in September 2022. However, the PAC has neither developed nor issued performance measures for all phases of the security clearance process that align with the key attributes of successful performance measures such as including a measureable target. The PAC has also not issued updated adjudicative guidelines for the reform.

Monitoring: partially met. The PAC continues to monitor and report publicly on the progress of the personnel vetting reform through www.performance.gov/trusted-workforce/. The Office of the Director of National Intelligence (ODNI) also collects data from agencies to oversee the security clearance process as the government-wide Security Executive Agent. The principal executive order regarding the personnel vetting processes designates the Director of National Intelligence as the Security Executive Agent with responsibilities, functions, and authorities for various aspects of the personnel security clearance process. This includes directing the oversight of the process.

Based on our analysis and comparison of data from selected executive branch agencies with data submitted by ODNI, we found that ODNI’s clearance timeliness data are not sufficiently reliable to enable us to determine the percentage of executive branch agencies that met timeliness objectives. For example, we analyzed ODNI summary statistics on agencies’ timeliness and case-level data from three agencies. We found that some of ODNI’s summary statistics were inconsistent with the corresponding statistics we calculated using the agencies’ case-level data. We also found that some case-level data contained errors, which would inadvertently affect summary statistics. Additionally, we contacted two agencies that could not provide case-level data.

Demonstrated progress: partially met. As of January 2023, executive branch agencies have enrolled about 4.5 million personnel in continuous vetting programs. Agencies use these processes to regularly review the background of personnel with a security clearance to ensure they continue to meet security clearance requirements. While this and other steps to implement personnel vetting reform is promising, the PAC has not fully implemented all of the recommendations we have made to address (1) challenges regarding the timely processing of clearances, (2) a lack of performance measures to assess quality in all stages of the process, and (3) challenges with IT systems.

What Remains to Be Done

Since we added this area to our High-Risk List in 2018, we have made multiple recommendations to ODNI and the Department of Defense. As of March 2023, we have eight recommendations that remain open, including some that led to the decision to add this area to our High-Risk list, as follows:

  • the Director of the Defense Counterintelligence and Security Agency revise the NBIS system schedule to meet all the characteristics of a reliable schedule as defined in our best practice guides for scheduling and Agile software development,
  • the Director of National Intelligence develop performance measures for assessing the quality of all phases of the personnel security clearance process that align with the key attributes of successful performance measures,
  • the Director of the Defense Counterintelligence and Security Agency issue a strategic workforce plan for the agency’s entire personnel vetting workforce, and
  • the Director of the Office of Personnel Management should improve the timeliness of validating evidence associated with actions taken to address recommendations made by the U.S. Computer Emergency Readiness Team.

Congressional Actions Needed

Congress should consider requiring that the Director of National Intelligence ensure that agencies submit reliable data on the time they take to complete the initiation, investigation, and adjudication phases of the security clearance process to ODNI to assist it in overseeing agencies’ performance in meeting clearance timeliness objectives.

Benefits

Since January 2018, there have been 10 benefits because of progress in this high-risk area. For example, in a memorandum issued in February 2020, ODNI and OPM required agencies to provide information to ODNI on continuous vetting. In addition, OPM issued a Backlog Mitigation Plan in December 2018 that was designed to reduce the investigative backlog.

Contact Information

For additional information about this high-risk area, contact Alissa H. Czyz at (202) 512-3058 or czyza@gao.gov.

National Efforts to Prevent, Respond to, and Recover from Drug Misuse

Federal agencies must effectively coordinate and implement a strategic national response to drug misuse and make progress toward reducing rates of drug misuse, overdose deaths, and the resulting harmful effects to society.

Why Area Is High Risk

Drug misuse—the use of illicit drugs and the misuse of prescription drugs—has been a persistent and long-standing public health issue in the U.S. Drug misuse has resulted in significant loss of life and harm to society and the economy. In recent years, the federal government has spent billions of dollars and enlisted more than a dozen federal agencies to address drug misuse and its effects. In December 2022, the Department of Health and Human Services (HHS) announced the renewal of a 2017 determination that marked the opioid crisis as a public health emergency. This coincides with one of the highest numbers of drug overdose deaths reported in a 12-month period (nearly 107,000).

This high-risk issue is being rated for the first time since it was added to the High-Risk List in 2021. Since then, the President nominated and the Senate confirmed a new Director of the Office of National Drug Control Policy (ONDCP) who helped develop and issue the 2022 National Drug Control Strategy. The following issues currently present challenges for the federal government in fully addressing the five high-risk criteria:

  • The 2022 Strategy meets some but not all statutory requirements. Federal agencies need to ensure their programs support related goals from the Strategy.
  • The availability of substance use treatment has not kept up with demand and declined because of the COVID-19 pandemic.
  • The rates of drug misuse and number of drug overdoses continue to rise.

Leadership commitment: partially met. ONDCP leaders have expressed their commitment to addressing drug misuse. In addition, federal agencies have established interagency working groups to help address drug misuse issues. For example, ONDCP and the Department of Veterans Affairs created an Interagency Drug Misuse High Risk Subcommittee for federal agencies to help coordinate a government-wide response to this high-risk issue.

In addition, HHS established a Behavioral Health Coordinating Council in 2021. It includes an overdose prevention subcommittee involving the National Institutes of Health and Food and Drug Administration. However, it is important for the federal government to coordinate across additional levels of government and private sector. The 2022 Strategy highlights the need to strengthen such coordination.

Capacity: not met. While the federal drug control budget for fiscal year 2022 was $39 billion, the 2022 Strategy highlights the need for the federal government to expand resources for the prevention, treatment, and recovery from drug misuse. However, our review of the Strategy, Budget Summary, and accompanying documents found that not all relevant federal agencies listed the resources necessary to implement a plan to expand treatment for substance use disorders, as required by law.[23]

The availability of treatment for substance use disorders remains a long-standing challenge, particularly for low-income individuals and in rural areas. The COVID-19 pandemic has exacerbated concerns about access to treatment and workers affected by opioid misuse.

According to the 2022 Strategy, government estimates suggest the substance use disorder workforce will continue to experience staffing shortages. The estimates also highlight the need for additional substance use disorder treatment workforce and infrastructure.

Action plan: partially met. In June 2021, ONDCP developed a plan to help it meet all statutory requirements related to the development and promulgation of the National Drug Control Strategy. This Strategy is to set forth a comprehensive plan to address drug misuse.

While the 2022 Strategy, and its accompanying documents, fully addressed some of the statutory requirements, it partially or did not meet others. For example, it did not include a systematic plan for increasing data collection.[24]

Monitoring: partially met. Federal agencies have taken some actions to improve their monitoring and data collection efforts. For example, the Department of Justice, Drug Enforcement Administration (DEA), and Organized Crime Drug Enforcement Task Force addressed our recommendations to include outcome- or results-oriented measures in their strategies to combat illicit opioids.

However, while the Substance Abuse and Mental Health Services Administration (SAMHSA) assesses the State Opioid Response grant program annually, its assessments do not address potential limitations or fully leverage available information for a more in-depth assessment.

Further, while the 2022 Strategy includes comprehensive, long-range, quantifiable goals and specific targets to accomplish goals, it did not include a performance evaluation plan, as statutorily required.[25]

Demonstrated progress: not met. The effects of the COVID-19 pandemic have intensified concerns about the number of people in the U.S. affected by substance use disorders. Based on provisional data, the Centers for Disease Control and Prevention reported nearly 107,000 drug overdose deaths during the 12-month period ending in September 2022—one of the highest number of deaths ever reported in a 12-month period (see fig. 25).

While the 2022 Strategy highlights the need for federal agencies’ actions to address drug misuse, ONDCP has yet to issue its evaluation of agencies’ progress toward meeting the Strategy’s goals. This was statutorily required to be submitted by February 6, 2023.[26] As of February 24, 2023, ONDCP has not issued the evaluation.

Figure 25: Number of Drug Overdoses in the United States, April 2015 through September 2022

Note: Provisional death counts are for “12-month ending periods,” defined as the number of deaths occurring in the 12-month period ending in the month indicated. Deaths are classified by the reporting jurisdiction in which the death occurred. Provisional drug overdose death counts are based on death records received and processed by the National Center for Health Statistics as of a specified cutoff date. Data in this figure are predicted provisional counts, which represent estimates of the number of deaths adjusted for incomplete reporting. Data for 2015 to 2021 may differ from published reports using final data. Data for 2022 are underreported due to incomplete data.

What Remains to Be Done

Over the past several years, we have made numerous recommendations to federal entities focused on this high-risk area. Forty of these recommendations remain open as of February 2023 including:

  • ONDCP should ensure future iterations of the National Drug Control Strategy include all statutorily required elements.
  • HHS, Department of Education, and ONDCP should clarify how grants that support drug prevention education programs contribute to the goals of the National Drug Control Strategy.
  • SAMHSA should further analyze existing State Opioid Response grant program information, such as by disaggregating data by client groups, to provide a more comprehensive, in-depth assessment of program performance. It should then use this information to identify opportunities for program improvement.

Benefits

There were nine benefits to the federal government due to progress in this high-risk area since it was added to the list in 2021. For example:

  • Our work found that the federal government identified expanding access to Medication Assisted Treatment as important for reducing opioid use disorders and overdoses. However, some state and federal policies can restrict Medicaid beneficiaries' access to Medication Assisted Treatment medications. In response, the Centers for Medicare and Medicaid Services issued guidance in December 2020 to state health officials about the existing requirement that states cover all forms of drugs approved for Medication Assisted Treatment. In March 2021, all states had begun to take actions to address this issue.
  • Our work found certain limitations in DEA’s tool that can be used by registrants—such as manufacturers and distributors of controlled substances—to better support their efforts to identify and report suspicious opioid orders. In May 2021, DEA took actions to address these limitations. This helped ensure that registrants had the most useful information to assist in identifying and reporting suspicious orders.
  • In December 2021, we reported that we could not verify ONDCP's actions to assess for duplication, overlap, and fragmentation among drug control grants because ONDCP has not documented its process. In response, ONDCP developed guidance for its assessment of duplication, overlap, and fragmentation for federally funded drug control grants in May 2022. This helped it ensure it maintained organizational knowledge of its process and demonstrated its effectiveness.

Contact Information

For additional information about this high-risk area, contact Triana McNeil at (202) 512-8777 or mcneilt@gao.gov, Alyssa M. Hundrup at (202) 512-7114 or hundrupa@gao.gov, or Thomas Costa at (202) 512-4769 or costat@gao.gov.

Department of Health and Human Services’ Leadership and Coordination of Public Health Emergencies

The Department of Health and Human Services (HHS) must improve its leadership and coordination of public health emergencies to save lives, mitigate severe economic impacts, and prepare the nation to respond to multiple simultaneous threats.

Why Area Is High Risk

As we reported in January 2022, for more than a decade, our body of work has found persistent deficiencies in HHS’s ability to perform its role of leading the nation’s preparedness for, and response to, public health emergencies.

These deficiencies have hindered the nation’s response to the current COVID-19 pandemic and to a variety of past emergencies, such as hurricanes. Addressing the deficiencies and related concerns we have raised, including improving the department’s ability to respond to multiple concurrent events, is paramount as the nation faces new threats while continuing to respond to the COVID-19 pandemic.

Maintaining sustained attention and taking action to address the systemic deficiencies we have raised will take time. In consideration of this area being recently added to our High-Risk List in January 2022, we will not rate HHS’s progress on this area until we issue our next High-Risk List in 2025.

Leadership commitment: Sustained leadership is the critical element for initiating and sustaining progress and making the types of management and operational improvements required for narrowing or removing high-risk areas. Our work has identified the need for the Secretary of Health and Human Services and the leaders of HHS agencies—including the Administration for Strategic Preparedness and Response (ASPR), Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), and National Institutes of Health (NIH), among others—to take action to better position the department to fulfill its lead role in preparing the nation for, and responding to, public health emergencies. This includes demonstrating commitment to addressing the deficiencies we have identified. HHS’s efforts have fallen short in five key areas of an effective national response, as depicted in figure 26.

Figure 26: Five Key Areas of an Effective National Response

Top HHS leadership of key public health emergency preparedness and response agencies has been in flux. For example, NIH has been without a confirmed director since December 2021. In addition, the Director of its National Institute of Allergy and Infectious Diseases, a key leader in the response to the pandemic and other emergencies, retired in December 2022. Further, FDA has had high turnover in top leadership for more than a decade (10 commissioners in 10 years, five of whom were acting without Senate confirmation, including during the second year of the COVID-19 pandemic).

HHS and CDC leadership recently announced agency reform efforts. In July 2022, HHS announced that it had elevated ASPR to a stand-alone agency alongside other HHS agencies, such as CDC, FDA, and NIH. According to an HHS statement, this change will take time but ultimately allow ASPR to mobilize a coordinated national emergency response more effectively and efficiently. In August 2022, CDC announced programmatic, scientific, and operational improvements to better support the agency’s public health response during emergencies and in normal operations.

We have identified key agency reform practices from June 2018. These practices indicate that agencies can successfully change if they have clear goals, follow a process to develop proposed reforms, allocate implementation resources, and consider workforce needs during and after the reform.

Capacity: In January 2022, we reiterated concerns about HHS’s capacity to lead and coordinate public health emergencies. For example, we noted that ASPR could only support a response to two simultaneous events occurring in different areas in the continental U.S. for 30 days. ASPR relies on other response partners but does not have a complete understanding of their capabilities and limitations.

Additionally, in January 2022, we found that FDA did not have an agency-wide strategic workforce plan to coordinate human capital efforts across the agency. Further, in April 2022, we reported that ASPR had not undertaken key workforce planning steps to support the mission and goals of the new office it created to address medical product supply vulnerabilities highlighted during the pandemic. Workforce planning will be important as ASPR reorganizes. This is especially true since ASPR cited improved hiring and contracting capacities as an outcome of this effort. HHS needs to meet the key principles of strategic human capital planning. These include determining the critical skills and competencies needed to achieve an agency’s current and future programmatic results, and developing strategies to address gaps in the number of staff and their skills and competencies to meet those results.

Action plan: The administration has released broad plans and strategies related to the public health supply chain, COVID-19 guidelines, and pandemic preparedness. For example, in October 2022, the administration released an updated National Biodefense Strategy and Implementation Plan. However, HHS needs to develop specific action plans that define root causes, solutions, interim milestones, necessary resources, and steps for implementing corrective measures to address the persistent deficiencies we have identified. In April 2022, we observed HHS’s intention for such action plans in its National Strategy for a Resilient Public Health Supply Chain. However, it was too early to know if they would be implemented as intended.

Monitoring: An action plan, including steps required to implement corrective measures, is needed before HHS can monitor corrective actions. Our work has shown that, as agencies develop their monitoring strategies, they should ensure they can collect, analyze, and communicate accurate, useful, and timely information, and track actions to implement our recommendations to indicate progress, among other things.

Demonstrated progress: HHS has not had much time to demonstrate progress since this area was recently added to our High-Risk List in January 2022. While HHS addressed some of our recommendations, other concerns have arisen. This includes findings from our April 2022 report that CDC has not defined action steps to achieve its data modernization efforts. We will continue to evaluate HHS’s response to threats as they emerge, such as extreme weather events, and agency reform efforts to determine whether progress has been made to address the systemic deficiencies we identified.

What Remains to Be Done

As of February 2023, 92 of the 155 recommendations we have made in this area since fiscal year 2007 remain open.[27] These recommendations highlight steps HHS can take to address areas of concern that have arisen in preparing for and responding to public health emergencies, including the following:

  • HHS should take steps to standardize ongoing data collection and reporting standards across federal agencies to help respond to the COVID-19 pandemic and prepare for future pandemics.
  • HHS should prioritize the development of an interoperable network of systems for near real-time public health situational awareness—to include designating a lead office for implementing it and clearly defining roles and responsibilities.
  • ASPR should develop a transparent and deliberative process for the body of experts who make recommendations related to purchasing vaccines and other public health and medical supplies for the Strategic National Stockpile to aid emergency response.

Potential Benefits

Improving HHS’s leadership and coordination of public health emergencies will better prepare the nation for future emergencies and help mitigate devastating public health and economic effects. During the COVID-19 pandemic alone, more than 1.1 million U.S. deaths were reported as of February 2023. About $4.6 trillion have been appropriated in relief funds for response and recovery efforts.

Contact Information

For additional information about this high-risk area, contact Mary Denigan-Macauley at (202) 512-7114 or deniganmacauleym@gao.gov.

Acquisition and Program Management for DOE’s National Nuclear Security Administration and Office of Environmental Management

The National Nuclear Security Administration (NNSA) and the Office of Environmental Management (EM) need to improve oversight of their acquisition processes and better manage their portfolios, programs, and projects.

Why Area Is High Risk

The Department of Energy (DOE) oversees a broad range of programs related to nuclear security and waste cleanup, among other areas. DOE relies primarily on contractors to carry out its portfolios, programs, and projects. It spends about 90 percent of its annual budget on contracts. In fiscal year 2022, DOE’s budget was about $44.9 billion.

We designated this area as high risk in 1990 because DOE’s record of inadequate management and oversight of contractors left the department vulnerable to fraud, waste, abuse, and mismanagement.

This year, we updated the title of this high-risk area from Contract and Project Management to Acquisition and Program Management for DOE’s NNSA and EM. The title now more accurately represents the full range of challenges we have reported in this high-risk area since 1990. These challenges include issues such as the full acquisition process, program management, and financial management.

Since our 2021 High-Risk Report, the rating for one criterion—leadership commitment—increased from partially met to met. The other four criteria remain unchanged. The following sections present more detailed information on NNSA and EM.

Acquisition and Program Management for the National Nuclear Security Administration (NNSA)

Leadership commitment: met. NNSA has continued to show leadership commitment to improving acquisition and program management. However, in July 2022, it reorganized its former Acquisition and Project Management office to separate management functions for acquisitions and projects into dedicated offices. Leadership from this office had played a central role in NNSA’s recent improvements in acquisition and project management. As we found in January 2023, the reorganization was initiated without first identifying a mission need for such a change. This reorganization may have implications for acquisition or project management as it is implemented.

Capacity: partially met. Senior NNSA officials have raised concerns that they do not have enough staff with the right skills in their acquisition workforce to oversee contracts. NNSA needs to perform a complete and thorough evaluation of gaps in skills and competencies across its acquisition workforce, as we recommended in November 2021. Implementing this recommendation is particularly important in light of NNSA’s July 2022 reorganization of its former Acquisition and Project Management office. Additionally, the recently enacted congressional amendment of the statutory cap on NNSA’s federal staffing levels, which the agency had requested, could help address these concerns.[28]

Action plan: partially met. NNSA has taken some steps to identify the root causes of some of its long-standing acquisition and management challenges. For example, NNSA recompeted a contract for the management and operation of one of its sites due to safety concerns, as we found in June 2022. The new contractor took positive steps to increase safety at the site, such as improving policies and practices related to reporting safety issues. However, NNSA’s July 2022 reorganization of its Office of Acquisition and Project Management was a broad change rather than an action to solve a specific problem. NNSA should establish specific outcome-oriented goals for this change, as we recommended in January 2023.

Monitoring: partially met. NNSA continues to improve its efforts to monitor project performance and identify construction projects that are not meeting cost or schedule baselines and contractors whose performance needs improvement. However, the number of construction projects not meeting cost and schedule baselines has increased since 2020, including for nonmajor projects. We had previously removed this category from this high-risk area. According to NNSA officials, some of these issues are because of the pandemic and supply chain challenges. We plan to continue to evaluate this issue.

Additionally, the contractors that manage and operate NNSA’s sites have monitored subcontractor cybersecurity measures inconsistently because some contractors do not believe they are required to do so, as we found in September 2022. NNSA’s annual contractor performance assessments do not emphasize the importance of such oversight. NNSA plans to enhance contractor and subcontractor cybersecurity by including a requirement in the next version of its governing cybersecurity directive that contractors implement a standardized cybersecurity framework for unclassified systems. However, it is unclear when NNSA will do so because it has delayed issuing the directive for more than 2 years. NNSA attributed the delay to its lengthy internal process for major revisions and recent administrative changes to key stakeholders.

Demonstrated progress: partially met. NNSA continues to improve its collection of financial information. This has led to improvements in program management. However, NNSA has not communicated expectations for using the data or developed a process to report total costs for a program, as we recommended in February 2022. Taking such measures would allow NNSA to collect information useful to each office.

In addition, NNSA’s development and use of important program management tools has been uneven. For example, NNSA is re-establishing its plutonium pit production capability—likely to become its most expensive weapons production infrastructure program to date (see fig. 27). However, NNSA has developed neither a comprehensive schedule nor cost estimate for the integrated activities needed to achieve the desired capability, as we reported in January 2023. Such estimates could improve NNSA and congressional decision-making. It could also support NNSA’s efforts to achieve a production rate of 80 pits per year.

Figure 27: Sealed Glovebox for Plutonium Operations

Acquisition and Program Management for the Office of Environmental Management (EM)

Leadership commitment: increased to met. In recent years, EM’s leadership has demonstrated its commitment to improving oversight of its acquisitions and better managing its portfolios, programs, and projects. For example, since 2021, EM has committed to implementing and refining its new End State Contracting Model. This model is designed to improve EM’s contracting for environmental cleanup projects. Additionally, EM recently developed several key programmatic initiatives and guiding documents that demonstrate strong commitment to addressing this high-risk area. Notably, EM’s current leader is the longest-serving leader in its history.

We have continued to highlight areas where sustained leadership commitment is needed. For example, in May 2022, we found that past frequent turnover in EM leadership created challenges to achieving DOE’s complex and long-term cleanup mission. These challenges include inconsistent and incomplete initiatives and a focus on short-term actions over long-term priorities. Departmental leadership, and possibly congressional action, is also needed to pursue risk-informed alternatives that could save tens of billions of dollars or more. This includes different tank waste treatment approaches at DOE’s Hanford Site.

Finally, we note that DOE acquisition and program management issues have been on our High-Risk List since its inception in 1990. DOE has recently shown strong leadership commitment at the highest levels of the department. The agency needs to sustain this commitment for it to address the other high-risk criteria adequately. These criteria include having the right number of staff to oversee contractors, corrective action programs that prevent problems from recurring, and complete and reliable information to hold contractors accountable for cleanup progress.

Capacity: partially met. EM has taken some steps to implement leading practices for effective strategic workforce planning and assess its acquisition workforce. However, it continues to face staffing shortages and related problems. EM needs to fully identify skill and competency gaps—including the types and numbers of positions required to close these gaps—for its acquisition workforce, as we found in November 2021. In addition, EM’s limited staff capacity contributed to issues for three capital asset projects—two of which are expected to overrun their cost and schedule baselines—as we found in May 2022.

Action plan: partially met. EM has taken some action to develop corrective action plans that address root causes. For example, in August 2022, EM took steps to ensure that certain projects develop corrective action plans and that DOE assesses and validates the extent to which such corrective actions resolve root causes.

EM’s efforts to address the root causes of its long-standing acquisition and program management challenges continue to contain gaps. For example, as we found in January 2021, EM does not have an action plan—a leading practice—for its efforts to retrieve nuclear waste from underground tanks at the Hanford Site. This may impede EM’s ability to prepare for technical challenges.

In September 2022, EM issued a program plan that describes strategies for completing its cleanup mission. It is too early to determine the extent to which the strategies outlined in the plan and EM’s actions to implement them will effectively address its long-standing acquisition and management challenges.

Figure 28: The Department of Energy’s Ongoing Construction Project at the Waste Isolation Pilot Plant in New Mexico

Monitoring: partially met. EM has taken action to monitor its environmental cleanup mission better. For example, of EM’s 13 largest capital asset projects with established cost and schedule baselines, nine are expected to be completed within those baselines, as we found in May 2022.

However, EM continues to face challenges with monitoring the effectiveness of its actions to address acquisition and management challenges. In September 2022, we found weaknesses with DOE’s implementation of its new End State Contracting Model. This model is intended to improve EM’s contracting approach and move cleanup sites closer to completion. Specifically, EM had not developed a formal, structured process to assess the model’s effectiveness. Given the model’s scope and scale and EM’s preference for using it for future large-dollar environmental cleanup contracts, it is critical that EM assess the model’s effectiveness.

Demonstrated progress: partially met. EM has taken steps to address our recommendations to improve its activities and has made progress in its environmental cleanup activities at some sites. For example, EM revised its environmental cleanup policy to follow program and project management leading practices, as we recommended in February 2019.

However, EM continues to face problems associated with its oversight of its acquisitions and management of its cleanup mission. For example, unless EM addresses a number of significant risks at its Hanford Site, a key program to treat a portion of the site’s radioactive liquid waste faces delays and increased costs, as we found in June 2022. EM has prior experience with constructing facilities to treat liquid waste at the Idaho National Laboratory. It should use this as a model for its management of the Hanford Site. We will monitor whether EM implements the corrective measures we recommended. In addition, EM has yet to take all the actions necessary to implement our September 2019 recommendations that it incorporate essential elements of risk-informed decision-making in its acquisition and management of major projects and operations activities. EM needs to complete all these actions to make meaningful progress in addressing high-risk issues.

What Remains to Be Done

As of February 2023, 114 of our recommendations related to this high-risk area remain open, 55 of which we made since our last high-risk report in March 2021. These recommendations include:

  • developing an approach to ensure all NNSA program elements are included in total program costs;
  • taking steps to ensure EM’s cost and schedule estimates are developed and updated in accordance with our best practices; and
  • systematically assessing EM’s End State Contracting Model to ensure future contracts under this model are effectively implemented.

Congressional Actions Needed

As of February 2023, several of our matters for congressional consideration remain open, all of which we made since our last high-risk report in March 2021. These matters include a request that Congress consider:

  • clarifying—in a manner that does not impair the regulatory authorities of the Environmental Protection Agency and any state—DOE's authority to determine, in consultation with the U.S. Nuclear Regulatory Commission, whether portions of Hanford’s tank waste can be managed as a waste type other than high-level radioactive waste, and can be disposed of outside the state of Washington.

Benefits

More than $10 billion in financial benefits and more than 100 other benefits have been realized over the past 17 years. For example:

  • NNSA issued a revised directive on responsibilities for conducting independent cost estimates to include requirements to document and justify key decisions;
  • DOE issued a policy memorandum to help improve the collection and dissemination of project management lessons learned; and
  • EM revised its environmental cleanup policy to follow program and project management leading practices.

Contact Information

For additional information about this high-risk area, contact Allison Bawden at (202) 512-3841 or bawdena@gao.gov and Nathan Anderson at (202) 512-3841 or andersonn@gao.gov.

NASA Acquisition Management

The National Aeronautics and Space Administration (NASA) needs to continue implementing its Action Plan with a focus on reducing acquisition risk and improving project cost and schedule performance for its most expensive and complex projects.

Why Area Is High Risk

NASA plans to invest billions of dollars in the coming years to explore space and conduct aeronautics research, among other things. We designated NASA’s acquisition management as high risk in 1990 in view of its history of persistent cost growth and schedule delays in the majority of its major projects. NASA’s major projects have an estimated life-cycle cost higher than $250 million. NASA has continued to face challenges particularly with cost and schedule performance on its most expensive projects, whose individual costs exceed $2 billion.

The rating for capacity increased from partially met to met. The other four criteria remain unchanged since 2021. NASA has increased its capacity by completing initiatives in its action plan intended to strengthen its cost and schedule estimating workforce. The agency, however, continues to face challenges in its ability to manage and oversee its most expensive and complex projects. Specifically, NASA has had difficulty controlling cost growth and schedule delays for projects that exceed $2 billion in life-cycle costs. These include projects needed for NASA to conduct Artemis missions. These missions will return astronauts to the moon, build a sustainable lunar presence, and ultimately bring humans to Mars.

Leadership commitment: met. NASA leadership continued to demonstrate its commitment to improving acquisition management by elevating or creating acquisition positions. It also implemented efforts to improve oversight and transparency of its major project cost and schedules, including into the long-term costs of human space exploration programs. For example, NASA

  • Elevated its Chief Acquisition Officer position to the NASA Deputy Administrator. This change elevates acquisition planning and oversight to the attention of one of the agency’s most senior officials. It is intended to help ensure appropriate levels of consideration are applied to major acquisitions. NASA also established a Chief Program Management Officer, intended to improve project management across the agency and strengthen program management policies, among other things.
  • Committed to establishing cost and schedule baselines for additional lunar program capabilities, such as the Space Launch System and Exploration Ground Systems; and
  • Committed to creating a cost estimate for its mission to return U.S. astronauts to the moon, known as Artemis III.

Capacity: increased to met. In the past 2 years, NASA demonstrated it has improved its capacity to reduce acquisition risk by completing relevant corrective action plan initiatives. Since updating the plan in 2018, NASA has completed nine of these initiatives. In addition, it is actively implementing six additional initiatives aimed at improving the capacity of its workforce and tools. For example, NASA completed initiatives to improve training for its cost and schedule estimating workforce and develop a schedule repository to improve access to historical and analogous project schedules for planning purposes.

Further, NASA senior leaders committed to implementing or have implemented several of our recommendations related to how the agency oversees and manages missions that could further build capacity. For example, based on our May 2021 recommendation, NASA documented the program and technical management practices and tools that it will apply to its lunar missions. This will help reduce the risk that NASA will discover gaps late in development.

NASA also plans to improve schedule management and workforce planning guidance for Artemis missions, which are planned through the 2030s, based on our September 2022 recommendations. Schedule management guidance for these multiprogram missions will help ensure that senior NASA leaders have quality, risk-informed schedule information for decision-making. Additionally, developing guidance that identifies a regular and recurring process for long-term Artemis workforce scenario planning to address future uncertainties will help NASA better address longer-term workforce challenges that could affect Artemis mission success.

Action plan: met. NASA continues to update its corrective action plan and implement plan initiatives. As of February 2023, the agency completed five of six initiatives from its 2020 plan. In August 2022, NASA updated its action plan and began six new initiatives. Two of these initiatives build on prior initiatives to improve scheduling and increase transparency into the long-term costs and affordability of human spaceflight programs.

Monitoring: met. NASA continues to monitor progress against its corrective action plan. This process includes tracking and briefing senior leaders on the progress made on action plan initiatives. It also calls for reporting progress against its action plan and other cost and schedule performance metrics to us and NASA senior leadership semiannually.

In addition, NASA took two additional steps to increase monitoring of major projects since our 2021 high-risk update by (1) creating the new Chief Program Management Officer, who is responsible for strengthening enterprise-wide oversight and management of projects; and (2) establishing an earned value management data surveillance requirement, which will help NASA to improve the reliability and utility of its earned value management data. These data help management monitor project performance by measuring the value of work accomplished in a given period and comparing it to the planned value of work scheduled for that period and the actual cost of work accomplished.

Demonstrated progress: partially met. NASA’s progress across its portfolio of major projects continues to be mixed since our 2021 high-risk update.

Since March 2021, NASA has launched or completed nine projects. Two of these projects launched within both their cost and schedule baselines. One launched within its schedule baseline, but not its cost baseline. Six projects exceeded both their cost and schedule baselines. Most notably during this period, NASA successfully launched the James Webb Space Telescope, one of the agency’s most complex science missions. It also launched the Orion crew capsule and NASA’s newest rocket, the Space Launch System, as part of efforts to return to the moon.

The overall cost and schedule performance of NASA’s portfolio of major projects continues to decline. We reported in June 2022 that the cost growth had deteriorated for the sixth consecutive year while the average schedule delay increased for the second consecutive year. NASA’s most expensive and complex projects, known as category 1 projects, drove the cumulative development cost overruns and schedule delays. Each category 1 project has a life-cycle cost estimate of more than $2 billion, uses significant radioactive material, or is intended for human spaceflight. Nearly all of the $12 billion in cumulative development cost overruns we reported in June 2022 are attributed to cost overruns on the nine category 1 projects out of a total of 21 projects in the portfolio.

Figure 29: Cumulative Development Cost and Schedule Overruns for the National Aeronautics and Space Administration’s Portfolio of Major Projects Since 2013

Note: The years in the figure are the year we issued our annual assessment of major National Aeronautic and Space Administration (NASA) projects. Data are primarily as-of January 2022 except for the Space Launch System, Exploration Ground Systems, and Europa Clipper projects, which are as of March 2022. NASA currently has 22 major projects in the implementation phase. However, we excluded the Commercial Crew Program from this analysis to be consistent with prior years because it has a tailored project life cycle and project management requirements and did not establish a baseline.

To demonstrate sustained improvement in cost and schedule performance for its portfolio of major projects, NASA will need to control the extent to which the most expensive and complex category 1 projects have cost overruns and schedule delays. Over the next few years, these projects will include complex human spaceflight projects needed for future Artemis missions. NASA will need to control cost growth and schedule delays on these projects as they move from development into the final design and fabrication phase and progress into integration and testing. This phase of the acquisition process often reveals unforeseen challenges leading to cost growth and schedule delays.

NASA senior leaders said that recent efforts that may help control project cost and schedule growth include having projects: document when they deviate from the agency’s policy for establishing cost and schedule baselines, and develop plans to remove work if cost growth or schedule delays occur. These officials said they plan to explore additional ways to control project cost and schedule, specifically for category 1 projects.

What Remains to Be Done

Since we added this area to our High-Risk List in 1990, we have made numerous recommendations to NASA focused on this high-risk area. Sixteen of these recommendations remain open as of March 2023. To continue reducing acquisition risk and demonstrating progress, NASA should implement our recommendations to improve

Further, NASA will need to identify ways to improve management of the most expensive and complex major projects, such as category 1 projects, to demonstrate sustained improvement in cost and schedule performance.

Benefits

Financial benefits over the past 17 years totaled more than $10 billion. There were also more than 60 other benefits. For example:

  • In response to two recommendations from December 2019, NASA agreed to develop a solid business case for its mission to return U.S. astronauts to the moon, and produce a full cost estimate for the mission.
  • In 2020, NASA evaluated its Technology Readiness Assessment (TRA) process after we issued a best practices guide. Using our TRA guide, NASA identified gaps in its internal TRA process and potential improvements to it. This action increases the likelihood of NASA producing high-quality, evidence-based TRAs that provide managers and decision makers with the information needed to make technical and resource allocation decisions about whether a technology is sufficiently mature for use.

Contact Information

For additional information about this high-risk area, contact William Russell at (202) 512-4841 or russellw@gao.gov.

DOD Contract Management

The Department of Defense (DOD) can improve its management of contracts for service acquisitions by ensuring requirements are validated, budget needs are forecasted, and category management is used to gain efficiencies, and for operational contract support by issuing department-wide guidance.

Why Area Is High Risk

DOD spends hundreds of billions of dollars annually on contracts for goods and services. If these contracts are not well-managed, the department could lack the information needed to make informed and cost-effective decisions and reduce its vulnerability to various risks. For these reasons, we added DOD’s contract management to our High-Risk List in 1992. Since then, DOD has made progress addressing various challenges, such as increasing the size and know-how of its acquisition workforce responsible for contract management.

DOD has experienced challenges with service acquisitions—information technology, management support, and other tasks performed by contractors—that include validating requirements and forecasting budget needs. This type of information can help DOD make decisions for service acquisitions that leverage efficiencies and are informed by anticipated spending. DOD has also faced difficulties with Operational Contract Support (OCS) for military activities around the world, including identifying capability gaps, developing guidance, and integrating this support into planning and training.

Overall ratings for all five criteria remain unchanged since 2021. However, the capacity rating increased to met for OCS. The following sections present more detailed information.

Service Acquisitions

Leadership commitment: met. DOD maintained leadership commitment by revising its service acquisition policy in January 2020, including changes incorporated in June 2021. Revisions include a clarification of the responsibilities, purpose, timing, and data for review boards that validate service requirements. DOD’s incorporated changes also better align this policy with the Adaptive Acquisition Framework—tailorable pathways to meet warfighter needs.

Capacity: partially met. DOD has or intends to revise responsibilities for some key service acquisition positions. However, it is too early to tell whether these personnel will have the necessary capacity to perform their responsibilities. For example, in October 2022, DOD designated the responsibility for category management—an Office of Management and Budget (OMB)-led initiative intended to help agencies buy more strategically and achieve efficiencies—to the Principal Director of Defense Pricing and Contracting. DOD plans to issue additional guidance on how the department can use category management to better manage service acquisitions by the end of fiscal year 2023. DOD also recently transferred oversight responsibility for service requirements review boards from the Chief Management Officer—whose office was dissolved in October 2021—to the Under Secretary of Defense for Acquisition and Sustainment. However, DOD has neither demonstrated that its category management leaders have the capacity to implement the planned guidance nor that the Under Secretary of Defense for Acquisition and Sustainment has the personnel necessary to establish annual services requirements review processes to oversee service requirements. As of February 2023, we have ongoing work to assess whether some of these changes will address previously identified capacity shortfalls related to key leadership positions having multiple responsibilities and minimal effect on how DOD manages service acquisitions.

Action plan: partially met. While DOD has recognized challenges in the acquisition of services, it has yet to develop a corrective action plan to fully address these challenges. DOD has identified two needed areas where it has taken or plans to take actions to address issues. First, DOD plans to better identify roles and responsibilities and issue guidance to clarify how category management will be used to more efficiently manage service acquisition spending. Second, DOD plans to implement guidance to collect and report on budget needs for service acquisitions beyond the current budget year. However, DOD’s guidance does not identify how the budget needs collected during service requirements review boards will be communicated or used to inform forecasts required for fiscal year budget submissions.

Monitoring: partially met. DOD continued its efforts to collect data and monitor service acquisitions. For example, DOD’s January 2020 revision to its service acquisition policy requires that the results from service requirements review boards be tracked. It also advises the use of metrics to measure service acquisition performance. DOD is also planning to restart an annual assessment of service requirements review processes. In addition, it is developing a dashboard to track its spending trends for service acquisitions. However, DOD has yet to demonstrate how the information from these efforts will be aggregated and used given the recent transfer of oversight responsibility to the Under Secretary of Defense for Acquisition and Sustainment.

Demonstrated progress: partially met. DOD demonstrated progress by clarifying responsibilities for category management in October 2022. It also exceeded OMB’s fiscal year 2022 category management goals for obligations considered to be strategically managed after falling short the preceding 2 fiscal years. DOD also issued guidance in June 2022 to begin forecasting budget needs for service acquisitions in its fiscal year 2024 budget submission. The guidance requires all DOD components to forecast budget needs for service acquisitions over a 5-year period. As of February 2023, DOD’s effort to collect the data to forecast budget needs is underway. We are assessing its progress as part of our ongoing work.

Operational Contract Support

Leadership commitment: met. DOD sustained its leadership commitment and support to address OCS issues. For example, in 2017 and again in 2020 and 2022, DOD updated guidance on roles and responsibilities for OCS planning and execution throughout the department. These updates included identifying responsibilities of the Deputy Assistant Secretary of Defense (Logistics) related to both OCS and vendor threat mitigation (previously known as vendor vetting). Also, in March 2020, DOD expanded the role of the Functional Capabilities Integration Board—senior leaders’ primary forum for OCS issues.

Capacity: increased to met. DOD’s capacity rating improved from partially met to met because it addressed OCS capability shortfalls that previously created risks to operational effectiveness, timelines, and resource expenditures. For example, DOD completed all 15 actions outlined in the August 2018 Joint Requirements Oversight Council memorandum aimed at improving policy, education, personnel, and force structure analysis. DOD also created a functional competency model with nine OCS-specific skills against which to assess DOD civilians. According to DOD officials, this model is being used to inform education, training, hiring practices, and other manpower decisions, such as the development of a first-ever OCS manpower study.

However, going forward, it will continue to be important for DOD to demonstrate that capacity at the combatant commands will not diminish with the September 2020 dissolution of the Joint Contingency Acquisitions Support Office. Planners from this office were previously embedded with combatant commands to help develop the OCS annexes to operational plans. To ensure this OCS capability is not lost, DOD officials said they are developing training for OCS planners at the combatant commands.

Action plan: met. In July 2021 and March 2022, DOD issued its eighth and ninth OCS Action Plans. The plans provide goals and objectives which are DOD’s key mechanisms to measure its progress addressing OCS capability shortfalls. These action plans are organized to address five areas of OCS capability shortfalls—(1) training, (2) education, (3) lessons learned, (4) policy changes, and (5) emerging requirements.

Monitoring: met. DOD maintains several formal and informal groups to monitor OCS progress, such as the Functional Capabilities Integration Board and its Council of Colonels, the Vendor Threat Mitigation Working Group, and the OCS Data and Information Group. These groups meet regularly and are co-chaired by senior officials in the Office of the Secretary of Defense and Joint Staff. Specifically, these groups track how well DOD has addressed the OCS capability shortfalls identified in the annual OCS Action Plans.

Demonstrated progress: partially met. DOD continues to make progress addressing our priority recommendations for OCS. For example, in July 2022 DOD addressed a December 2018 recommendation by issuing a directive to provide department-wide guidance on vendor threat mitigation. This directive formalized DOD policy and responsibilities related to assessing and responding to risks posed by vendors who oppose U.S. interests. At the same time, DOD extended the use of its related interim guidance until December 2023. Also, two combatant commands—Africa and Indo-Pacific—issued command-specific vendor threat mitigation guidance. However, after several years, DOD has yet to revise its instruction on how OCS should be integrated throughout the department, including into operational plans and training. DOD officials said they expect to issue the revised instruction by the end of March 2023.

What Remains to Be Done

As of February 2023, there are four open recommendations related to this high-risk area. For example, to enhance its ability to forecast budget needs for service acquisitions and manage OCS for current and future operations, DOD needs to:

  • establish a mechanism, such as a working group of key stakeholders, to coordinate efforts to develop budget forecasts for service acquisitions using consistent data. Completing a plan—which was due by June 1, 2022—to implement a statutory requirement to forecast budget needs for services could help the department implement this recommendation by assigning responsibilities, identifying needed changes to budget guidance, and establishing milestones to track progress.[29]
  • issue military department guidance on how to collect and report forecasted budget needs for service acquisitions across a 5-year time span in each budget submission.
  • issue department-wide guidance for OCS detailing how OCS should be integrated throughout the department, including into operational plans and training.

Benefits

Improvements in DOD’s contract management over the past 17 years have resulted in more than $35 billion in financial benefits and more than 300 other benefits. For example:

  • DOD’s and other federal agencies’ increased use of category management has resulted in more than $35 billion in cost savings. In 2016, we recommended that OMB set and report on goals for using category management, which DOD exceeded for fiscal year 2022.
  • DOD increased the size and skills of its acquisition workforce and implemented solutions to improve and institutionalize operational contract support capabilities.
  • From 2011 to 2022, DOD implemented solutions to institutionalize and improve OCS capabilities, including the development of nine annual action plans to track progress toward key goals to address capability shortfalls in training, education, lessons learned, policy changes, and emerging requirements.

Contact Information

For additional information about this high-risk area, contact William Russell at (202) 512-4841 or russellw@gao.gov.

VA Acquisition Management

The Department of Veterans Affairs (VA) has developed a plan for improving its acquisition function, but several long-standing issues remain. Addressing these issues—for instance, by completing a supply chain modernization strategy—would increase VA’s efficiency and effectiveness.

Why Area Is High Risk

VA has among the highest obligations and number of contract actions in the federal government. Over the past 10 years, VA’s total contract obligations increased substantially, rising 147 percent. In fiscal year 2022, VA obligated about $56 billion for goods and services.

Our work continues to identify VA acquisition management challenges including: (1) developing adequate strategies and policies, (2) managing its supply chain, (3) managing its acquisition workforce, (4) improving its information technology and data systems, and (5) providing consistent leadership and execution of management priorities. VA made some progress addressing these issues. However, a number of substantial challenges remain. Given VA’s significant contract obligations and the acquisitions-related challenges it faces, we added VA acquisition management to our High-Risk List in 2019.

The following sections present more detailed information on the overall rating.

Leadership commitment: partially met. VA’s acquisition leaders, including the Chief Acquisition Officer, continue to demonstrate commitment to addressing the challenges they face. As part of its action plan, VA created the Acquisition Leadership Team in February 2022 to collaborate on an overall strategy to address its acquisition management challenges.

However, VA will need sustained leadership commitment to ensure it has clearly-established authorities, roles, and responsibilities for implementing the action plan. The plan requires ongoing efforts by a number of different individuals and organizations across the agency. In addition, clear accountability mechanisms will be needed to ensure consistent execution. Further, as we reported in August 2022, VA’s effort to implement its new acquisition framework—a key part of its action plan—faces challenges that will require leadership engagement. This includes ensuring framework compliance and identifying which programs will be subject to the new oversight framework.

Capacity: partially met. VA continues to make progress in building capacity to address its acquisition management challenges. For example, in July 2021, VA implemented training and developed comprehensive guidance for contracting staff in its Federal Supply Schedule program, in response to our recommendations. VA uses the Federal Supply Schedule to purchase billions of dollars in medical supplies each year. In May 2020, VA also developed an acquisition knowledge portal that provides standardized acquisition guidance and tools for the entire acquisition community.

However, we reported in August 2022 that VA identified acquisition workforce gaps that affected VA programs’ ability to manage major acquisitions. In September 2022, we reported that VA lacks comprehensive data to track the totality and characteristics of its acquisition workforce. Addressing these issues would help enable VA to implement its planned acquisition framework, and make data-driven human capital decisions. We recommended that VA conduct an enterprise-wide workforce assessment to identify any gaps, and take steps to ensure it keeps up-to-date and accurate acquisition workforce records.

VA also needs to develop additional capacity to manage its supply chain. In March 2021, we reported that VA was pursuing multiple major initiatives to modernize its supply chain. However, VA still faces challenges in implementing these efforts to ensure they will result in a modern and efficient supply chain for VA. VA has yet to fully address our recommendation to develop a comprehensive supply chain strategy. This, in turn, has hindered VA’s efficient acquisition management and its mission to meet veterans’ needs.

Action plan: increased to met. VA improved in this criterion since our last high-risk update. In March 2021, VA issued its initial action plan to address acquisition management challenges. These challenges include managing contracting officer workload and lack of reliable contracting and financial data systems, and supply chain modernization. For example, VA identified root causes of these issues, corrective actions, and metrics intended to track progress. It has continued to update that plan, most recently in September 2022.

Monitoring: increased to partially met. VA improved in this criterion because it identified corrective actions, goals, and performance metrics that it will use to measure progress in improving acquisition management. However, VA has yet to fully develop a monitoring program to validate the effectiveness and sustainability of corrective actions. This is because some of the metrics in its action plan measure interim steps, rather than VA’s desired outcomes.

Our recent work highlighted specific areas where VA could improve its monitoring. For example:

  • In July 2021, we reported that VA’s senior procurement leader relies on process-oriented metrics—such as competition rates and small business utilization—to manage the department’s procurement organizations. We recommended VA use a balanced set of performance metrics to manage the department’s procurement organizations. VA concurred with this recommendation.
  • In August 2022, we recommended that the Chief Acquisition Officer (1) establish key measures for performance of its planned framework for managing major acquisitions, (2) collect and analyze data related to these measures, and (3) report results. Developing performance measures would better position VA to evaluate its progress and make changes as needed. VA is currently preparing to implement the new framework.

Demonstrated progress: increased to partially met. VA demonstrated some progress by implementing 15 recommendations related to acquisition management. For example:

  • In September 2018, we reported that VA had few mechanisms for monitoring subcontracting limitations and the potential for fraud in implementing its Veterans First Program. This program implements VA’s statutory preferences for veteran-owned small businesses when awarding contracts. We recommended that VA conduct a fraud risk assessment for the program. VA completed its fraud risk assessment in April 2022.
  • In September 2016, we found that VA’s procurement policy framework was outdated and fragmented. We recommended that VA identify measures to expedite the revision of the Veterans Affairs Acquisition Regulation (VAAR), which had been ongoing for many years. As of March 2022, VA has published the final or draft rules for all 41 VAAR parts that it is updating.

However, VA still needs to address some recommendations that will take more time and effort to implement. This includes developing a comprehensive supply chain strategy and taking steps to ensure the success of its planned framework for managing its major acquisitions. Additionally, VA continues to develop desired outcomes and performance measures for its high-risk plan. It will need time to monitor and demonstrate sustained progress.

What Remains to Be Done

As of February 2023, there are 22 open recommendations related to VA acquisition management. These include:

VA also needs sustained leadership attention to drive change across the department and address acquisition management challenges.

Benefits

There were more than 10 benefits related to the VA acquisition management high-risk area, since the 2021 high-risk update. For example, VA:

  • Developed a mechanism to consistently obtain and analyze user feedback on the Federal Supply Schedule program. This feedback will provide information on users’ experience. This, in turn, will help program officials ensure the program is meeting VA’s needs for goods and services to support veterans’ health care.
  • Conducted a contracting fraud risk assessment and developed a plan that will help VA assess subcontracting risk for its Veterans First Program moving forward.
  • Developed and implemented training for its Federal Supply Schedule program. This helps ensures that contracting staff are prepared to award contracts efficiently and effectively.

Contact Information

For additional information about this high-risk area, contact Shelby S. Oakley at (202) 512-4841 or oakleys@gao.gov.

Enforcement of Tax Laws

The Internal Revenue Service (IRS) needs to increase its capacity to implement new initiatives, improve ongoing enforcement and taxpayer service programs, and combat identity theft (IDT) refund fraud.

Why Area Is High Risk

This high-risk area comprises two segments representing pressing challenges for IRS—addressing the tax gap and combatting IDT refund fraud. In 2022, IRS estimated that the average annual net tax gap—the difference between taxes owed and taxes paid on time—was $428 billion, on average, for tax years 2014–2016.

IDT refund fraud occurs when an identity thief files a fraudulent tax return using a legitimate taxpayer’s identifying information and claims a refund. For 2021, while IRS estimated that it prevented the theft of about $10 billion in individual IDT refunds, it also estimated that it paid between $50 million and $250 million to fraudsters.

Overall ratings for all five criteria remain unchanged since 2021. The monitoring criterion for Refund Fraud Related to Identity Theft increased to a met rating. The following sections present more detailed information on the two segments summarized in the overall rating.

Addressing the Tax Gap

Leadership commitment: met. IRS demonstrates strong leadership commitment to estimating and addressing the tax gap. It also adopted a more strategic approach to identifying and selecting budget program priorities, among other steps. For instance, IRS’s Fiscal Year 2022–2026 Strategic Plan includes a goal to enforce the tax law fairly and efficiently to increase voluntary compliance and narrow the tax gap.

Capacity: not met. IRS continues to face challenges with skills gaps and an aging technology infrastructure. It has not fully implemented strategic workforce planning initiatives, such as conducting workforce analysis. IRS has also further delayed implementing its workforce plan until March 2024.

In May 2022, IRS officials attributed reduced staffing due to decreased funding as the primary reason for declining audit rates shown in figure 30. Enacted in August 2022, the statute commonly known as the Inflation Reduction Act of 2022 provides IRS with about $80 billion in additional funding over the next decade.[30] In August 2022, the Secretary of the Treasury directed IRS to deliver a plan for the funds within 6 months of its request. In April 2023, IRS delivered its plan. In refining and carrying out the plan, IRS should work towards implementing our open recommendations for improving tax enforcement, particularly those that it previously said the agency lacked resources to implement.

Figure 30: Audit Rates for Individual Tax Returns Declined from Tax Years 2010 to 2019 (latest available)

Action plan: partially met. IRS is developing a strategy to improve the services it provides to make voluntary compliance easier for taxpayers and ensure taxes owed are paid. IRS’s Fiscal Year 2022–2026 Strategic Plan includes two goals for providing taxpayers a better service experience. However, IRS still needs to clearly state agency-wide and division performance goals for improvements in the taxpayer experience and specify its related measures with targets.

Monitoring: partially met. IRS continues to use tax gap data to study compliance behaviors and update formulas designed to identify tax returns with a high likelihood of noncompliance. However, IRS could strengthen third-party information reporting for sole proprietors, the largest portion of the underreporting tax gap.

Demonstrated progress: partially met. IRS implemented some corrective measures to improve compliance and reduce the tax gap, including its use of the Return Review Program to screen individual returns claiming refunds. However, IRS lacks specific quantitative goals to reduce the tax gap or improve voluntary compliance. This makes it more difficult to determine the success of its strategies.

Refund Fraud Related to Identity Theft

Leadership commitment: met. IRS has recognized the evolving challenge of IDT refund fraud in its strategic plans, expanded fraud detection activities, and implemented agency-wide antifraud efforts. Such efforts include bringing officials together from across the organization to discuss potential fraud risks.

Capacity: partially met. IRS has developed a prerefund system that can detect IDT fraud. However, to fully expand IDT refund fraud prevention, it needs to digitize information from paper returns at intake. This would allow IRS to reduce processing time, use the prerefund system’s fraud filters on all paper and electronic forms, and allow more prerefund compliance checks or investigations, among other benefits.

Additionally, in January 2020, we found that IRS does not resolve all business IDT cases within its guidelines. We also found that the agency lacked customer service-oriented performance goals for resolving cases. In November 2021, IRS set a new 120-day average time frame standard for processing individual and business IDT cases.[31] However, its latest guidance acknowledges its case resolution time averages 360 days due to challenges created by the COVID-19 pandemic and an increase in its identity theft inventories. In October 2022, IRS stated that it would be unable to achieve the 120-day time frame until 2024.

Action plan: met. IRS’s Fiscal Year 2022–2026 Strategic Plan acknowledges its responsibility to safeguard taxpayer and IRS data. It also states that technological and security investments help ensure that IRS delivers a high-quality taxpayer experience while safeguarding taxpayer data. IRS exceeded the Department of the Treasury’s priority goal for reducing IDT refund fraud in 2019 and 2020.

Monitoring: increased to met. IRS has improved its ability to monitor IDT fraud. For example, it improved its ability to track outcomes of taxpayer authentication conducted by phone or in person, such as rates and reasons why taxpayers may have difficulty authenticating their identity. IRS also established a policy and schedule to assess risks to phone, in-person, and correspondence authentication channels. This may help identify emerging risks to the tax environment. Additionally, IRS updated its monitoring reports and annual estimates of dollars protected and lost to fraud to include business IDT fraud.

Demonstrated progress: partially met. IRS has demonstrated some progress by

  • developing tools and programs to further detect and prevent IDT refund fraud, such as the Return Review Program;
  • implementing its foundational authentication initiatives and monitoring required resources to complete them; and
  • working to implement new federal online authentication standards.

However, IRS lacks the governance structure to coordinate all aspects of its efforts to protect taxpayer information held by third-party providers. It also lacks a dedicated entity—with defined responsibilities and the necessary authority to perform its role—to oversee business IDT efforts.

What Remains to Be Done

As of February 2023, 178 recommendations related to the tax gap and IDT refund fraud remain open or partially implemented. IRS should fully implement all of our recommendations addressing this high-risk area, such as

Congressional Actions Needed

There are 30 open matters for congressional consideration. For example, to help IRS address this high-risk area, Congress should consider

  • expanding third-party information reporting for certain payments that rental real estate owners make to service providers, such as contractors who perform repairs on their rental properties;
  • providing IRS with authority—with appropriate safeguards—to correct math errors and discrepancies between information from taxpayers and government databases;
  • establishing requirements for paid tax return preparers to help improve the accuracy of the tax returns they prepare;
  • requiring that returns prepared electronically but filed on paper include a scannable code printed on the return to better leverage the Return Review Program’s capabilities; and
  • providing IRS with explicit authority to establish security requirements for the information systems of paid preparers and Authorized e-file Providers.

Benefits

Progress in this high-risk area has led to nearly $40 billion in financial benefits and more than 300 other benefits. These benefits include improved research, systems, and delivery of benefits for qualified taxpayers. For example:

  • Congress addressed our recommendation to require more third-party reporting for payments made to online platform workers.[32] The increased reporting will improve tax compliance by providing IRS with better information about platform workers’ incomes, and making it easier for certain taxpayers to complete tax returns.
  • Our recommendation that IRS assess the costs and benefits of accelerating W-2 deadlines and provide the information to Congress led to substantial financial benefits. Congress took action to advance the deadline for employers to file W-2s to January 31.[33] By improving its ability to conduct compliance checks before issuing refunds, IRS prevented more than $5 billion in invalid refunds in the first 4 years since it implemented the new W-2 filing deadline.

Contact Information

For additional information about this high-risk area, contact James R. McTigue, Jr., or Jessica Lucas-Judy at (202) 512-6806 or mctiguej@gao.gov or lucasjudyj@gao.gov.

Medicare Program & Improper Payments

The Centers for Medicare & Medicaid Services (CMS) has taken some action to reduce improper payments but needs to do more to address Medicare’s financial and oversight challenges.

Why Area Is High Risk

We designated Medicare as a high-risk program due to its size, complexity, effect on the federal budget and health care sector, and susceptibility to mismanagement and improper payments.

In 2022, the Medicare program spent an estimated $940.4 billion—about 15 percent of federal spending—to provide health care services for approximately 65 million elderly and disabled beneficiaries. The Medicare program is complex, with more than 1.4 million providers and more than 20 different payment systems. Spending is expected to increase significantly over the next decade as the U.S. population ages and more individuals begin receiving Medicare benefits. Further, the Medicare Hospital Insurance Trust Fund is projected to be depleted in 2028. At that point, the Medicare program’s revenue would be sufficient to pay about 90 percent of scheduled benefits. The Medicare Hospital Insurance Trust Fund primarily relies on payroll taxes to finance inpatient hospital services and other related care.

Medicare also faces a significant risk for improper payments, which reached an estimated $46.8 billion in fiscal year 2022. Improper payments refer to those made either in an incorrect amount or that should not have been made at all. CMS—which administers and oversees the Medicare program—should continue to take actions to prevent and reduce improper payments in the program.

Overall ratings for all five criteria remain unchanged since 2021. The following sections present more detailed information about Medicare improper payments plus three additional broad segments—(1) payments, provider incentives, and program management under Medicare fee-for-service (FFS); (2) Medicare Advantage (MA) and other Medicare health plans; and (3) design and oversight of the Medicare program and the effects on beneficiaries.

We continue not to rate CMS’s progress for the three segments, which cover the entirety of the Medicare program, for the following two reasons:

  • There are many vital financial and regulatory factors outside of the agency’s control due to frequent legislative updates to Medicare provider payments and other policies; and
  • the Medicare program is in a profound state of transition:
    • from a payment system that rewards providers based on the volume and complexity of health care services they deliver to one that ties payments to the quality and efficiency of care; and
    • from a program where beneficiaries were primarily enrolled in the FFS program to one where, as of 2022, nearly half of beneficiaries are enrolled in MA.

Medicare Program & Improper Payments

Leadership commitment: met. CMS has continued to demonstrate the leadership commitment needed to ensure the integrity of the Medicare program in response to our continued reporting and focus on improper payment rates. For example, one of the six pillars of CMS’s 2022 strategic plan, called “protect programs,” includes program integrity activities intended to address Medicare improper payments. Elements of the strategy include working with law enforcement agencies to identify and take action against providers who defraud the program; improving infrastructure to prevent fraud, waste, and abuse before claims are paid; and monitoring new and emerging areas of risk.

Capacity: met. The Center for Program Integrity (CPI) is CMS’s centralized entity for Medicare and Medicaid program integrity issues. CPI has experienced an increase in its resources. CMS has established work groups and interagency collaborations to extend its capacity. For example, it allocated additional staff to CPI after Congress provided additional funding. CPI’s full-time equivalent positions increased from 177 in fiscal year 2011 to about 491 in fiscal year 2023.

Action plan: partially met. CMS continues to identify and report progress on corrective actions related to Medicare improper payments. However, work remains to be done to fully meet this criterion. CMS reported this progress in the Department of Health and Human Services’ (HHS) annual Agency Financial Report. CMS officials said the report reflected the agency’s record on its action plan. However, while the fiscal year 2022 report includes targets for reducing Medicare improper payments and highlights corrective actions taken to address root causes of payment errors, it does not identify clear metrics to assess progress, resources needed to implement corrective actions, or time frames for completing those actions to meet its goals.

Monitoring: partially met. CMS continues to make progress in monitoring some areas. However, it needs to improve efforts to monitor provider enrollment screening processes, documentation requirements, and improper payments to MA plans. MA plans are private plans under contract with CMS to provide health care coverage to Medicare beneficiaries. CMS should take steps to routinely assess how variations in the documentation requirements between Medicare and Medicaid may affect estimates of improper payment rates. We also have made a number of recommendations to prompt CMS action to improve MA monitoring and oversight. This includes recommendations related to audits to identify and recover improper payments to MA organizations.

Demonstrated progress: partially met. Estimated improper payment rates for Medicare FFS increased by slightly more than 1 percentage point from fiscal year 2021 to 2022 to 7.5 percent—and decreased by about one-tenth of a percentage point to 1.5 percent for Medicare Part D (see fig. 31). For fiscal year 2022, CMS reported an MA improper payment rate of 5.4 percent. According to CMS, the agency refined its MA improper payment rate methodology for fiscal year 2022. As a result, the rate should not be compared with prior years’ rates. In total, Medicare improper payments were estimated to be about $46.8 billion in fiscal year 2022. Reducing improper payments in Medicare is critical to safeguarding federal funds.

Figure 31: Medicare Fee-for-Service, Medicare Advantage, and Medicare Part D Improper Payment Rates, Fiscal Years 2012–2022

aAccording to CMS, the agency refined its Medicare Advantage improper payment rate methodology for fiscal year 2022 and, as a result, it should not be compared with prior years.

Payments, Provider Incentives, and Program Management under Medicare FFS

As CMS moves toward full implementation of its value-based payment systems in its Medicare FFS program, it will be important for the agency to use reliable quality and efficiency measures and methodological approaches, as highlighted in these two areas.

Merit-Based Incentive Payment System. Under Medicare’s Merit-based Incentive Payment System, doctors and other providers may receive increases or decreases to their Medicare FFS payments based on factors like the cost and quality of care they provide. In October 2021, we found that, from 2017 to 2019, more than 90 percent of providers earned a small increase (less than 2 percent) to their Medicare payments. Providers we interviewed noted some strengths and challenges of the incentive payment system. For example, some said certain design aspects of the system helped smaller practices participate. Others said they were unsure if it helped improve the quality of care.

Hospital Value-Based Purchasing Program. In June 2017, we reported that under CMS’s Hospital Value-Based Purchasing Program, some hospitals with high efficiency scores received bonuses despite having relatively low quality scores. The CMS Hospital Value-Based Purchasing Program is intended to reward acute-care hospitals providing high-quality care at a lower cost. We have two open recommendations to help ensure the program accomplishes its goals.

Medicare Advantage and Other Medicare Health Plans

The continued enrollment increases in MA underscore the need to ensure that CMS has the data necessary to oversee the program and that MA plans are paid accurately, as highlighted by the following two areas.

Encounter data. In June 2022, we reported that CMS was using encounter data—claims-like data collected from the sponsors of MA plans—in its methodology for risk adjusting payments to MA plans. Yet, it had neither addressed our recommendation from July 2014 nor implemented all the steps necessary to validate encounter data for completeness and accuracy.

MA plan payment adjustments. We reported in January 2012 that the inaccuracy of CMS’s adjustments to MA plan payment rates—which account for differences between FFS and MA providers’ coding of medical diagnoses—resulted in billions of excess payments to MA plans. We have an open recommendation to improve the accuracy of these adjustments.

Design and Oversight of the Medicare Program and the Effects on Beneficiaries

Medicare FFS’s benefit design and CMS’s oversight of it affect both beneficiaries’ out-of-pocket costs and the quality and safety of care they receive. Medicare FFS’s benefit design does not include a cap on the maximum cost-sharing amount a beneficiary can be responsible for during a given year for covered services. As we reported in January 2018, this could leave beneficiaries vulnerable to catastrophic costs, especially if they lack supplemental insurance.

Although Medicare FFS beneficiary premiums for calendar year 2023 were reduced, this is likely to be a temporary reprieve for Medicare beneficiaries. Medicare premiums are expected to continue increasing in the long term. Medicare premiums are based, in part, on changes to federal Medicare spending. In 2022, the Medicare Trustees have estimated that federal Medicare spending will grow at a faster rate than workers’ earnings and the economy overall in the long term. This could significantly burden Medicare beneficiaries facing these higher premiums.

In addition to its responsibility for oversight of the Medicare program, CMS must also ensure the quality of care beneficiaries receive. As noted below, CMS has made progress in certain areas, but we identified gaps in oversight of other areas.

Skilled nursing facilities. In July 2021, we recommended that CMS report on its Care Compare website weekend decreases in nurse staffing levels along with minimum staffing thresholds needed to ensure quality of care. As of May 2022, information on weekend nurse staffing has been incorporated into the Care Compare website. As a result, beneficiaries have an improved ability to make informed choices among skilled nursing facilities when choosing a facility for their care.

Hospice provider oversight. In October 2019, we reported that additional opportunities exist to strengthen CMS’s oversight of hospice providers. CMS collects data on the quality of hospice care but does not instruct hospice surveyors—those who conduct the program inspections—to use those data to inform their inspections. We have one open recommendation to improve CMS’s identification of quality of care issues in hospice programs. In addition, in December 2022, we reported on gaps in requirements for reporting allegations of abuse or neglect for individuals in hospice care. We have one open recommendation to address these gaps.

What Remains to Be Done

As of February 2023, 82 recommendations related to the Medicare program remain open. These recommendations include those related to improper payments. For example, we recommended that the Administrator of CMS seek legislative authority to permit payment for recovery auditors to conduct prepayment claims reviews. Reviewing Medicare claims before payments are processed can prevent improper payments. We also recommended that CMS develop policies and procedures for future emergencies, such as postponing rather than waiving fingerprint-based criminal background checks during future emergencies. In addition, we have recommended several actions to CMS to strengthen other aspects of the Medicare program, including that the Administrator of CMS should:

  • account for Medicaid payments made when making Medicare uncompensated care payments to individual hospitals.
  • improve its ability to identify self-referral of advanced imaging services.
  • take steps to improve the accuracy of MA plan payment adjustments to reflect coding differences between FFS and MA providers’ coding of medical diagnoses by, for example, accounting for additional beneficiary characteristics such as sex and health status.
  • complete all of the steps necessary to validate MA encounter data, including performing statistical analyses, reviewing medical records, and providing MA organizations with summary reports on findings.
  • require that states survey agencies, which oversee nursing homes, submit abuse and perpetrator type information to CMS and that CMS systematically assess trends in these data.

Congressional Actions Needed

There are eight open recommendations for congressional consideration that we made over the last 17 years, including that Congress should consider:

  • directing the Secretary of HHS to implement additional reductions in payments to skilled nursing facilities that generate Medicare spending on potentially preventable critical incidents. Under current law, CMS is directed to make reductions of up to 2 percent to certain skilled nursing facilities’ payments to incentivize them to improve care. However, additional reductions are not authorized.
  • equalizing payment rates that are higher for certain types of services provided in hospital outpatient departments rather than physicians’ offices. As of September 2022, Congress has yet to fully address this matter.

Benefits

Financial benefits to the federal government due to CMS’s progress in implementing our recommendations and Congress’s actions have resulted in more than $70 billion in financial benefits and more than 200 other benefits over the past 17 years, including the following:

  • We have reported that CMS’s Fraud Prevention System has helped speed up certain investigation processes. The Fraud Prevention System analyzes claims to identify health care providers with suspect billing patterns. Further, the Healthcare Fraud Prevention Partnership has helped improve information sharing among payers inside and outside of the government. As of August 2022, the partnership has grown to include 259 federal partners, law enforcement, private payers, and other partners.
  • Beginning on January 1, 2022, Medicare prescription drug plan sponsors are required to report actions related to inappropriate opioid prescribing to CMS, in response to our October 2017 recommendation. As a result, CMS can now gather more complete information on inappropriate opioid prescribing. This, in turn, can help inform progress made in achieving the agency's goals to reduce this risk.
  • In June 2021, we recommended that the Administrator of CMS review disenrollments by MA beneficiaries in the last year of life because we found that they disenrolled to join Medicare FFS at higher rates than other MA beneficiaries. Stakeholders also told us that, among other reasons, these beneficiaries may disenroll because of limitations accessing specialized care under MA. CMS has since analyzed these disenrollments and plans to continue doing so annually. This will allow CMS to better identify and address potential concerns regarding the care provided to MA beneficiaries in the last year of life.
  • In December 2015, we suggested that Congress consider equalizing payment rates that are higher for certain types of services provided in hospital outpatient departments rather than physicians’ offices. Congress passed and the President signed multiple laws that partially addressed our concerns in 2015 and 2016. This includes legislation that created site-neutral payment rates for some off-campus hospital outpatient departments. In turn, an estimated cost savings of $4.4 billion in fiscal years 2017 through 2021 occurred.[34] Additionally, in November 2018 and in 2019, CMS issued final rules capping rates for certain Medicare services furnished by off-campus hospital outpatient departments; the agency estimated cost savings of about $1.5 billion in fiscal years 2019 through 2021.

Contact Information

For additional information about this high-risk area, contact Leslie V. Gordon at (202) 512-7114 or gordonlv@gao.gov.

Strengthening Medicaid Program Integrity

The Centers for Medicare & Medicaid Services (CMS) needs to strengthen its oversight of Medicaid expenditures to reduce improper payments and ensure the appropriate use of program dollars.

Why Area Is High Risk

In fiscal year 2022, Medicaid served about 82 million low-income and medically needy individuals at an estimated cost of $516 billion. This area is on our list due to (1) Medicaid improper payments, which were nearly $81 billion in fiscal year 2022; (2) states’ uses of state-directed and supplemental payments that could increase Medicaid spending without appropriate oversight; and (3) limitations in CMS’s oversight of states’ Medicaid expenditures and utilization data.

Additionally, between February 2020 and September 2022—during the COVID-19 public health emergency—Medicaid enrollment increased about 31 percent (19.9 million individuals). CMS focused on responding to COVID-19 and supporting state efforts. As a result, its plans to strengthen Medicaid program integrity were, at times, scaled back or postponed. Our ratings account for the competing demands posed by the public health emergency.

Overall ratings for all five criteria remain unchanged since 2021 and are all partially met. The following sections present more-detailed information on the three segments that comprise the overall high-risk area: reducing improper payments, ensuring the appropriate use of program dollars, and improving program data.

Improper Payments

Leadership commitment: met. CMS continues to demonstrate leadership commitment to oversight of improper payments. It has taken additional steps to assess program risk and target its oversight accordingly. In March 2022, CMS outlined plans to use our fraud risk framework to help inform its approach to managing fraud risk across Medicaid. CMS prioritized risk assessments for program areas such as nonemergency medical transportation. Continued actions to identify program risks can help CMS develop strategies to mitigate these risks.

Capacity: partially met. CMS has issued guidance to help increase states’ capacity to identify improper payments. Nearly one quarter of Medicaid improper payments in 2020 related to nonenrolled providers and states’ noncompliance with provider screening and enrollment requirements. CMS issued guidance in June 2021 outlining information states were to submit to demonstrate compliance with these requirements. However, it allowed states to waive these requirements during the public health emergency. All states opted to do so.

Action plan: partially met. CMS has taken additional actions aimed at reducing improper payments in Medicaid. For example, it issued a proposed rule in September 2022 aimed at streamlining eligibility. CMS also released guidance to support state efforts to resume normal Medicaid eligibility and enrollment operations suspended during the COVID-19 public health emergency.[35] However, given known weaknesses in states’ eligibility processes, these efforts need to be balanced with those to prevent improper payments to beneficiaries who are ineligible for the program. CMS also outlined new requirements for nonemergency medical transportation providers designed to help prevent fraud and abuse.

Monitoring: partially met. While CMS has monitored some efforts to address improper payments in Medicaid, other important aspects of oversight are not being monitored. For example, CMS reviewed all states’ Medicaid plans for noncompliance with third-party liability requirements. These requirements help assure that Medicaid remains the payer of last resort for services. CMS directed noncompliant states to update their plans. However, in February 2021, we reported concerns with Puerto Rico’s Medicaid procurement processes, noting CMS’s lack of oversight of Medicaid procurements in states and territories. Because procurements constitute at least 50 percent of Medicaid program spending, such monitoring is critical to improving program oversight. In September 2021, we reported that CMS guidance for the certified community behavioral health clinics demonstration lacked clear and consistent information on aligning payment rates with costs and preventing duplicate payments.

Demonstrated progress: partially met. CMS’s overall estimated Medicaid improper payment rate increased slightly from 21.4 percent in fiscal year 2020 to 21.7 percent in fiscal year 2021. This rate decreased to 15.6 percent in fiscal year 2022. The Department of Health and Human Services (HHS) stated that the 2021 and 2022 rates reflect certain flexibilities afforded to states during COVID-19. These flexibilities include postponed eligibility determinations and reduced provider enrollment requirements. HHS also stated that fiscal year 2021 marked the first time CMS had a complete national estimate of improper payments due to eligibility errors in 7 years. However, the managed care component of the error rate continues to not account for all program risks.

Appropriate Use of Medicaid Dollars

Leadership commitment: partially met. CMS continues to demonstrate leadership commitment by implementing its 2016 policy to better ensure that Medicaid demonstrations are budget neutral (i.e., that the demonstrations do not increase federal costs). In 2021, CMS implemented another portion of its 2016 budget neutrality policy. This portion focuses on renewals of demonstrations. However, its effect has been delayed to some extent because several states sought temporary extensions of demonstrations during the public health emergency.

The Consolidated Appropriations Act, 2021, required additional state reporting on supplemental payments made to eligible providers. CMS issued guidance indicating that it would begin collecting these data quarterly. In January 2022, it anticipated publicly reporting these data annually. This additional reporting, however, does not include information on the sources of funds used to finance the nonfederal share. In December 2020, we recommended CMS include this information because, without it, CMS cannot adequately determine whether payments are (1) consistent with statutory requirements for economy and efficiency, and (2) financed with permissible sources of funds.

Capacity: partially met. CMS has taken some actions toward building oversight capacity but needs stronger processes to ensure the appropriate use of state-directed payments to providers under managed care. CMS revised its review process for approving these payments. It now requires states’ proposals to include additional information, such as the estimated amount of the payments and plans to finance the nonfederal share of those payments. However, we reported in June 2022 that CMS does not require states to report the actual amounts of these payments. This leaves a gap in information needed for oversight. Oversight of state-directed payments will be increasingly important, given widespread approval of these proposals nationwide since 2017 (see fig. 32).

Figure 32: Centers for Medicare & Medicaid Services Approvals of State-Directed Payments

Action plan: partially met. CMS continues to implement scheduled policy changes to ensure budget neutrality of demonstrations. The most recent significant change began in 2021. The timing for other planned actions is unknown. While CMS indicated it needed to modify its financial reporting systems to capture new supplemental payment information, it did not provide a time frame for completion. Additionally, in August 2018, we recommended that CMS conduct a national assessment of resources needed to review state expenditure reporting. However, the agency’s plan to conduct the assessment has been suspended since 2019.

Monitoring: partially met. CMS has taken steps to improve its ability to monitor federal demonstration spending. In May 2021, CMS reported that states continued using a standardized budget neutrality monitoring tool. The agency is developing standard operating procedures to document its process for overseeing budget neutrality. For supplemental payments, however, CMS continues to lack a strategy for systematically identifying questionable provider payments—for example, payments exceeding a facility’s total costs, as identified in our prior work.

Demonstrated progress: partially met. CMS’s actions reduced total demonstration spending limits by an estimated $210 billion for 2016 through 2020, of which the federal share was more than $124 billion. An additional policy that took effect on January 1, 2021, should further reduce federal liabilities. CMS also issued a policy for its review and clearance of evaluations of demonstrations for public release. It has posted more than 30 related reports on its website as of February 2023, consistent with our January 2018 recommendation.

It is too early to determine the extent to which CMS’s new requirements for state reporting on supplemental payments will better ensure the appropriate use of Medicaid dollars. We continue to examine the widespread approval of state-directed payments.

Medicaid Data

Leadership commitment: met. CMS continues to demonstrate leadership commitment through its efforts to improve the quality and availability of Medicaid data. This includes its ongoing efforts to implement the Transformed Medicaid Statistical Information System (T-MSIS). These efforts include ensuring that all 50 states, the District of Columbia, and two U.S. territories submit monthly T-MSIS eligibility and claims data. Of these submissions, 37 states and territories met targets for submitting critical and high-priority data, as well as expenditure data, as of January 2023. In addition, CMS issued a proposed rule to implement a requirement for states to report annually on certain health care quality measures for the Medicaid population.[36] In July 2022, CMS released its first quality measure set to promote consistent quality measurement across states’ Medicaid home and community-based services programs.

Capacity: partially met. CMS took steps to increase states’ capacity to report Medicaid data. In June 2021, CMS announced it would release reporting templates and technical assistance toolkits. It also developed a web-based portal for states to submit required annual managed care reports. These steps provide more consistent and comprehensive information to hold states and managed-care organizations accountable for meeting program goals. In addition, CMS revised the process states use to report children’s receipt of screening, diagnostic, and treatment services. The revision allows states to have CMS use T-MSIS data to document these services on their behalf beginning in 2021. Nineteen states opted to do so. However, CMS has yet to define the required scope and methodology for independent audits of managed care data, as we recommended in October 2018.

Action plan: partially met. CMS has not developed a plan with time frames for using T-MSIS data for broad program oversight, as we recommended in December 2017. However, we reported in January 2021 that CMS has used T-MSIS data to oversee aspects of the Medicaid program, such as the number of beneficiaries receiving substance use disorder services. Additionally, during the public health emergency, CMS allowed all states to make temporary changes to their home and community-based services programs to maintain access to services and help prevent disease spread. However, in September 2021, we reported that CMS had no plan for evaluating these changes nor their effects after the public health emergency ends. Such a plan could help CMS better prepare for future emergencies.

Monitoring: partially met. CMS has taken some steps to improve its use of data to monitor Medicaid utilization and quality of care. However, more work remains. In June 2021, CMS began requiring states to submit annual managed care data assessments. It provided states with a series of tools to improve the monitoring and oversight of managed care programs. In addition, CMS has used T-MSIS data to monitor the effects of the COVID-19 public health emergency on enrollment and utilization.

However, in March 2022, we reported that despite a sizable increase in the use of telehealth services since the pandemic began, CMS neither assesses nor reports information on how telehealth affects the quality of care beneficiaries receive. Collecting and analyzing such data would be consistent with how CMS has encouraged states to use data on quality of care to identify disparities in health care and target opportunities to advance health equity. In May 2021, we also reported that data limitations complicated HHS’s efforts to assess the effectiveness of Certified Community Behavioral Health Clinics in providing behavioral health care services to beneficiaries.

Demonstrated progress: partially met. CMS continues to assess and improve T-MSIS data quality and expedite their use for program oversight. However, its assessments of T-MSIS data highlight areas where limitations persist and where states do not meet agency standards. Additionally, our March 2022 review of selected states’ T-MSIS data identified incomplete race and ethnicity data in all but one of the selected states. In addition, in one state, the data could not properly link beneficiaries with the services they received. CMS has also made T-MSIS research-ready analytic files publicly available. It introduced a means by which states and researchers can explore data quality by topic, such as enrollment, expenditures, and utilization.

What Remains to Be Done

As of February 2023, 70 recommendations related to the Medicaid program remained open. To strengthen Medicaid program integrity, CMS needs to

  • expand its review of states' implementation of provider screening and enrollment requirements and, for states not fully compliant with the requirements, annually monitor their implementation progress;
  • improve oversight of Medicaid procurements;
  • collect sufficient provider-specific information from states on Medicaid payments to providers, including supplemental payments, and the sources of funds states use to finance their share of the payments, and specify what criteria should be used to ensure that Medicaid payments at the provider level are economical and efficient;
  • complete an assessment and take steps to assure that resources to oversee state-reported expenditures are adequate and allocated according to risk; and
  • continue efforts to assess and improve T-MSIS data and articulate specific plans and associated time frames for using these data for broad program oversight.

Congressional Actions Needed

Congressional action could improve oversight of Medicaid expenditures. In January 2008, we recommended Congress consider establishing statutory requirements for HHS to improve the demonstration review process to more clearly outline the methods used to demonstrate budget neutrality.

Benefits

Financial benefits due to the progress made strengthening Medicaid program integrity over the past 17 years totaled more than $140 billion and resulted in more than 100 other benefits to the federal government. For example:

  • In multiple reports since the 1990s, we reported that HHS allowed states to use questionable methods that resulted in inflated demonstration spending limits and increased the federal government’s fiscal liability. In response, HHS issued a new policy in 2017 to better ensure that these demonstration projects are budget neutral. HHS estimated that this policy reduced the federal government’s fiscal liability in 10 states by $29.5 billion for 2020.
  • In 2021 and 2022, CMS provided us with documentation of Risk Assessment Frameworks for Medicaid. These frameworks outline CMS’s approach for conducting fraud risk assessments using a standard format to document vulnerabilities, risk levels, residual risks, and mitigation strategies, among other topics. These actions met the intent of our 2017 recommendation and are consistent with leading practices identified in our fraud risk framework.
  • To improve oversight of states' payment structures for Medicaid managed care, we recommended that CMS require all states to collect and report on progress toward achieving managed care program goals. CMS issued guidance in June 2021 that triggered a requirement for states to submit annual reports on their Medicaid managed care programs. This, in turn, gives CMS more consistent and comprehensive information on states’ performance in meeting managed care program goals.

Contact Information

For additional information about this high-risk area, contact Catina Latham at (202) 512-7114 or lathamc@gao.gov and Michelle Rosenberg at (202) 512-7114 or rosenbergm@gao.gov.

Improving and Modernizing Federal Disability Programs

Sustained attention and efforts are needed to ensure that federal disability programs provide benefits in a timely manner, reflect current research about disability, and achieve positive employment outcomes.

Why Area Is High Risk

Three of the largest federal disability programs—managed by the Social Security Administration (SSA) and the Department of Veterans Affairs (VA)—paid about $300 billion in cash benefits through the programs in fiscal year 2021 to 20 million individuals. However, both agencies struggle to manage their workloads and make timely decisions on benefit claims.

In addition, both agencies rely on outdated criteria to decide whether individuals qualify for benefits. They also experienced delays in their efforts to update criteria. Beyond these benefit programs, we reported in June 2012 that the government has a patchwork of more than 40 employment support programs, which lack a unified vision, strategy, or set of goals to guide their outcomes.

Overall ratings for all five criteria remain unchanged since 2021. However, ratings for the segments that comprise this high-risk area show mixed progress. Two criteria increased for Managing Disability Claims Workloads (VA) and one criterion increased for Updating Disability Eligibility Criteria (VA). However, one criterion decreased for both Managing Disability Claims Workloads (SSA) and Updating Disability Benefit Eligibility Criteria (SSA).

The following sections present more detailed information on the five segments summarized in the overall rating.

Managing Disability Claims Workloads (SSA)

Leadership commitment: met. SSA included eliminating and preventing backlogs of initial disability claims and appeals as a strategy for building a customer-focused organization in its fiscal year 2023 annual performance plan.

Capacity: partially met. SSA made efforts to increase the number of staff to process initial claims and decide appeals, but it still lacks the desired number of staff. SSA has experienced significant challenges hiring and retaining staff since the beginning of the COVID-19 pandemic. SSA’s hiring efforts increased its total number of staff for processing initial claims from fiscal years 2020 to 2021. However, due to unusually high attrition, the number of staff decreased by about 650 during fiscal year 2022, dropping below the 2020 level. Additionally, SSA experienced a decrease of about 500 staff for processing appeals from fiscal years 2020 to 2022, primarily due to attrition among legal assistants.

SSA officials stated that competition in the labor market and the complexity of job responsibilities contribute to the agency’s staffing challenges. To address these issues, SSA is working with local offices on the potential to increase pay for claims processors and other staff. It has also established initiatives—such as a national mentoring program—to improve job satisfaction, recruitment, and retention.

Action plan: partially met. SSA has identified root causes related to workload challenges and initiated corrective actions to address them. However, it lacks a detailed plan that includes timelines and explains how SSA will measure the success of planned corrective actions.

Although SSA has continued to reduce its appeals backlog, it has neither updated its plan for managing it since 2019 nor produced a similar plan for addressing a backlog of initial disability claims that grew during the COVID-19 pandemic. Such plans are especially important now, given expected workload increases as a result of the pandemic and ongoing service delivery changes. We reported in November 2022 that SSA lacks a plan for managing a possible future increase in claims due to COVID-19-related illnesses and other factors. We also reported that SSA’s transition to more remote services has presented new challenges for vulnerable populations.

Monitoring: decreased to partially met. This rating decreased from met to partially met. SSA continues to monitor and report on its progress toward achieving goals for timely processing of initial disability claims and appeals. However, the agency cannot fully monitor progress on its new initiatives to address capacity challenges without a detailed plan, which—as discussed above—SSA lacks.

Demonstrated progress: partially met. SSA has demonstrated mixed progress managing initial disability claims and appeals. During most of the pandemic, SSA completed fewer claims than it received (see fig. 33). At the end of fiscal year 2022, SSA’s cumulative inventory of pending initial claims was about 64 percent higher than its prepandemic average. According to SSA’s annual performance report, pandemic-related disruptions and staff attrition contributed to this increase. In contrast, SSA’s inventory of pending appeals decreased by 40 percent from the end of fiscal year 2019 to the end of fiscal year 2022.

Figure 33: Social Security Administration (SSA) Initial Disability Claims Processing, March 2018–September 2022

Note: “Prepandemic average” refers to the monthly average for the 2 years prior to the pandemic, March 2018 through February 2020.

Managing Disability Claims Workloads (VA)

Leadership commitment: met. VA leaders continued focusing on initiatives to improve processing of veterans claims for disability compensation and reduce the department’s backlog of initial claims and appeals of claims decisions. For example, VA has a designated team to coordinate its efforts to address this high-risk area. Continued and coordinated leadership from top VA officials will be important as they monitor efforts to plan, implement, and complete these initiatives.

Capacity: partially met. VA has improved its capacity to address initial claims and appeals workloads by enhancing its ability to predict workloads, improving information technology, and hiring thousands of staff. However, several planned actions have yet to be completed. Specifically, VA has yet to (1) fully implement activities intended to mitigate surges in workloads; (2) complete the planned hiring of veteran law judges; and (3) fully assess risks against timeliness, accuracy, and other goals, as called for in our March 2018 report.

Action plan: increased to met. This rating increased from partially met to met. Since 2021, VA has enhanced its action plan to manage its workload and refined metrics and milestones needed to track progress. For example, VA’s August 2022 action plan more clearly described how VA analyzes workload demand and staffing needs. It will remain important for the department to continue maintaining and refining its action plan, such as by further detailing the Board of Veterans’ Appeals’ (Board) plans to manage workload risks associated with fluctuations in demand.

Monitoring: increased to met. This rating increased from partially met to met. Since 2021, VA has improved its monitoring of and reporting on the timeliness of initial claims and appeals, among other performance metrics. For example, VA established processes to monitor progress toward implementing its corrective actions. Moreover, in December 2022, the Board set a goal to measure the quality of decisions in the new appeals process, as called for in our March 2018 report.

Demonstrated progress: partially met. While VA has reduced its backlog and inventory for initial disability claims and appeals under the old process, it has faced continuing challenges managing workloads. For example, VA reported a decline in its backlog of initial claims from a high of about 611,000 in March 2013 to about 151,000 in November 2022. However, VA workloads have fluctuated during this time period, particularly when legislative changes have been made to the disability compensation program. VA expects another workload surge related to veterans exposed to toxins in Iraq and elsewhere due to a new 2022 law.[37] In addition, the appeals inventory continues to grow, particularly for hearings. When claims and appeals inventories have spiked in the past, VA has taken years to resolve its workloads.

Updating Disability Benefit Eligibility Criteria (SSA)

Leadership commitment: met. SSA has maintained leadership focus on updating the medical and occupational criteria that define eligibility for disability benefits. For example, SSA continued to include developing a new occupational information system as a key initiative in its most recent annual performance plan issued in April 2022.

Capacity: met. SSA has maintained a consistent number of staff to continually update its medical criteria that help determine whether a person qualifies for disability benefits. SSA also continues to receive data under an interagency agreement with the Bureau of Labor Statistics (BLS). It will use these data to update occupational criteria that are also used for disability decisions.

Action plan: partially met. SSA has goals for reviewing its medical criteria for each body system (diseases and disorders in each part of the body) on a 3-to-5-year cycle and for refreshing data underlying the occupational criteria on a 5-year cycle.

Additionally, SSA identified a need for updated agency policies and regulations that are consistent with the BLS occupational data, as well as a new interface to incorporate this data. However, SSA has yet to develop timelines for these rulemaking efforts or the subsequent data implementation.

Monitoring: decreased to partially met. This rating decreased from met to partially met. SSA continues to track overall progress on modernizing its medical and occupational criteria, for example, through monthly progress reports on data collection that BLS submits to SSA. As mentioned above, since our last update, SSA identified the need for new rulemaking and policy changes to update its occupational criteria. While SSA has yet to provide a timeline for this effort, it has identified a project manager to develop and maintain a master plan. SSA will need to complete this plan and develop overall project timelines to fully monitor progress on these rulemaking and policy changes.

Demonstrated progress: partially met. According to SSA officials, the agency has produced comprehensive updates of its medical criteria since 2011 for 11 of the 14 body systems and rulemaking efforts are underway for the remaining systems. Additionally, SSA has made progress in its partnership with BLS to survey employers about occupational requirements and develop new occupational criteria, including receiving a first round of data from BLS. However, SSA is awaiting additional rounds of data. It is also working to revise its policies to be consistent with the new data before it can use the data in evaluating disability claims.

Updating Disability Benefit Eligibility Criteria (VA)

Leadership commitment: met. VA maintained leadership focus on updating medical and earnings loss information in its eligibility criteria for disability compensation. The criteria, referred to as the VA Schedule for Rating Disabilities (VASRD), are used to assign a degree of disability and a compensation level for veterans with service-connected injuries or conditions. VA senior leadership closely participates in updating the VASRD.

Capacity: partially met. As of March 2023, VA reported filling 70 percent of staff positions within the program office tasked with updating the VASRD. VA is also establishing data agreements with SSA and the Census Bureau to improve how VA studies loss of job earnings associated with specific disabilities. However, VA has yet to articulate the level of resources needed to incorporate information from the earnings loss studies into future VASRD updates. This effort is still in the early stages.

Action plan: increased to met. This rating increased from partially met to met. In August 2022, VA provided us with an updated action plan that better defined corrective actions for updating the VASRD, including metrics and milestones to track and achieve its stated outcomes. For example, VA’s action plan more clearly describes the department’s progress to establish and maintain sufficient staffing to update the VASRD medical criteria continually. The plan also establishes a pilot program to test how VA will use data from its earnings loss studies. It will remain important for the department to continue its efforts in maintaining and refining its plan.

Monitoring: partially met. VA continues to use a project management system to monitor and evaluate its progress toward updating the medical information in the VASRD. Further, VA’s August 2022 action plan includes metrics and milestones for monitoring progress toward implementing its corrective actions. While VA is tracking progress on its studies of earnings loss, it is too early for VA to evaluate the effectiveness and sustainability of its efforts to incorporate earnings loss information into future VASRD updates.

Demonstrated progress: partially met. VA’s August 2022 action plan states that the department has updated the medical information covering 10 of the 15 body systems in the VASRD. However, VA continues to experience delays and has extended the timeline to complete all body systems updates by early fiscal year 2024, more than 8 years beyond VA’s initial goal. VA also continues to study earnings loss. Its action plan stated that VA has estimates associated with about 250 of more than 700 diagnostic codes in the VASRD. However, VA is still assessing the usability of the resulting data and how it will update the VASRD with the results.

Programs with Unified Strategies and Goals (Office of Management and Budget)

Leadership commitment: partially met. The Office of Management and Budget (OMB) reported in March 2022 that it does not plan to establish government-wide goals for the employment of people with disabilities. OMB cited the difficulty of setting goals for more than 40 programs with different designs and target populations. Instead, to enhance federal coordination, OMB staff noted that the Department of Labor’s (DOL) Office of Disability Employment Policy leads an interagency subcommittee on employment of people with disabilities. DOL officials said the subcommittee was established in early 2021 under the leadership of the former director of disability policy within the Domestic Policy Council.

The subcommittee has taken some actions to encourage collaboration across federal agencies and programs. For example, in August 2022, nine entities that participate in the subcommittee issued a letter to states and local governments. This letter promoted strategies for leveraging and coordinating resources across systems (known as blending, braiding, and sequencing) to maximize their value and increase the labor force participation of people with disabilities in competitive integrated employment.

However, while DOL officials said the subcommittee continues its work on these issues, as of February 2023, the subcommittee has not identified specific objectives for the next phase of its work. These officials also said the subcommittee lacks the authority to set government-wide goals. They also noted that setting such goals would require White House support and continuity in leadership. Nevertheless, setting goals for employment of people with disabilities is important to focus government-wide efforts and improve coordination among disparate federal programs. Past OMB efforts, including a cross-agency priority goal for science, technology, engineering, and math education, may serve as a model for setting government-wide goals for many different programs.

Capacity: partially met. OMB staff reported that OMB would continue working with federal agencies on various demonstration projects related to employment for people with disabilities and supporting interagency working groups. Additionally, DOL officials told us that the subcommittee on disability employment has convened stakeholders from five of the nine agencies we identified in our prior work that administer relevant programs: DOL, SSA, the U.S. AbilityOne Commission, and the Departments of Education and Health and Human Services. DOL officials also highlighted the importance of sustaining the subcommittee’s momentum and pursuing opportunities for stronger coordination, with the support of the White House.

Action plan: not met. OMB staff reported that the subcommittee is addressing various issues related to employment for people with disabilities. However, the group lacks established long-term priorities and plans to set goals for the employment of people with disabilities outside of the federal sector.

Monitoring: partially met. OMB staff reported that DOL oversees progress toward the federal government’s existing goal for individuals with disabilities to comprise 7 percent of the workforce for federal contractors and subcontractors. DOL reported in October 2022 that 15 percent of contractors that provided data by job group as part of a compliance review in fiscal year 2022 met the 7 percent goal. While DOL continues to monitor progress toward this goal, neither OMB nor the subcommittee reported setting or monitoring progress toward a goal for employment for people with disabilities in the economy as a whole.

Demonstrated progress: partially met. In June 2020 we reported that the federal government exceeded a prior government-wide goal for hiring people with disabilities. Further, the Office of Personnel Management recently implemented our recommendation from that report to routinely track and report retention data for employees with disabilities. However, neither OMB nor the subcommittee have goals for or track progress toward increasing the employment of people with disabilities outside of the federal sector.

What Remains to Be Done

Since this area was added to our High-Risk List in 2003, we have made numerous recommendations. As of February 2023, 24 of these recommendations remain open. SSA, VA, and OMB should implement our recommendations related to improving the process of claiming benefits and coordinating between programs that support employment for people with disabilities. For example:

  • SSA should develop an agency-wide plan for managing anticipated increases in its disability workloads.
  • VA should improve its management of its workloads by assessing the performance of the new appeals process and address its associated risks.
  • OMB should establish a set of measurable, government-wide goals for employment of people with disabilities, an action we identified in a 2012 report on opportunities to reduce overlap and duplication in the federal government.

Benefits

More than $10 billion in financial benefits, and more than 100 benefits due to progress in modernizing and improving disability programs over the past 16 years, including:

  • VA improved its project planning for implementing its new appeals process. Our work identified that VA’s implementation plan did not include all key activities and was not supported by detailed planning. Implementing our recommendation helped ensure the agency was well positioned to implement the new appeals process.
  • SSA implemented our recommendation to mitigate risks and assess costs for implementing and maintaining its occupational information system. This helped SSA ensure that it could devote sufficient resources to maintaining its system going forward.

Contact Information

For additional information about this high-risk area, contact Elizabeth H. Curda at (202) 512-7215 or curdae@gao.gov.

National Flood Insurance Program

Congress should consider comprehensive reform of the National Flood Insurance Program (NFIP) to improve the program’s solvency and the nation’s flood resilience. The Federal Emergency Management Agency (FEMA) should continue to monitor its new rate-setting methodology and implement our recommendations that remain unaddressed.

Why Area Is High Risk

NFIP has experienced significant challenges because FEMA is tasked with two competing goals—keeping flood insurance affordable and keeping the program fiscally solvent. Emphasizing affordability has led to premium rates that do not reflect the full risk of loss. These rates also produce insufficient premiums to pay for claims. In turn, this has transferred some of the financial burden of flood risk from individual property owners to taxpayers. Specifically, NFIP has had to borrow from the Department of the Treasury to pay claims from major natural disasters.

As of September 2022, FEMA’s debt was $20.5 billion despite Congress having canceled $16 billion in debt in October 2017. Without reforms, NFIP’s financial condition will likely continue to worsen.

The criteria ratings for capacity, action plan, and monitoring increased from partially met to met. The remaining two criteria remain unchanged from 2021. While FEMA has implemented a revised rate-setting methodology that adapts to evolving flood risks and developed a legislative proposal to improve the program’s financial resilience, the following issues still challenge the program’s financial solvency:

  • Congress has yet to enact comprehensive program reforms related to the six areas we identified in 2017, including premium rates, affordability, and debt, which is shown in figure 34.

Figure 34: National Flood Insurance Program Annual Year-End Outstanding Debt to the Department of the Treasury, Fiscal Years 1995–2022

Leadership commitment: partially met. FEMA leadership continues to show a commitment to addressing our recommendations by, for example, implementing an updated rate-setting methodology and a new data system. In addition, FEMA has proposed legislative changes to improve NFIP’s financial resilience. However, Congress has yet to enact comprehensive program reforms that would help address the challenges confronting NFIP.

Capacity: increased to met. FEMA’s implementation of the revised rate-setting methodology and data system have demonstrated a capacity for addressing challenges and completing major projects. FEMA will need to continue to assess its ability to address challenges given that responding to multiple natural disasters can strain its capacity.

Action plan: increased to met. Since our 2021 High-Risk update, FEMA has completed two planning efforts that address the fiscal exposure created by NFIP. First, FEMA completed its Sound Financial Framework. This framework identifies actions to improve NFIP’s financial resilience, among other things. Second, FEMA completed a comprehensive legislative proposal that identifies actions Congress can take to address financial resilience as well as other actions we have suggested. Our suggestions included providing means-based assistance to homeowners with difficulty affording premium rates.

Monitoring: increased to met. FEMA’s updated rate-setting methodology, which allows FEMA to establish premium rates that more fully reflect the risk of losses due to flooding, addresses the fiscal exposure that has kept NFIP on the high-risk list. FEMA has contracted with actuaries to assist NFIP in evaluating actuarial techniques and risk models to ensure NFIP premium rates still fully reflect the risk of loss. In addition, FEMA officials have discussed the extent to which its new rate-setting methodology accurately reflects the current flood risk environment and incorporated feedback as needed. In addition, as part of FEMA’s updated rate-setting methodology, the agency continually evaluates the accuracy of the risk models produced by contractors. This is key to monitoring NFIP’s fiscal exposure.

Demonstrated progress: partially met. Since our prior report, FEMA has implemented an October 2008 recommendation to revise its rate-setting methodology to better reflect a property’s expected losses from a flood. It has also continued to take actions to address other outstanding recommendations. Congress has passed multiple short-term reauthorizations of the program, most recently when it passed an authorization set to expire on September 30, 2023. However, Congress has yet to enact comprehensive reforms related to the six areas we identified in April 2017 (program debt, full-risk-rates, affordability, consumer participation, private-sector involvement, and flood resilience).

What Remains to Be Done

Over the years since we added this area to our High-Risk List, we have made numerous recommendations related to this issue. While FEMA has taken action to close a number of recommendations, as of February 2023, six remain open. While NFIP has improved in a number of areas, to continue to demonstrate progress, FEMA should do the following:

  • Annually analyze the amounts of actual expenses and profit in relation to the estimated amounts used in setting Write-Your-Own insurers’ payment rates.
  • Assess different approaches, in addition to community assistance visits, for using existing resources to ensure communities’ compliance with NFIP requirements.
  • Determine what information is available related to the mandatory purchase requirement. Then, in turn, use that information to develop strategies for increasing consumer participation in the flood insurance market.

Congressional Actions Needed

We have three open matters for Congress to consider:

  • enacting comprehensive reform, which could include actions in six areas: (1) addressing the current debt; (2) removing existing legislative barriers to FEMA’s ability to revise premium rates to reflect the full risk of loss; (3) addressing affordability; (4) increasing consumer participation; (5) removing barriers to private-sector involvement; and (6) protecting NFIP flood resilience efforts.
  • requiring FEMA to evaluate how comprehensive and up-to-date flood risk information could be used to determine which properties should be subject to the mandatory purchase requirement.
  • providing FEMA direction or authority to implement one or more options identified to address property acquisition challenges, such as preapproval of properties for acquisition or streamlining the acquisition process, among others.

Benefits:

Progress in the NFIP high-risk area over the past 17 years resulted in more than $3 billion saved and 30 other benefits to the federal government. For example, we found that

  • the annual amount that NFIP collects in premiums is generally insufficient to cover high losses, especially in years of catastrophic flooding. In response, in April 2021, FEMA adjusted its rate-setting methodology. This improved the accuracy of the premiums charged and reduced financial risk to the taxpayers and federal government.
  • FEMA’s legacy data system had significant weaknesses. These weaknesses included a lengthy data submission and validation process, limited reporting capabilities, and erroneous and unreliable data. In response, in October 2019, FEMA launched a modernized data system to help administer NFIP effectively.

Contact Information

For additional information about this high-risk area, contact Alicia Puente Cackley at (202) 512-8678 or cackleya@gao.gov.

Managing Risks and Improving VA Health Care

The Department of Veterans Affairs (VA) should continue to make progress in all high-risk areas of concern to address veterans’ critical health care needs.

Why Area Is High Risk

VA operates one of the largest health care systems in the nation. It provides services to more than 9 million veterans who generally have greater health care needs than the broader population. Due to challenges we identified with VA’s ability to provide timely, cost-effective, and quality care, we added VA health care to the High-Risk List in 2015 with five areas of concern: (1) ambiguous policies and inconsistent processes; (2) inadequate oversight and accountability; (3) IT challenges; (4) inadequate training for VA staff; and (5) unclear resource needs and allocation priorities.

VA has continued to face system-wide challenges since our 2021 High-Risk Report. These challenges include overseeing patient safety and access to care, addressing critical staffing, and meeting future infrastructure needs. Additionally, VA has a number of major modernization initiatives that are still in the early stages of implementation, including those related to financial management and electronic health records.

Since our 2021 high-risk report, the ratings for monitoring and demonstrated progress improved from not met to partially met. The ratings for the other three criteria remain unchanged.

In addition, there has been substantial progress in the five areas of concern that are summarized in the overall rating. For example, in the Inadequate Oversight and Accountability area, ratings increased to partially met for all of the criteria. The following sections present details on the five areas of concern summarized in the overall rating.

Ambiguous Policies and Inconsistent Processes

Leadership commitment: increased to met. VA has improved from a partially met rating as it integrated previously established Veterans Health Administration (VHA) policy management initiatives into an updated VHA policy management directive in March 2022. For example, VA now has finalized processes to ensure local policy is consistent with national policy by standardizing and requiring continual monitoring of local policy documents. Further, VA has now addressed all recommendations from our September 2017 report on VHA policy management.

Capacity: partially met. VA has maintained policy procedures it previously established, such as using a process to address funding needs for new national policies. To help accomplish its policy management initiatives, VA officials stated it uses contracts—an estimated $10 million in fiscal year 2022—to support its capacity needs, including the use of professional policy writers to assist program offices. VA notes that its ability to meet some of its projected timelines for these efforts depends on continued contract support.

Action plan: increased to met. VA has improved from a partially met rating. VA’s updated August 2022 action plan presents a clear road map for addressing the root causes of ambiguous policies and inconsistent processes, including elements that will demonstrate progress on its goals. For example, VA uses a metric to show if it is achieving its goal to review national policies before they reach their 5-year expiration dates.

Monitoring: increased to partially met. VA has improved from a not met rating as it identified some activities for tracking progress in this area, such as surveying users on its policy development processes. VA also established overall monitoring procedures and tools, such as a metrics dashboard, to address all high-risk efforts.

Demonstrated progress: increased to partially met. VA has improved from a not met rating as it implemented 20 policy-related recommendations since our last high-risk update in 2021. Also, VA has begun to use some data to show actions taken to implement its action plan. For example, VA successfully reduced the number of expired policies by 32 percent between March 2021 and August 2022. This helped to address issues with untimely policy management. It will be important for VA to further refine its metrics to demonstrate that root causes are being addressed and progress is sustained over time.

VA should also continue to implement our other recommendations. Since March 2021, we have made 14 new recommendations, four of which have been implemented. For example, we recommended that VA establish a national policy to document complaints about community living center care so they can be tracked and resolved.

Inadequate Oversight and Accountability

Leadership commitment: increased to partially met. VA has improved from a not met rating as it had a Senate-confirmed Under Secretary for Health for the first time in 5 years in July 2022. VA has also demonstrated stability since 2021 with senior executives leading high-risk oversight and accountability initiatives that are still early in implementation, such as refining VHA’s governance structures. As of September 2022, the Under Secretary for Health also designated senior executives in VHA’s Office of Integrity and Compliance with leading VA’s entire high-risk effort.

Capacity: increased to partially met. VA has improved from a not met rating as it established additional workgroups and contracts to help meet its compliance, internal audit, and risk management activities. However, several efforts VA identified that address fragmented administrative functions are pending leadership acceptance and funding.

Action plan: increased to partially met. VA has improved from a not met rating as it made progress addressing the root causes of inadequate oversight and accountability in its updated action plan and established key outcomes and interim steps and milestones for achieving them. However, VA does not yet have the performance measures with which to assess progress for all outcomes in this area.

Monitoring: increased to partially met. VA has improved from a not met rating as it has included a few monitoring activities in its action plan, such as reviewing corrective actions, in addition to the metrics dashboard noted in the first area. However, this area does not yet have performance measures in place with which to use these tools as intended or track the progress of all its activities.

Demonstrated progress: increased to partially met. VA has improved from a not met rating as it has implemented 42 oversight-related recommendations since March 2021. It has begun to use some data to show actions taken to implement its action plan. For example, VA deployed a platform for staff to input and categorize risks. In turn, it has begun reporting these data to help address fragmented oversight. VA must continue to expand its use of data to demonstrate that root causes are being addressed and progress is sustained over time. It also must continue implementing our recommendations. For example, since March 2021, we have made 35 recommendations to address continued oversight and accountability issues. This includes five recommendations related to counseling services VHA provides through 300 Vet Centers to help eligible veterans, service members, and their families readjust to civilian life or to continued military service.

Information Technology Challenges

Leadership commitment: increased to met. VA has improved from a partially met rating due to having leadership stability for the last 4 years in the Chief Information Officer position responsible for prioritizing and meeting VHA’s IT needs. The most recent of which was confirmed in December 2021. VA also established and implemented governance structures for major IT efforts, including electronic health record (EHR) and financial management modernization.

Capacity: partially met. VA has maintained its rating due to the significant funding and staff resources provided to EHR modernization. Initial deployment of the system has taken place in five locations since late October 2020 at a cost of about $6 billion. This effort remains in the early stages.

Action plan: partially met. Since 2021, VA underwent an effort to reassess the root causes of IT challenges. It also updated its action plan to better respond to our 2015 High-Risk Report concerns related to the outdated, inefficient nature of certain systems, and incorporate VA’s current IT strategic initiatives. While VA’s updated action plan includes some actions, milestones, and measures that will show progress toward reaching its goals, it lacks certain details. For example, VA has not included any corrective actions, milestones, or performance measures related to deploying its EHR system. Figure 35 depicts how VA’s EHR modernization will enable sharing of veteran health data with the Department of Defense through the shared EHR system. This key effort has faced continued delays since our 2021 High-Risk Report, affecting the implementation of this $16.1 billion initiative.

Figure 35: Military Service and Veteran Health Data in the VA/DOD Shared Electronic Health Record System

Monitoring: increased to partially met. VA has improved from a not met rating as it described monitoring activities in its action plan. This includes responsibilities for the boards and committees that review data for identified performance measures and the metrics dashboard noted in the first area. In addition, VA routinely reviews its actions and metrics to monitor progress through an IT leadership workgroup.

Demonstrated progress: increased to partially met. VA has improved from a not met rating as it has implemented 11 IT-related recommendations since March 2021. It has begun to produce some data related to its metrics. However, VA needs to further develop its metrics to show how it is implementing its action plan and that the actions taken are addressing root causes. VA also should continue to implement our recommendations. Since March 2021, we have made eight recommendations to address IT issues. This includes two recommendations in February 2022 related to data management challenges VA needs to address for its EHR system. One called for VA to establish and use performance measures and goals to ensure the quality of migrated data. VA concurred with our recommendations, both of which remain open.

Inadequate Training for VA Staff

Leadership commitment: partially met. VA maintained its rating due to filling the Chief Learning Officer position in early 2022 after it was vacated the prior fiscal year. VA has also maintained the governance structures it previously established, such as learning councils made up of program office training staff. VA is continuing to establish training processes to develop an enterprise-wide annual training plan by fiscal year 2025.

Capacity: partially met. VA maintained its rating by establishing working groups and assigning staff specific responsibilities for its training initiatives. These initiatives are highly reliant on organization-wide collaboration, such as from contracting, finance, and policy offices. VA also relies on contracts—an estimated $1.25 million in fiscal year 2022—and staff to support these initiatives. As of August 2022, VA has established seven of the 16 integrated project teams working on specific training initiatives.

Action plan: increased to met. VA improved from a partially met rating as it has an updated action plan representing a clear road map for addressing the root causes of inadequate training. This includes key action plan elements that will allow the department to show progress toward reaching its goals. Specifically, VA has identified 16 integrated project teams responsible for developing different training components, such as skill-set standards, that will follow a standardized process with interim steps and milestones. VA has begun to measure its quarterly progress toward completing each training component. It plans to use information from its established processes to develop outcome measures.

Monitoring: increased to partially met. VA has improved from a not met rating as it identified some activities for tracking progress in this area, such as the tool it uses to assign and monitor training completion rates, in addition to the metrics dashboard noted in the first area. However, VA cannot sufficiently monitor progress in this area until it develops outcome measures that will assess the progress of its action plan activities.

Demonstrated progress: increased to partially met. VA has improved from a not met rating as it has implemented three training-related recommendations since March 2021. It has begun to produce some data related to its metrics. However, VA needs to further develop its metrics to show how the actions taken are addressing root causes and progress is sustained over time, and continue implementing recommendations.

Since March 2021, we have made three recommendations to address training issues. For example, in January 2022, we found that VA cannot readily track all memorandums of agreement it uses to partner with nongovernmental entities focused on mental health and suicide prevention efforts. We recommended that VA require training and provide a more comprehensive user guide to officials using the application it designed to document agreement information. VA concurred with our recommendation, which remains open. One of the three training recommendations has been implemented by VA.

Unclear Resource Needs and Allocation Priorities

Leadership commitment: partially met. VA has maintained its rating due to stability in the Chief Financial Officer position and because it has continued to refine its workforce policies. While VA has described future steps to implement its financial management modernization effort, it has only included limited steps to address other critical resource allocation needs, such as projecting needs for community care or implementing human resources modernization efforts.

Capacity: partially met. VA has maintained its capacity rating as it has identified governance structures, staffing, and contract needs for resource allocation. For example, VA established a team in fiscal year 2021 to implement a standard process for documenting and communicating VA medical center staffing level approvals. VA also relies on contracts—an estimated $2 million in fiscal year 2022—to support initiatives such as its financial management modernization effort. VA’s ability to implement this major initiative may be affected by its ability to secure needed contract support through the full implementation date in fiscal year 2028.

Action plan: partially met. VA’s updated action plan does not identify all key elements to address unclear resource needs and allocation priorities, such as including measures for all goals and objectives in this area. For example, VA has a goal of delivering timely and transparent resource decisions by prioritizing use of incentives and awards and connecting health professional trainees to critical vacancies. However, it did not include any performance measures to assess its progress in meeting these objectives.

Monitoring: increased to partially met. VA has improved from a not met rating as it has described monitoring activities in its action plan, such as using a system for supporting its review and approval of position recruitment, in addition to the metrics dashboard mentioned in the first area. However, this area does not yet have a clear road map where it can measure progress in all outcomes.

Demonstrated progress: increased to partially met. VA has improved from a not met rating as it has implemented 11 resource-related recommendations and begun to produce baseline data related to some of its metrics. However, VA needs to further develop its metrics to show how the actions taken are addressing root causes and progress is sustained over time, and continue implementing recommendations.

Since March 2021, we have made nine recommendations to address resource allocation issues. This includes two recommendations in February 2022 related to data limitations for determining supply and demand for community care in 96 health care markets nationwide. We recommended VA review the data to identify any gaps and take steps to address data completeness. VA concurred with our recommendations, both of which remain open.

What Remains to Be Done

We have made 508 recommendations related to this high-risk area since 2010. As of February 2023, 104 recommendations remained open. For example:

  • We recommended in June 2018 that VHA establish a metric for its Veterans Community Care Program to monitor whether veterans are receiving community care within time frames comparable to those at VA facilities. The Consolidated Appropriations Act, 2023, requires VHA to apply designated access standards as an overall performance measure for community care. This will allow VHA to monitor timeliness under the Veterans Community Care Program.[38] We plan to review VHA’s implementation of this requirement.
  • We recommended in February 2019 that VHA develop policies and guidance for employing providers who had registrations for prescribing controlled substances revoked or surrendered for cause.
  • In September 2019, we found that some of VHA’s 18 regional networks of medical centers and clinics increased funding allocations to facilities experiencing declining or flat workloads. We recommended VA revise its guidance requiring regional networks to submit approaches to improve these facilities’ efficiencies, such as adjusting the level of services offered.

Benefits

There have been more than 150 benefits related to the VA health care high-risk area such as:

  • VHA implemented new tools for tracking and overseeing VA medical center reporting of providers with clinical care concerns. This will better ensure VHA is sharing information about serious quality and safety concerns, and its providers are competent to provide safe, high-quality care to veterans.
  • VA collected data on community care appointment scheduling challenges. This included documenting if no providers were available or no providers were available within VA's timeliness standards. This will help it monitor data and ensure veterans receive timely community care.
  • In addition, VHA clearly defined roles for resolving pending enrollment applications and timely processing of applications and accurate enrollment determinations. These actions will help prevent veterans from experiencing unnecessary delays when enrolling for health care benefits. They will also ensure that deficiencies are being addressed appropriately.

Contact Information

For additional information about this high-risk area, contact Sharon Silas at (202) 512-7114 or silass@gao.gov.

Unemployment Insurance System

The Department of Labor (DOL) needs to develop and execute a transformation plan for the Unemployment Insurance system that outlines actions to improve service and mitigate financial risk.

Why Area Is High Risk

In June 2022, we designated the Unemployment Insurance (UI) system—a joint federal-state program—as high risk. We found that UI’s administrative and program integrity challenges pose significant risks to service delivery and expose the system to significant financial losses. Long-standing challenges with UI administration and outdated IT systems have affected states’ ability to meet the needs of unemployed workers, especially during economic downturns. Such challenges have also contributed to impaired service, declining access, and disparities in benefit distribution. DOL recently estimated UI improper payments decreased from $78.1 billion in fiscal year 2021 to $18.9 billion in fiscal year 2022. However, the estimated improper payment rate increased during the same period from 18.9 percent to 22.2 percent respectively. Some of these estimated improper payments were reportedly due to fraud.

In June 2022, we reported that DOL has some activities planned and underway that may address the risks we identified in the UI system. However, additional action is needed. DOL’s UI modernization plan and its efforts to work with states to address fraud, advance equity, and modernize IT systems are steps in the right direction. However, further efforts and sustained action to address recurring UI issues would help stabilize the system and prevent future disruptions to UI administration during economic downturns. Therefore, we designated the UI system as high risk in June 2022. Since this is a recently designated area, we will not rate DOL’s progress until our next High-Risk Report in 2025.

Leadership commitment: We and the DOL Office of Inspector General (OIG) have found that DOL needs to improve its leadership and coordination of actions addressing risks to UI service delivery and program integrity. DOL leadership has acknowledged the need for significant reform of the UI system. In August 2021, DOL established the Office of Unemployment Insurance Modernization within the Office of the Secretary to provide strategic leadership as the department implements its UI modernization plan.

While this action is promising, the office is temporary, consists of a small leadership team, and lacks long-term timelines for planned activities. A long-term strategic plan and sustained leadership are critical to fulfilling the vision outlined in DOL’s UI modernization plan.

Capacity: Limitations in state and federal capacity have been recurring findings in our UI reports and those of the DOL OIG, especially related to ensuring the UI system responds effectively to economic downturns. Between 2009 and 2017, to help states modernize their IT infrastructure, DOL provided funding for consortiums (i.e., multiple states that develop a single common system), among other efforts. However, we previously reported that states faced challenges using this approach, such as managing differences in state laws and business processes. According to the National Association of State Workforce Agencies, when the pandemic began in 2020, many states were still relying on outdated IT systems. Our June 2022 report identified staffing limitations, outdated IT infrastructure, and the limited effectiveness of benefit triggers during economic downturns as some of the capacity challenges faced by the UI system.

DOL has used funding from the American Rescue Plan Act of 2021 to support states in modernizing their IT systems, including the early development of modular technology solutions that can be integrated with state IT systems and a blueprint for the UI customer experience. However, lasting and system-wide solutions are important to meet the vision for infrastructure improvements outlined in DOL’s UI modernization plan.

Action plan: DOL outlined several principles for UI system reform in its fiscal year 2022 and 2023 congressional budget justifications. In addition, in April 2022, DOL released an Equity Action Plan. The plan outlined existing barriers to equitable outcomes in the UI system and summarized DOL’s ongoing and planned actions to advance equity. However, we reported in June 2022 that DOL has yet to conduct comprehensive analyses of the extent of or potential causes for system-wide disparities in benefit receipt or options for supporting nontraditional workers and reflecting a modern economy.

In addition, we found that DOL has not comprehensively assessed UI fraud risks in alignment with leading practices as provided in our Fraud Risk Framework. Clear plans to identify root causes and potential solutions to the challenges underlying DOL’s reform principles are necessary for long-term progress. Action plans can also support DOL’s monitoring efforts and help ensure progress.

Monitoring: DOL collects data from states on UI claims, compensation, payment timeliness, and overpayments, among other information. However, we have identified some limitations in the completeness and accuracy of these data and made related recommendations for improvement. DOL will need high-quality and potentially new data to monitor the effectiveness of UI modernization activities.

Demonstrated progress: DOL needs to make progress reducing the improper payment rate; better managing fraud risk; advancing equity, including across racial and ethnic groups and states; better reaching current worker populations and reflecting the modern economy; restoring prepandemic payment timeliness levels; and improving its response to economic downturns. DOL can demonstrate progress in these areas by implementing our UI-related recommendations and those of the DOL OIG, which align with DOL’s principles and vision for UI reform and are critical for resolving significant risks. Moving forward, it also will be important that DOL’s approach is coordinated—involving state and federal stakeholders, as appropriate—to ensure significant progress in improving the UI system’s performance and integrity.

What Remains to Be Done

As of March 2023, there are 19 open recommendations to DOL for improving the UI system. We consider five of these recommendations to be priority recommendations. Our open recommendations include that DOL should:

  • develop and execute a transformation plan that meets our high-risk criteria. The plan should outline coordinated and sustained actions to address known issues related to providing effective service and mitigating financial risk, including ways to demonstrate improvements; and
  • designate a dedicated entity and document its responsibilities for managing the process of assessing fraud risks to the UI program, consistent with leading practices as provided in our Fraud Risk Framework.

Potential Benefits

Strengthening the UI system can improve service to unemployed workers and reduce exposure of the system to financial risks. By addressing audit recommendations, including developing and executing a plan that meets our high-risk criteria for transformation, DOL has the potential to achieve quantifiable results in reducing improper payment rates, including those related to fraud; improving efficiency in claims processing and restoring pre-pandemic payment timeliness levels; better reaching current worker populations; and enhancing equity in benefit distributions.

Contact Information

For additional information about this high-risk area, contact Thomas Costa at (202) 512-4769 or costat@gao.gov.

Appendix III: GAO’s 2023 High-Risk List

Table 9: GAO’s 2023 High-Risk List

High-Risk Area

Strengthening the Foundation for Efficiency and Effectiveness

  • Strategic Human Capital Management
  • Managing Federal Real Property
  • Funding the Nation’s Surface Transportation Systema
  • Modernizing the U.S. Financial Regulatory Systema
  • Resolving the Federal Role in Housing Financea
  • USPS Financial Viabilitya
  • Management of Federal Oil and Gas Resources
  • Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risksa
  • Improving the Management of IT Acquisitions and Operations
  • Improving Federal Management of Programs that Serve Tribes and Their Members
  • U.S. Government’s Environmental Liabilitya
  • Emergency Loans for Small Businesses
  • Strengthening Management of the Federal Prison System (new)

Transforming DOD Program Management

  • DOD Weapon Systems Acquisition
  • DOD Financial Management
  • DOD Business Systems Modernization
  • DOD Approach to Business Transformation

Ensuring Public Safety and Security

  • Ensuring the Cybersecurity of the Nationa
  • Strengthening Department of Homeland Security IT and Financial Management Functions
  • Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests
  • Improving Federal Oversight of Food Safetya
  • Protecting Public Health through Enhanced Oversight of Medical Products
  • Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals
  • Government-wide Personnel Security Clearance Process
  • National Efforts to Prevent, Respond to, and Recover from Drug Misuse
  • HHS Leadership and Coordination of Public Health Emergencies (new in 2022)

Managing Federal Contracting More Effectively

  • Acquisition and Program Management for DOE’s National Nuclear Security Administration and Office of Environmental Management
  • NASA Acquisition Management
  • DOD Contract Management
  • VA Acquisition Management

Assessing the Efficiency and Effectiveness of Tax Law Administration

  • Enforcement of Tax Lawsa

Modernizing and Safeguarding Insurance and Benefit Programs

  • Medicare Program and Improper Payments
  • Strengthening Medicaid Program Integritya
  • Improving and Modernizing Federal Disability Programs
  • National Flood Insurance Programa
  • Managing Risks and Improving VA Health Care
  • Unemployment Insurance System (new in 2022)
Source: GAO. | GAO-23-106203

aLegislation is likely to be necessary to effectively address this high-risk area.

Appendix IV: Image and Figure Sources

GAO produced all dashboards depicting changes in high-risk areas, as seen in the following example:

Related GAO Products 


The following GAO reports reflect our High-Risk Series reports issued since 2000. For additional GAO products specific to each of the 37 high-risk areas on our updated list, see our High-Risk List website, http://www.gao.gov/highrisk/.

High-Risk Series: Key Practices to Successfully Address High-Risk Areas and Remove Them from the List, GAO-22-105184. Washington, D.C.: Mar. 3, 2022.

High-Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas, GAO-21-119SP. Washington, D.C.: Mar. 2, 2021.

High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas. GAO-19-157SP. Washington, D.C.: Mar. 6, 2019.

High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others. GAO-17-317. Washington, D.C.: Feb. 15, 2017.

High-Risk Series: Key Actions to Make Progress Addressing High-Risk Issues. GAO-16-480R. Washington, D.C.: Apr. 25, 2016.

High-Risk Series: An Update. GAO-15-290. Washington, D.C.: Feb. 11, 2015.

High-Risk Series: An Update. GAO-13-283. Washington, D.C.: Feb. 14, 2013.

High-Risk Series: An Update. GAO-11-278. Washington, D.C.: Feb. 16, 2011.

High-Risk Series: An Update. GAO-09-271. Washington, D.C.: Jan. 22, 2009.

High-Risk Series: An Update. GAO-07-310. Washington, D.C.: Jan. 31, 2007.

High-Risk Series: An Update. GAO-05-207. Washington, D.C.: Jan. 1, 2005.

High-Risk Series: An Update. GAO-03-119. Washington, D.C.: Jan. 1, 2003.

High-Risk Series: An Update. GAO-01-263. Washington, D.C.: Jan. 1, 2001.

Determining Performance and Accountability Challenges and High Risks. GAO-01-159SP. Washington, D.C.: Nov. 1, 2000.

References

Figures

  1. Changes to the High-Risk List Since 2021
  2. Figure 1: Progress in High-Risk Areas from 1990 to 2023
  3. Figure 2: High-Risk Criteria Essential to Addressing High-Risk Areas
  4. Figure 3: Illustrative Example of High-Risk Progress Criteria Ratings
  5. Figure 4: Number of 2023 High-Risk Areas Receiving Met, Partially Met, and Not Met Ratings for Each Criterion
  6. Figure 5: 2023 High-Risk Area Changes by High-Risk Criteria
  7. Figure 6: Key Practices to Demonstrate Leadership Commitment and Sustain High-Risk Efforts
  8. Figure 7: Provisional 2030 Census Life-Cycle Time Frame
  9. Figure 8: Pension Benefit Guaranty Corporation’s (PBGC) Net Financial Position of the Multiemployer Program, Fiscal Years 2000 through 2022
  10. Figure 9: Pension Benefit Guaranty Corporation’s (PBGC) Net Financial Position of the Single Employer Program, Fiscal Years 2000 through 2022
  11. Figure 10: Federal Assets Incorrectly Identified by General Services Administration’s Validation and Verification Process as of February 2020
  12. Figure 11: Projected Cumulative Highway Trust Fund Balance, Fiscal Years 2023 through 2032
  13. Figure 12: Total U.S. Postal Service’s Unfunded Liabilities and Debt, Fiscal Years 2007-2022
  14. Figure 13: Turnover in the Bureau of Indian Education Director Position from 2007 to February 2023
  15. Figure 14: Examples of Small Business Administration Leadership Commitment
  16. Figure 15: The Department of Defense Has Yet to Address Open Questions Related to Its Proposed Reporting Approach
  17. Figure 16: DOD Actions to Address Deficiencies with Suspense Account Transactions
  18. Figure 17: Officials for DOD’s 25 Major IT Business Programs Reported Performance Data to the Federal IT Dashboard, as of June 2022
  19. Figure 18: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges
  20. Figure 19: Percentage of Management Outcomes That Have Been Fully Addressed by the Department of Homeland Security as of February 2023
  21. Figure 20: Overview of DOD’s Process to Identify and Protect Programs and Technologies Supporting Critical Military Capability
  22. Figure 21: Key Food Safety Working Group Activities and Related Actions
  23. Figure 22: Number of Vacancies for Food and Drug Administration (FDA) Foreign Drug Inspection Specialists
  24. Figure 23: Budget Request Information for the Environmental Protection Agency’s (EPA) “Toxic Substances: Chemical Risk Review and Reduction” Program Project, Fiscal Years 2016–2023
  25. Figure 24: Trusted Workforce 2.0 One-Three-Five Framework
  26. Figure 25: Number of Drug Overdoses in the United States, April 2015 through September 2022
  27. Figure 26: Five Key Areas of an Effective National Response
  28. Figure 27: Sealed Glovebox for Plutonium Operations
  29. Figure 28: The Department of Energy’s Ongoing Construction Project at the Waste Isolation Pilot Plant in New Mexico
  30. Figure 29: Cumulative Development Cost and Schedule Overruns for the National Aeronautics and Space Administration’s Portfolio of Major Projects Since 2013
  31. Figure 30: Audit Rates for Individual Tax Returns Declined from Tax Years 2010 to 2019 (latest available)
  32. Figure 31: Medicare Fee-for-Service, Medicare Advantage, and Medicare Part D Improper Payment Rates, Fiscal Years 2012–2022
  33. Figure 32: Centers for Medicare & Medicaid Services Approvals of State-Directed Payments
  34. Figure 33: Social Security Administration (SSA) Initial Disability Claims Processing, March 2018–September 2022
  35. Figure 34: National Flood Insurance Program Annual Year-End Outstanding Debt to the Department of the Treasury, Fiscal Years 1995–2022
  36. Figure 35: Military Service and Veteran Health Data in the VA/DOD Shared Electronic Health Record System
  37.  

End Notes

Contacts

Michelle Sager

Managing Director, Strategic Issues, sagerm@gao.gov, (202) 512-6806

Congressional Relations

A. Nicole Clowers, Managing Director, clowersa@gao.gov, (202) 512-4400
U.S. Government Accountability Office
441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office
441 G Street NW, Room 7149, Washington, DC 20548

Strategic Planning and External Liaison

Stephen J. Sanford, Managing Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office
441 G Street NW, Room 7814, Washington, DC 20548

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s cost of production and distribution. Pricing and ordering information is posted on our website.

To Report Fraud, Waste, and Abuse in Federal Programs

Website: https://www.gao.gov/about/what-gao-does/fraud
Automated answering system: (800) 424-5454 or (202) 512-7470

Connect with GAO

Connect with GAO on Facebook, Flickr, LinkedIn, Twitter, and YouTube. Subscribe to our RSS Feeds or E-mail updates. Listen to our Podcasts. Visit GAO on our website and read the Watchblog.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Copyright

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.