  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

    As of May 22, 2018, GAO has issued 1,568 products with 4,848 open recommendations.


    Results:

    Subject Term: "Critical infrastructure vulnerabilities"

    10 publications with a total of 51 open recommendations including 11 priority recommendations
    Director: Marie A. Mak
    Phone: (202) 512-4841

    1 open recommendation
    Recommendation: The Director of the Defense Security Service should determine how it will collaborate with stakeholders as it pilots a new approach to overseeing contractors with cleared facilities (DSS in Transition), including identifying roles and responsibilities and the related resources needed. (Recommendation 1)

    Agency: Department of Defense: Defense Security Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    including 2 priority recommendations
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with the recommendation. The agency asserts it is working on making improvements to its automated system to further support its remedial action management processes, including timely closure. OPM has established metrics for timeliness, and expects to create a baseline for measuring performance before the end of fiscal year 2018.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with the recommendation. The agency plans to implement role-based training for staff who use Continuous Diagnostics and Mitigation tools, with an expected completion date before the end of fiscal year 2018.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: DOD concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: In its response to our draft report, FDIC concurred with the recommendation. However, FDIC has not yet provided sufficient evidence that it has implemented the recommendation. When evidence is available, we will update this recommendation.
    Director: Shelby S. Oakley
    Phone: (202) 512-3841

    4 open recommendations
    Recommendation: The Secretary of Energy, working with the Administrator of the National Nuclear Security Administration, should include more complete information on the assessments--that is, security plans, vulnerability assessments, independent assessments, and other assessments--used in the annual reports to support the agencies' assessments that DOE and NNSA sites are secure.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken, we will update.
    Recommendation: The Secretary of Energy, working with the Administrator of the National Nuclear Security Administration, should better align the internal review process and mandated report publication deadlines.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken, we will update.
    Recommendation: Additionally, the Secretary of Energy should develop a plan for addressing the physical security infrastructure needs at DOE sites. Similar to a report under development by NNSA, this plan could identify cost and time frames and enable DOE and the Congress to prioritize these projects.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken, we will update.
    Recommendation: Additionally, the Secretary of Energy should, in future annual security certification reports, inform Congress of the reasons for the delayed implementation of the June 2011 DOE material control and accountability order at some sites, as well as the steps DOE and its sites are taking to implement it. DOE should also provide Congress with information on any vulnerabilities or deficiencies in the security at sites that may potentially exist while the sites complete implementation of the order as well as information on any concomitant adjustment to their security posture that is required.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken, we will update.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    including 2 priority recommendations
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In January 2018, DHS stated that it is in the process of updating NCCIC Strategic Objectives. In doing so, DHS will determine the applicability of key performance indicators (KPI) and performance targets enabling NCCIC to assess its effectiveness in achieving its mission. The target date for completion of these activities is September 2018.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: In January 2018, DHS stated that it is in the process of updating NCCIC Strategic Objectives. DHS reported that it will align and verify each of its programs' goals and reestablish performance reviews to ensure mission effectiveness. The target date for completion of these activities is September 2018.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, DHS stated that it was taking steps to enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which is intended to aid NCCIC Watch Operations in helping facilitate the timely, actionable, and relevant dissemination of information to leadership. In September 2017, DHS provided evidence indicating that the NCISS guidelines were incorporated into the incident reporting systems. Based on the information provided, we plan to validate the extent of implementation through additional observation.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In January 2018, NCCIC reported collaborating with the Network System Deployment (NSD) on the development and deployment of a Unified Workflow Information System. DHS reported that this system is intended to serve as NCCIC's central data system for stakeholder ticket creation and tracking. We will review the output of Unified Workflow Information System's development process once the system is implemented.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In January 2018, DHS reported that it has authored and finalized the NCCIC Homeland Security Information Network (HSIN) Community of Interest User Maintenance Standard Operating Procedures (SOP). The SOP indicates that user audits will be conducted on a periodic basis to determine user activity and whether customer information is valid. DHS also reported that the NCCIC continues to gather requirements and to develop its customer relationship management (CRM) tool that will support regular reviews and updates to customer information. The CRM tool implementation date is to be determined.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In January 2018, DHS reported that the Office of Cybersecurity and Communications (CS&C) has developed a Catalog of CS&C Services as a resource to critical infrastructure partners. This guide is intended to promote NCCIC operational offerings and information sharing programs, as well as incorporate other CS&C programs and services to critical infrastructure owners and operators. However, it is unclear how the services catalog will ensure full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2017, DHS reported that CS&C had created a draft road map, which included information on DHS enterprise alignment among its components. Related to this enterprise alignment, DHS reported that it continues to develop resource requirements and a proposed schedule for network consolidation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with the recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. NASA needs to provide evidence of these results for the security assessment plans of two selected high-impact systems.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with the recommendation. The agency needs to complete a re-evaluation of the security control assessments it has performed for the selected systems and take steps to ensure that such assessments include a comprehensive test of technical controls.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with the recommendation. The agency has implemented a system that generates plans of actions and milestones, but has not yet provided sufficient examples of remedial action plans for the selected systems. NASA needs to provide, for these systems, examples of plans of actions and milestones that include responsible organizations, estimated funding, source of funding, and updated milestones and completion dates.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with the recommendation. NASA has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. NASA needs to specify metrics it will use as part of its continuous monitoring efforts.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls. OPM expects to complete this action in fiscal year 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete. Subsequent to OPM informing us that it has re-evaluated tests of technical controls, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of Veterans Affairs should conduct security control assessments for the two selected systems and ensure that the assessment procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls are comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of Veterans Affairs should update remedial action plans for selected systems to include estimated funding and the funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, the frequency with which those metrics are monitored, ongoing status monitoring of the metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized and that it expected the assessment to be completed by July 2017. Once it is completed, we will analyze the results of the NMSRA to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other security-related planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators in identifying and addressing cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days to enable maritime stakeholders to review it and provide comments. Once USCG provides us a final copy of the NVIC, we will analyze it to determine whether it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once it is provided, we will analyze the information we receive and update the status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyber-related threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once it is provided, we will analyze the information received and update the status of implementation efforts.
    Director: Brian J. Lepore
    Phone: (202) 512-4523

    2 open recommendations
    Recommendation: In order to facilitate the efforts of installation planners to efficiently implement the requirements of the Unified Facilities Criteria and DOD Instruction 4715.03, the Secretary of Defense--in conjunction with the Secretaries of the military departments--should provide further direction and information that clarifies the planning actions that should be taken to account for climate change in installation Master Plans and Integrated Natural Resource Management Plans. At a minimum, further direction could include definitions of key terms, such as the definition of "climate change" recently included in DOD Manual 4715.03; further information about changes in applicable building codes and design standards that account for potential climate change impacts; and further information about potential projected impacts of climate change for individual installations.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with our recommendation to provide further direction and information that clarifies the planning actions that should be taken to account for climate change in installation Master Plans and Integrated Natural Resource Management Plans, including providing further information about potential projected impacts of climate change for individual installations. Although DOD has not fully implemented this recommendation, it has started to take actions to address components of it. For example, the department issued DOD Directive 4715.21 (January 14, 2016), in which DOD defines climate change. Also, the Strategic Environmental Research and Development Program produced the report entitled Regional Sea Level Scenarios for Coastal Risk Management (April 2016) and an accompanying database, in which DOD provides regionalized sea level and extreme water level scenarios for three future time horizons (2035, 2065, and 2100) for 1,774 DOD sites worldwide. DOD intends the report and database to be used by planners to adapt to sea level rise, one impact of climate change. However, during July 2017 follow-up work, we learned that the department has not yet provided these planners with projections for the full set of expected impacts of weather effects associated with climate change.
    Recommendation: In order to improve the military services' ability to make facility investment decisions in accordance with DOD's strategic direction to include climate change adaptation considerations, and to demonstrate to installation planners an emphasis on proposing projects with an adaptation component, the Secretary of Defense should direct the Secretaries of the military departments to clarify the instructions associated with the processes used to compare potential military construction projects for approval and funding so that, at a minimum, climate change adaptation is considered as a project component that may be needed to address potential climate change impacts on infrastructure.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with our recommendation to clarify the instructions associated with the processes used to compare potential military construction projects for approval and funding so that, at a minimum, climate change adaptation is considered as a project component that may be needed to address potential climate change impacts on infrastructure. DOD stated that climate change may be one of many factors that can affect facilities and impact mission and readiness, and that the department will review processes and criteria, such as the Unified Facilities Criteria, to strengthen consideration of climate change adaptation. Although DOD has not fully implemented this recommendation, during September 2016 follow-up work we learned that the Army has started to take actions to address components of it. Specifically, in briefing slides presented to congressional staff in 2016, the Army noted that two military construction projects were sited in a manner specifically designed to mitigate the impacts of climate change. These projects were a powertrain facility at Corpus Christi Army Depot and a wastewater treatment plant at West Point. However, as of July 2017, DOD had not provided us with evidence that the department's components have clarified the instructions associated with the processes used to compare potential military construction projects for approval and funding.