GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.

Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.

As of April 18, 2018, there are 5,184 open recommendations, of which 465 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.

Have a Question about a Recommendation?

  • For questions about a specific recommendation, contact the person or office listed with the recommendation.
  • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

Results:

Subject Term: "Critical infrastructure vulnerabilities"

3 publications with a total of 9 priority recommendations
Director: Gregory C. Wilshusen
Phone: (202) 512-6244

2 open priority recommendations
Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially concurred with the recommendation. The agency asserts it is working on making improvements to its automated system to further support its remedial action management processes, including timely closure. OPM has established metrics for timeliness, and expects to create a baseline for measuring performance before the end of fiscal year 2018. As of August 2018, OPM had not yet provided evidence that it has implemented the recommendation.
Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with the recommendation. The agency plans to implement role-based training for staff who use Continuous Diagnostics and Mitigation tools, with an expected completion date before the end of fiscal year 2018. As of August 2018, OPM had not yet provided evidence that it has implemented the recommendation.
Director: Gregory C. Wilshusen
Phone: (202) 512-6244

2 open priority recommendations
Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In January 2018, DHS stated that it is in the process of updating NCCIC Strategic Objectives. In doing so, DHS will determine the applicability of key performance indicators (KPI) and performance targets enabling NCCIC to assess its effectiveness in achieving its mission. The target date for completion of these activities is September 2018.
Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In January 2018, DHS stated that it is in the process of updating NCCIC Strategic Objectives. DHS reported that it will align and verify each of its programs' goals and reestablish performance reviews to ensure mission effectiveness. The target date for completion of these activities is September 2018.
Director: Gregory C. Wilshusen
Phone: (202) 512-6244

5 open priority recommendations
Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with the recommendation. The agency provided plans of action and milestones (POA&Ms) to address specific weaknesses that were overlooked in previous assessments; however, these POA&Ms do not address this recommendation. NASA needs to complete a re-evaluation of the security control assessments it has performed for the selected systems and take steps to ensure that such assessments include a comprehensive test of technical controls.
Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with the recommendation. NASA has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. NASA needs to specify metrics it will use as part of its continuous monitoring efforts.
Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls. OPM expects to complete this action in fiscal year 2018.
Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with our recommendation. As of July 2018, OPM was in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete. Subsequent to OPM informing us that it has re-evaluated tests of technical controls, we plan to verify the agency's actions.