  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.


    Results:

    Subject Term: "Information security"

    40 publications with a total of 223 open recommendations including 10 priority recommendations

    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Secretary of Homeland Security, and the Chief Information Officers Council, should evaluate whether the full implementation of the capability maturity model developed by the Council of the Inspectors General on Integrity and Efficiency ensures that consistent and comparable results are achieved across all federal agencies. (Recommendation 1)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.

    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency plans to update the plans of action and milestones with the current status, including expected completion dates.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM partially concurred with the recommendation. The agency is working on making improvements to its automated system to further support its remedial action management processes, including timely closure.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of updating security policies.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of defining role-based training requirements for its continuous monitoring program.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.

    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation. When evidence is available, we will update this recommendation.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation. When evidence is available, we will update this recommendation.

    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.

    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: In its response to our draft report, FDIC concurred with the recommendation. However, FDIC has not yet provided sufficient evidence that it has implemented the recommendation. When evidence is available, we will update this recommendation.

    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is currently conducting an analysis of all mission functions to include the following goals: simplify the descriptions of NCCIC's mission functions, document all NCCIC functional capabilities, document the applicability of implementing principles to NCCIC mission functions, and map as appropriate. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that it was still in the process of completing the mission functional analysis described in DHS's response to Recommendation 1, which would serve as the basis for developing metrics. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC is updating existing policies and procedures for program management reviews (PMR) to include the metrics developed in recommendation two. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the NCCIC updated guidelines for incident reporting would be completed in May 2017. In addition, according to DHS, incident management system requirements were updated to support the new guidelines and are scheduled to be implemented in June 2017. DHS stated that these steps will enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which the NCCIC Watch Operations uses to help facilitate the timely, actionable, and relevant dissemination of information to leadership. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. As of August 2017, DHS has not provided evidence that the new guidelines have been implemented. However, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NCCIC had completed initial mapping of information flows, as well as the roles and responsibilities for the incident management function. A plan to integrate or consolidate disparate incident reporting systems is scheduled to be completed in December 2017. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that NPPD is gathering the requirements for a customer relationship management (CRM) tool that will support regular reviews and updates to customer information. Additionally, DHS stated that NCCIC will establish and implement a standing operating procedure for capturing and regularly updating prioritized customer information including contact information in the event of an incident. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Office of Cybersecurity and Communications is establishing integrated customer engagement activities that support cyber risk mitigation and incident response planning. In addition, NCCIC will develop standing operating procedures that leverage existing information sharing programs, activities and relationships to tailor engagements that support owners and operators of the most critical cyber-dependent infrastructure assets including designated lifeline sectors. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the Assistant Secretary of Office of Cybersecurity and Communications (CS&C) had consolidated the Enterprise Architecture role within the Office of the Chief Technology Officer (CTO). Working across CS&C, the CTO will establish a technology roadmap, to include consolidation of networks. In addition, NCCIC is working to determine the potential impact of network consolidation on mission functions, including mapping current data sources. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.
    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, DHS stated that the potential reduction in sharing cybersecurity products that may result from migrating the NCCIC Portal to HSIN should be minimal. Contingency information sharing plans will be developed to mitigate potential issues through alternate information sharing practices, particularly involving an actual incident during the migration transition. Foreign partnerships will continue to be maintained through exercises, analytic exchanges with our closest partners, and continued participation in multilateral and bilateral engagements. Once completed, we will analyze the output of NCCIC's efforts in this area to determine the extent to which DHS has fulfilled this recommendation. In August 2017, DHS officials stated an update on the status of the recommendations was forthcoming in September 2017. We will review the evidence provided and update the recommendation status as appropriate.

    Director: David Powner
    Phone: (202) 512-9286

    24 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: United States Agency for International Development
    Status: Open

    Comments: We reported that the U.S. Agency for International Development (USAID) had partially met the following two practices for establishing a complete software application inventory: (1) includes these systems from all organizational components, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, USAID provided its updated application inventory, which includes enterprise IT and business systems from all organizational components, with the exception of two small offices that USAID officials stated use IT systems provided by other business units. In addition, we verified that the inventory includes basic application attributes, including system name, system description, and system owner; however, it does not include the system description and owner for all systems listed. USAID officials reported that they have efforts underway to identify system owners and collect system descriptions from these owners. USAID has also taken steps to ensure the reliability of the inventory, including a data call it conducted to gather information for its updated application inventory, as well as efforts by its Business Enterprise Architecture team to follow up with system owners to obtain complete and accurate system information. We plan to continue to monitor USAID's efforts.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Education
    Status: Open

    Comments: We reported that the Department of Education partially met the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, we reported that the department had not yet established a policy for updating its inventory. In May 2017, the department issued an updated Lifecycle Management Framework directive, which requires system program managers to update the IT asset management information, including for software applications, in the department's Cyber Security Assessment and Management (CSAM) tool. In addition, in June 2017, the department updated its System Inventory Methodology and Guidance Document to ensure that the inventories within CSAM accurately reflect the system's software and operating system, and that all software utilized on the system is appropriately licensed and approved for use by the department's Enterprise Architecture Review Board. We will follow up with the department to determine whether it is using its updated policies.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Commerce
    Status: Open

    Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. We plan to continue to follow up with Commerce to monitor the status of these planned actions.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Energy
    Status: Open

    Comments: We reported that the Department of Energy partially met the following three software application inventory practices: (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2018, which it expects will address the key practices. We plan to monitor the department's efforts to implement the tools.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: We reported that the Department of Housing and Urban Development partially met the following three software application inventory practices: (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and plans for this effort to be completed in fiscal year 2018. In addition, the department stated that it plans to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department plans to conduct quarterly portfolio reviews starting in fiscal year 2018. We plan to continue to monitor the department's efforts.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We reported that the Department of Health and Human Services (HHS) partially met the following software application inventory practice: is regularly updated with quality controls to ensure reliability. In June 2017, we followed up with HHS to obtain the status of actions taken to address our recommendation. As of November 2017, we were still waiting for a response.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Social Security Administration
    Status: Open

    Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices: (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the Enterprise Application Inventory. In addition, the officials stated that the Office of Operations is in the process of redesigning its repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that the agency's Office of Information Security and Office of Systems continue to work to identify additional headquarters applications and to develop processes and automation to include applications in the inventory. However, the agency did not provide documentation that supports the efforts taken. We are following up with the agency to obtain documentation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Interior
    Status: Open

    Comments: We reported that the Department of the Interior did not meet the software application inventory practice of regularly updating the inventory with quality controls to ensure reliability, and partially met the practice of including systems from all organizational components. In June 2017, the department reported that it plans to review the application inventory for quality and completeness as part of its annual update. Further, the department reported that it included applications and systems related to infrastructure investments in the IT portfolio as part of the fiscal year 2017 annual update to the department's application inventory. However, the department did not provide supporting documentation. We plan to monitor the department's efforts to ensure the accuracy and completeness of the inventory, as well as its efforts to include all its business systems in the inventory.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Transportation
    Status: Open

    Comments: In June 2017, the department reported that it had updated its application inventory to, among other things, address the key practices it had not fully met. We are following up with the department to obtain supporting documentation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Labor
    Status: Open

    Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, the department did not include business and enterprise IT systems, and partially met (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, department officials stated that they plan to update the inventory in fiscal year 2017 to address the key practices, including ensuring that the inventory identifies business and enterprise IT systems, systems from all organizational components, and basic IT system attributes. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, including at least annually as part of the department's IT budgeting process. Further, officials stated that the department's Strategic Business Management program implemented a data quality initiative in fiscal year 2016 to improve the quality of the data its component agencies report on their IT systems as part of the department's IT Capital Planning and Investment Control process. We are following up with the department to obtain evidence of the data quality initiative. Further, we will continue to monitor the department's efforts to address the practices.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Treasury
    Status: Open

    Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory: (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory that include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that each system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support; however, they did not provide documentation showing this mapping. We are following up with Treasury to obtain supporting documentation, including its inventory policy. Further, we will continue to monitor its efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We reported that the Department of Veterans Affairs (VA) had partially met the following practice for establishing a complete software application inventory: is regularly updated with quality controls to ensure reliability. We determined that VA partially met this practice because, while officials stated that their repository of systems was viewed as complete, the information within the repository was still maturing and work was being done to automate data capture and integration with other sources. The department has since taken action to address the practice. Specifically, in July 2017, VA officials reported that the department integrated its inventory with multiple repositories of IT system and application information. According to VA officials, this integration enables VA to more completely and accurately capture system and application related information, using both automated and manual processes to update and maintain the inventory. We will follow up with VA to obtain evidence of its action.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of State
    Status: Open

    Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. In June 2017, department officials reported that they are working to align IT assets to the appropriate IT investments through both the capital planning and investment control process and the cloud governance process. The agency intends that these efforts will be the first step in better aligning assets to a defined business function. Department officials also stated that to improve quality control, they are developing additional guidance on the process to review all IT assets throughout their lifecycle, which includes a multi-stakeholder approach to confirm each asset contains accurate, appropriate and relevant information. We plan to continue to monitor the department's efforts.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In April 2017, we followed up with the Environmental Protection Agency to obtain the status of actions taken to address our recommendation. As of November 2017, we were still waiting for a response from the agency.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: We reported that the National Aeronautics and Space Administration had partially met the following two practices for establishing a complete software application inventory: (1) includes these systems from all organizational components, and (2) is regularly updated with quality controls to ensure reliability. In June 2017, agency officials stated that they plan to improve the application inventory using an investment review process, which they expect to complete in 2019. Specifically, the agency intends that the process will lead to an annual review of the application inventory and an improved process for updating the inventory. According to agency officials, the process will incorporate quality control processes into the overall portfolio management and rationalization approach. We plan to continue to monitor the agency's efforts to implement the new review process.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Science Foundation
    Status: Open

    Comments: We reported that the National Science Foundation had partially met the following practice for establishing a complete software application inventory: is regularly updated with quality controls to ensure reliability. In June 2017, agency officials reported that the agency's Chief Information Officer is working with its Division of Information Systems to formalize and provide evidence of the annual validation review that the agency stated it conducts for quality control purposes. The agency expects improvements to be implemented with the upcoming inventory review cycle for fiscal year 2018.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Small Business Administration
    Status: Open

    Comments: We reported that the Small Business Administration (SBA) did not meet one software application inventory practice, and partially met three practices. Specifically, the SBA did not regularly update the application inventory with quality controls to ensure reliability, and partially met (1) includes enterprise IT and business systems, (2) includes systems from all organizational components, and (3) specifies basic application attributes. In July 2017, SBA reported that its draft Software Asset Policy was being vetted throughout the agency for concurrence. SBA officials stated that the Software Asset Policy will determine the required basic application attributes, and provide adequate controls to ensure reliability of the inventory. Although SBA officials stated they are developing the planned milestones and a roadmap to implement the policy, they did not provide a formal release timeframe. We will continue to monitor the SBA's efforts to develop a complete application inventory.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: We reported that the Nuclear Regulatory Commission partially met the following software application inventory practice: is regularly updated with quality controls to ensure reliability. In July 2017, agency officials stated that they plan to finalize procedures to routinely update the agency's inventory in December 2017. We plan to continue to monitor the agency's efforts to address our recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Office of Personnel Management
    Status: Open

    Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice of regularly updating the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group, which is working to standardize the use of automated inventory tools across the government. In June 2017, we followed up with OPM to obtain documentation of these reported actions; however, as of November 2017, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

    Agency: Department of Defense
    Status: Open

    Comments: In June 2017, department officials reported they did not concur with the recommendation at the time it was made, and that their position had not changed.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the department reported that it had identified e-mail as a high cost function, and that it would begin modifying existing processes to collect and review cost, technical, and business information. The agency expects to complete the effort in 2017. We plan to continue to monitor the department's efforts.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of the Interior should direct the department's CIO to document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio.

    Agency: Department of the Interior
    Status: Open

    Comments: We recommended that the Department of the Interior document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio. In June 2017, the department reported that it had developed a comprehensive strategy and approach to implement application rationalization and portfolio management practices. However, the department did not provide supporting documentation. In addition, the department reported that its Office of the Chief Information Officer (OCIO) is currently drafting an application rationalization policy and supporting guidance that will establish a standard analytical approach for rationalizing bureau and office portfolios in a consistent manner across the department, and that its OCIO will collaborate with bureaus and offices to develop an application rationalization analytical framework. However, the department did not provide a timeframe for completing these efforts. We plan to continue to monitor the department's efforts to develop a rationalization policy and standard analytical techniques.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, department officials stated that they plan to associate applications to specific IT investments, and to use this information to identify potential cost savings and avoidance. Further, officials stated that they plan to develop a segmented approach to rationalizing the portfolio of IT investments, including systems and applications. We plan to follow up with the department to determine the expected time frame for completing these actions.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Director of the National Science Foundation should direct the CIO to consistently document evaluations for all applications and report cost information for them in the roadmap or other documentation.

    Agency: National Science Foundation
    Status: Open

    Comments: In June 2017, agency officials stated that they plan to take steps to ensure cost information is consistently documented for applications by the end of 2017. We will continue to monitor the agency's efforts.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    18 open recommendations
    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. Instead, we are reviewing the relevant OMB memoranda that officials believe address the intent of the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with the FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with the recommendation, stating that the department's policy documents are expected to be updated by the end of the 4th Quarter in 2017. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) did not concur with our recommendation, nor has it provided evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning, implementing, evaluating, and documenting remedial actions.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain Departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of State
    Status: Open

    Comments: The Department of State (State) concurred with this recommendation. We are currently reviewing the evidence provided by State to determine whether the role of the CISO has been defined in its policy for ensuring that State has procedures for incident detection, response, and reporting.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to ensure recovery and continued operations of the agency's information systems in the event of a disruption.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. We are currently reviewing the evidence provided by NASA to determine whether the role of the SAISO has been defined in agency policy for oversight of security for information systems that are operated by contractors on NASA's behalf.
    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration (SBA) concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    8 open recommendations
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to track and review OI&T historical workforce data and projections related to leadership retirements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T's Human Capital Management Office (HCM) had completed a succession planning project that encompassed all senior leadership and included data review and risk assessment for each position. VA also stated that OI&T tracks the gains and losses associated with its leadership positions and provided this information for fiscal year 2016. However, the department has not provided documentation that supports the assertion that historical and projected OI&T leadership retirement data was presented and discussed as part of the succession planning project and did not provide data on projected retirements for OI&T's leadership positions. Additionally, the department stated that OI&T HCM has the ability to project retirement eligibility but has not provided documentation to support this assertion. It is important that VA tracks and reviews its OI&T historical workforce data and forecasts its leadership retirements to avoid being unprepared to effectively respond to vacancies in key leadership positions.
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to identify IT skills needed beyond the current fiscal year to assist in identifying future skills gaps.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that Information Technology Workforce Development (ITWD) will produce reports that identify skill gaps and will contain long-term recommendations that show the types of IT skills each organization needs to increase and which proficiency level targets need the most emphasis. As of July 2017, VA stated that ITWD reviewed, and updated where needed, the fiscal year 2017 competencies within each OI&T competency model role in order to align the models to the OI&T Transformation initiative. According to the department, the resulting updates support learning solutions that sustain and accelerate OI&T's transformation. Additionally, VA stated that 85 percent of OI&T staff completed a validated competency self-assessment and provided the OI&T fiscal year 2017 Training Gap Analysis Report which shows the strengths and gaps of OI&T by organization, trends between fiscal years 2016 and 2017, findings, next steps, and recommended actions for the next fiscal year. The department also stated that ITWD held meetings to review skill gap and learning solution reports. VA provided these reports and they present the top gaps and strengths, key findings, and next steps to address the skill gaps. While the department has taken these actions, its OI&T Training Gap Analysis Report does not identify IT skills needed beyond fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project planning, to include (1) estimating the level of effort that will need to be expended for work products and tasks, and (2) making adjustments to the project plan to reconcile differences between estimated and available resources.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and stated that OI&T is documenting changes to processes related to project planning as it transitions from PMAS to the Veteran-Focused Integration Process (VIP). According to VA, the VIP processes will lead to better requirements elaboration and prioritization, significantly increasing the accuracy of estimates related to level of effort. Additionally, the department stated that by using short Agile sprints, the project team will be able to adjust the project plan frequently to reconcile differences between estimated and available resources. As of July 2017, VA stated that all projects have transitioned to the VIP, which ensures they are incorporating the Agile methodology into the project lifecycle. According to the department, the latest version of its VIP Guide incorporates the use of daily scrum and weekly scrum of scrum meetings that can be used to frequently adjust the project plan to reconcile differences between estimated and available resources. VA stated that the project planning processes will continue to evolve beyond July and expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to requirements management, to include identifying changes to be made to plans and work products as a result of requirements baseline changes.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T is revising its documentation related to requirements management as part of the transition to the Veteran-Focused Integration Process (VIP). According to VA, requirements will be tracked using the IBM Rational Tools Suite, which will be able to provide a snapshot of the original baseline and all captured changes in the form of an audit trail that captures the history of requirement changes. As of July 2017, the department stated that all projects have transitioned to the VIP and that requirements baselines and subsequent changes are tracked in the Rational Tools Suite. VA also reported that efforts in fiscal year 2017 to consolidate all mandatory architectural, design, and process methodologies into a single library of requirements were successful, which resulted in combining the full body of requirements. Additionally, according to the department, versioning of the requirements will allow the office to trace specific versions of individual requirements and their evolution by time period and project inheritance. VA stated that it expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to risk management, to include (1) determining costs and benefits of implementing the risk mitigation plan for each risk and (2) collecting performance measures on risk handling activities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the IBM Rational Tools Suite will be used to manage risks and issues. According to VA, the tools suite will allow requirements to be linked to risks, which will provide traceability; teams will be able to track and report steps taken to mitigate risks; and an audit trail will show the history of changes made to each risk. The department also reported that the Office of Privacy and Risk will establish risk mitigation strategies for OI&T. As of July 2017, VA stated that risk data capture has been developed as a standardized process and that data on project and program risks in the Rational Tools Suite is aggregated and prepared for use to verify aggressive management, and will be included in enterprise reporting. The department stated that work is underway with the Performance Management Office and that OI&T expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project monitoring and control, to include the 10 best practices that were missing from the guidance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that implementation of the Veteran-Focused Integration Process (VIP) and Agile processes within OI&T will address eight of the ten best practices related to project monitoring and control that were missing from its guidance. In regard to monitoring the knowledge and skills of project staff, OI&T's IT Workforce Development (ITWD) group collects and analyzes competency assessment data, which is used in requirements gathering meetings with OI&T leaders. According to VA, during these meetings organizational needs and next steps are discussed in detail. Additionally, the department's latest version of its VIP Guide states that the product team should be cross-functional and include all skills needed to deliver a product. Further, the department reported that data management activities, issues, and impacts will be managed using VIP, Agile, and the IBM Rational Tools Suite. According to its VIP Guide, OI&T expects that all products follow the Agile product management process and use the Rational Tools Suite to manage scheduled product sprints and backlog, product requirements, risks and issues, and product planning and engineering documentation, among others. Also, VA stated that Agile methodologies will require stakeholders to be involved in the daily scrum meetings, user acceptance testing, and acceptance of deliverables, which will address stakeholders being involved regularly and documenting the results of stakeholder involvement status reviews. According to the VIP Guide, the Agile development methodologies require development teams to meet often with stakeholders to ensure transparency and foster a collaborative work environment. Additionally, the department stated that critical decision events are using Rational-based data assessments to report on the level of satisfaction of project controls and process compliance requirements. Further, according to the VIP Guide, the Product Owner will have a key role in the decision-making process during the development of the product and will be able to regularly express concerns and/or approvals to best meet user satisfaction. The department stated that critical decision events are being held at the portfolio level, and action items from these events are being tracked. VA provided meeting minutes from critical decision events that were held in October and December 2016. The December 2016 meeting minutes identified action items and the status of those items. Although VA has taken actions to address the majority of best practices related to project monitoring and control, the department's new VIP process does not include two practices that call for (1) tracking expended effort and (2) monitoring the utilization of staff and resources. Until OI&T's documented processes for project monitoring and control fully reflect best practices, the office is at risk that its projects will not achieve expected results.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to process and product quality assurance, to include (1) documenting a description of the quality assurance reporting chain and defining how objectivity will be ensured, and (2) periodically reviewing open noncompliance issues and trends with management that is designated to receive and act on them.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of the Veteran-Focused Integration Process (VIP), Agile processes, and the Rational Toolset within OI&T will address process and product quality assurance. According to VA, as a part of VIP, the Product Owner is engaged from intake through project completion, which will ensure that the quality of the product is maintained throughout the life cycle. Additionally, the department reported that the process of periodically reviewing open non-compliance issues and trends with management that is designated to receive and act on them will be accomplished through CIOStat meetings held with OI&T senior leadership. VA also reported that the Rational Quality Manager tool is used to automate routine testing activities to identify non-compliance issues and trends. As of July 2017, the department stated that the Product Owner is beginning to have a stronger role on the project team, which enables them to assist in all types of issues, including quality assurance. VA also stated that Release Agents develop and distribute Release Readiness Reports, which provide a status of all release requirements and of traceability among requirements, deliverables, and test results. VA expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project scheduling, to include the 9 best practices that were missing from the guidance and revise the documented processes where the guidance was contrary to best practices.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of VIP and Agile processes within OI&T will address five of the nine best practices related to project scheduling that are missing from its guidance. According to VA, business and compliance requirements will be captured during the planning phase and maintained in the IBM Rational Tools Suite to manage scheduled project/product builds and backlog, which will allow the project to more accurately maintain the schedule baseline, capture all schedule changes, and provide an audit trail of all the changes. Additionally, the department reported that the IBM Rational Tools Suite connects requirements, change orders, test cases, and test results in order to have full traceability in a closed loop system. VA also noted that the use of short development builds within Agile increases the probability of successful adherence to the schedule, and that Agile provides the flexibility to make schedule changes using the backlog to prioritize requirements. As of July 2017, VA stated that Project Build Planning sessions capture and prioritize all backlog items, with high-level activities captured in the VIP Dashboard, and that each project task receives an estimated duration. The department also stated that the project team commits to a high-level scope for each build and then the scope is solidified and committed to in detail at each Sprint Plan. According to VA, at the end of each sprint the Product Owner accepts or rejects the product of what was committed to at Sprint Planning. The department also stated that there is a high-level commitment at the Critical Decision 1 meeting; that each build gets committed to at a more granular level; and that sprint planning includes establishing a firm commitment for exactly what will be completed during the sprint. The department further stated that part of the Agile process being used by OI&T removes rigid, mandatory constraints as long as project teams follow compliance epics. Additionally, the department reported that because of the use of Agile methodology, if a task is critical today, the project team can reprioritize and address the needs of the project immediately. According to VA, Agile supports both sustainment and development projects by allowing changes to the project backlog to address high priority functionality. VA also stated that Agile allows flexibility to shift from one build to another based on priorities and to shift backlog items based on VIP Triad priorities. Additionally, according to the department, risks are managed in the Rational Tools Suite and impediments are raised and escalated during daily scrums and scrum-of-scrums calls. The VIP Guide indicates that product teams are required to make timely updates to the VIP Dashboard regarding schedule and that the Rational Tools Suite will be used to manage and administer source control and baselines; manage risks and issues; and manage scheduled product sprints and backlogs. However, the VIP Guide does not include practices to (1) document that each project task should receive a duration estimate; (2) require that the project schedule be traceable horizontally and vertically; (3) sequence all activities; and (4) confirm that the critical path is valid. Until OI&T's documented processes for developing schedules fully reflect best practices, the office is at risk that schedules created for its projects will not be reliable.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to update the CEDCAP program office cost estimate to reflect the current status of the program as soon as appropriate information becomes available.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In May 2017, the Census Bureau provided summary documentation that included the fiscal year 2015 through 2021 estimated lifecycle costs for the Census Enterprise Data Collection and Processing (CEDCAP) program; however, this information lacked the level of detail needed to determine whether the cost estimate reflects the current status of the program. In addition, in June 2017, the Bureau developed a draft version of the CEDCAP Cost Analysis Requirements Description (CARD), which included descriptions of technical and programmatic features of the program and is intended to serve as the basis for preparing the Program Office Estimate and the Independent Cost Estimate. However, as of August 2017, the CARD had not yet been finalized. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to define, document, and implement a repeatable process to establish complete alignment between CEDCAP and 2020 Census programs by, for example, maintaining a single dependency schedule.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of a single dependency schedule, including the need to manually identify activities, the inability to be dynamically responsive to change, and a limited ability to ensure that both the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census programs are planning and measuring their activities according to the same agreed-upon time frame. However, as of August 2017, the Bureau had not yet established a single dependency schedule to ensure complete alignment between the CEDCAP and 2020 Census programs. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to establish a comprehensive and integrated list of all interdependent risks facing the CEDCAP and 2020 Census programs, and clearly identify roles and responsibilities for managing this list.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of an integrated risk register, including inconsistencies in tracking and managing interdependent risks, redundant efforts to manage risks, and potentially conflicting risk mitigation efforts. As of August 2017, the Census Bureau had not yet developed an integrated risk register for the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census programs or documented the roles for managing it. Instead, Bureau officials stated that they flag risks in the risk register that affect both programs. However, as of August 2017, the Bureau had not provided evidence that relevant risks for both programs are flagged in the risk registers. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to identify when the 74 requirements related to redistricting data program and data products and dissemination will be tested.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In June 2017, Census Bureau officials stated that, as part of the 2018 End-to-End Census Test, program-level integration testing of the requirements related to the redistricting program and the data products and dissemination are planned to occur from April 3, 2018, to August 1, 2018. However, as of August 2017, the Bureau had not provided supporting documentation for its plans for program-level integration testing of the requirements related to the redistricting program and data products and dissemination. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to make developing a better understanding of and identifying requirements related to non-ID response validation a high and immediate priority, or consider alternatives to avoid late definition of such requirements.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In April 2017, the Census Bureau documented high-level milestones related to implementing a fraud detection process in an initial effort to better understand non-ID response validation. However, as of August 2017, the Bureau had not finalized the fraud detection process or documented milestones for implementing the non-ID response validation process. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition, OMB provided limited access to a document describing best practices for federal security operations centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to establish a plan to address the limitations in the program's efforts to test security controls, including ensuring that any changes in the system's inventory do not materially affect test results.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address the limitations we identified in the program's efforts to test security controls. NOAA's plan outlines several actions, and the agency plans to complete these actions by summer 2017. We will continue to evaluate NOAA's progress in implementing its planned actions.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to, when establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address it. This plan includes multiple actions that are to be completed by the end of July 2017. We will continue to evaluate NOAA's progress.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to ensure that the agency and program are tracking and closing a consistent set of incident response activities.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has made progress in addressing it. Specifically, NOAA developed a pilot of a new incident tracking and reporting system to manage its response activities. NOAA plans to complete additional steps to implement this recommendation. We will continue to evaluate NOAA's progress in addressing this recommendation.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to evaluate the costs and benefits of different launch scenarios for the Polar Follow-on program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with this recommendation and provided some documentation on its efforts to evaluate different launch scenarios. However, the agency has not yet provided all of the documentation needed to confirm that this recommendation has been addressed. We continue to work with NOAA to obtain and review the documentation needed to address this recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document artifacts that support recommendation closure consistent with SEC policy.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document a comprehensive physical inventory of the systems and applications in the production environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During our audit of its FY 2017 financial statements, IRS submitted this recommendation for closure, but our testing determined that it should remain open. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to define procedures for overseeing state-based marketplaces, to include day-to-day activities of the relevant offices and staff.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency concurred with the recommendation and stated that it plans to implement it. Subsequent to the agency informing us that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to require continuous monitoring of the privacy and security controls over state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency concurred with the recommendation and stated that it plans to implement it. Subsequent to the agency informing us that it has taken action, we plan to verify whether implementation has occurred.
    Director: Cindy Brown Barnes
    Phone: (202) 512-7215

    1 open recommendation
    Recommendation: The Chairman of the National Mediation Board should develop and implement written policies and processes to reflect the agency's current procurement environment.

    Agency: National Mediation Board
    Status: Open

    Comments: In April 2016, NMB indicated it was reviewing its procurement policies and would develop and implement new policies that reflect the outsourced procurement environment in which the agency is now operating. It anticipated that the drafting of these new policies would be completed in fiscal year 2017. In February 2017, GAO began another review of NMB. The status of this recommendation will be updated at the conclusion of that review, estimated for 2018.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
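    The recommendation above asks for intrusion detection that flags deviations from normal network behavior baselines rather than relying only on signatures. As an added illustration of what such a baseline check looks like in practice (this is example code, not part of the GAO page and not a description of how NCPS or its pilot works), the script below builds a per-host baseline from a week of constructed flow summaries and scores a new observation against it. The host addresses, feature names, thresholds and the variance floor are all assumptions chosen for the example.

```python
"""Baseline-deviation detection over constructed per-host flow summaries.

Added example: not from the GAO page and not a model of the NCPS program.
Records, host names, features and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (host, hour_index, bytes_out, distinct_dst_ports)
# One week of hourly summaries for two hosts with stable, repeating behavior.
HISTORY = [
    ("10.0.1.5", h, 50_000 + (h % 7) * 1_000, 3 + (h % 2)) for h in range(24 * 7)
] + [
    ("10.0.1.9", h, 120_000 + (h % 5) * 4_000, 5) for h in range(24 * 7)
]


def build_baseline(history):
    """Per-host mean, population stddev and sample count for each feature."""
    per_host = defaultdict(lambda: defaultdict(list))
    for host, _hour, bytes_out, ports in history:
        per_host[host]["bytes_out"].append(bytes_out)
        per_host[host]["dst_ports"].append(ports)
    baseline = {}
    for host, feats in per_host.items():
        baseline[host] = {
            name: (mean(vals), pstdev(vals), len(vals)) for name, vals in feats.items()
        }
    return baseline


def score(observation, baseline, z_threshold=4.0, min_samples=24):
    """Return [(feature, z_score), ...] for features that deviate from baseline.

    A host with no baseline, or with too little history, is reported as
    'no_baseline' instead of being silently treated as normal. A variance
    floor (assumed: 5% of the mean, at least 1.0) keeps a near-constant
    feature from producing a huge z-score on a trivial absolute change.
    """
    host, _hour, bytes_out, ports = observation
    feats = {"bytes_out": bytes_out, "dst_ports": ports}
    if host not in baseline:
        return [("no_baseline", None)]
    deviations = []
    for name, value in feats.items():
        mu, sigma, n = baseline[host][name]
        if n < min_samples:
            return [("no_baseline", None)]
        sigma = max(sigma, 0.05 * mu, 1.0)  # variance floor (assumption)
        z = (value - mu) / sigma
        if abs(z) >= z_threshold:
            deviations.append((name, round(z, 2)))
    return deviations


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed current-hour observations: one exfil-like burst, one normal, one unknown host.
    for obs in [("10.0.1.5", 200, 500_000, 40),
                ("10.0.1.5", 200, 54_000, 4),
                ("10.0.9.9", 200, 1_000, 1)]:
        print(obs[0], score(obs, base))
```

    The point of the `no_baseline` path is that a behavioral detector has a cold-start problem a signature engine does not: a new or rarely seen host is exactly where silent "normal" classification is most dangerous, so the absence of a baseline should be surfaced rather than swallowed.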
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that the agency is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, the viability of those options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, the viability of those options, and how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing studies DHS has related to SCADA and encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed and refined, and was baselining, a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value of cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
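    Two of the recommendations above concern measurement: the notification recommendation asks that customer agencies be sent incident notifications and give feedback on their usefulness and timeliness, and the metrics recommendation asks for measures of the quality, efficiency and accuracy of detection and notification. The following is an added example (not GAO's or DHS's code, and not the measures CS&C developed) of how a small set of such metrics can be computed from an alert log once agencies record a disposition for each alert: precision of alerts, recall against the confirmed incident population, the share of alerts that were actually notified, and median time from detection to notification. The alert identifiers, timestamps and dispositions are constructed; the field layout is an assumption.

```python
"""Effectiveness metrics for an intrusion detection and notification service.

Added example: not from the GAO report and not the NCPS program's measures.
Alert and incident records are constructed; the record layout is assumed.
"""
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2017, 2, 1, 0, 0)  # constructed reference time for the sample

# Constructed alert log: (alert_id, detected_at, notified_at, confirmed)
# 'confirmed' is the customer agency's disposition after investigation;
# notified_at is None when a notification was never sent.
ALERTS = [
    ("A1", T0, T0 + timedelta(minutes=20), True),
    ("A2", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=45), False),
    ("A3", T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=10), True),
    ("A4", T0 + timedelta(hours=3), None, True),   # detected but never notified
    ("A5", T0 + timedelta(hours=4), T0 + timedelta(hours=4, minutes=30), False),
]

# Constructed set of incidents agencies confirmed, including one (I9) that
# was found by other means and had no corresponding alert.
INCIDENTS = {"A1", "A3", "A4", "I9"}


def metrics(alerts, incidents):
    """Return precision, recall, notified share and median notify delay (minutes).

    precision: confirmed alerts / all alerts (accuracy of what is sent)
    recall:    confirmed incidents that had an alert / all confirmed incidents
    notified_share: alerts for which a notification actually went out
    median_notify_minutes: detection-to-notification delay, notified alerts only
    """
    confirmed = [a for a in alerts if a[3]]
    detected_ids = {a[0] for a in confirmed}
    precision = len(confirmed) / len(alerts) if alerts else 0.0
    recall = len(detected_ids & incidents) / len(incidents) if incidents else 0.0
    delays = [
        (notified - detected).total_seconds() / 60
        for _, detected, notified, _ in alerts
        if notified is not None
    ]
    notified_share = len(delays) / len(alerts) if alerts else 0.0
    return {
        "precision": round(precision, 3),
        "recall": round(recall, 3),
        "notified_share": round(notified_share, 3),
        "median_notify_minutes": median(delays) if delays else None,
    }


if __name__ == "__main__":
    for name, value in metrics(ALERTS, INCIDENTS).items():
        print(f"{name}: {value}")
```

    Recall is the metric that cannot be computed from the sensor alone: it needs the agencies' own incident records, which is why the feedback loop in the notification recommendation is a precondition for the accuracy measure in the metrics recommendation.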
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for an update on the status of the data correlation, once available. In order to close this recommendation, we would need to review the resulting correlation and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
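    The recommendation directed at US-CERT (using vulnerability data such as CDM output as an input to signature development) and the one above directed at NSD (a risk-based, vulnerability-informed selection of prevention capabilities) both come down to the same correlation: which vulnerable software actually present on customer networks has no detection or prevention coverage, and how exposed it is. The following is an added example of that correlation (not GAO's or DHS's code, and not a model of the CDM dashboard or the CDM/NCPS data correlation DHS described). The findings, product names and signature IDs are constructed, and the exposure weighting is an assumption.

```python
"""Risk-based prioritization of signature work from vulnerability inventory data.

Added example: not from the GAO page and not a model of CDM or NCPS.
Findings, product names, signature IDs and the weighting are constructed.
"""
from collections import defaultdict

# Constructed vulnerability findings, in the shape a scanner export might provide.
FINDINGS = [
    {"host": "web-01",  "product": "acme-httpd 2.1", "cvss": 9.8, "internet_facing": True},
    {"host": "web-02",  "product": "acme-httpd 2.1", "cvss": 9.8, "internet_facing": True},
    {"host": "app-07",  "product": "orm-lib 4.0",    "cvss": 7.5, "internet_facing": False},
    {"host": "mail-01", "product": "mta-x 1.9",      "cvss": 8.1, "internet_facing": True},
    {"host": "db-03",   "product": "sqlsrv 12",      "cvss": 6.5, "internet_facing": False},
]

# Constructed signature catalog: which vulnerable product each deployed signature covers.
SIGNATURES = [
    {"sid": 1000001, "product": "mta-x 1.9"},
    {"sid": 1000002, "product": "sqlsrv 12"},
]


def exposure(finding, external_weight=2.0):
    """Weight severity by reachability (assumed: internet-facing counts double)."""
    weight = external_weight if finding["internet_facing"] else 1.0
    return finding["cvss"] * weight


def prioritize(findings, signatures):
    """Aggregate findings per product and rank them for signature work.

    Products with no covering signature sort first, then by total exposure,
    so the top rows are the detection gaps that matter most.
    """
    coverage = defaultdict(list)
    for sig in signatures:
        coverage[sig["product"]].append(sig["sid"])

    agg = defaultdict(lambda: {"hosts": set(), "exposure": 0.0})
    for f in findings:
        agg[f["product"]]["hosts"].add(f["host"])
        agg[f["product"]]["exposure"] += exposure(f)

    rows = [
        {
            "product": product,
            "hosts": sorted(v["hosts"]),
            "exposure": round(v["exposure"], 1),
            "covered_by": sorted(coverage.get(product, [])),
        }
        for product, v in agg.items()
    ]
    rows.sort(key=lambda r: (bool(r["covered_by"]), -r["exposure"]))
    return rows


def signature_gaps(findings, signatures):
    """Products with findings but no signature, most exposed first."""
    return [r["product"] for r in prioritize(findings, signatures) if not r["covered_by"]]


if __name__ == "__main__":
    for row in prioritize(FINDINGS, SIGNATURES):
        status = "covered" if row["covered_by"] else "GAP"
        print(f'{status:7} {row["product"]:16} exposure={row["exposure"]:5} hosts={row["hosts"]}')
```

    The same ranking serves both recommendations: the gap list is the signature backlog for US-CERT, and the exposure-weighted totals are the risk input NSD would use when deciding which prevention capability to build next.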
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: Lawrance Evans
    Phone: (202) 512-8678

    4 open recommendations
    Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

    Agency: Congress
    Status: Open

    Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of October 2016, Congress had not granted NCUA such authority.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In September 2015, OCC stated that it is taking two actions to respond to our recommendation. First, the agency is integrating the Cybersecurity Assessment Tool (Tool), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations. Officials believe that the Tool will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, the Tool will help OCC allocate examiner resources and better target examiner training. OCC began integrating the Tool in selected examinations in December 2015. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the enhancements will facilitate systematic categorization of supervisory concerns that strengthens recording, monitoring, and analyzing of volumes and trends across bank portfolios. Also, the enhanced guidance discusses the relationship between MRAs, interagency ratings, OCC's risk assessment system, and enforcement actions. OCC believes that these process enhancements, combined with the integration of the Tool, will improve its ability to assess information security practices at medium and small institutions. We will continue to monitor OCC's progress in implementing the Tool and the resulting trend analyses that the Tool is intended to facilitate.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Federal Reserve System
    Status: Open

    Comments: In July 2015, we recommended that the Board of Governors of the Federal Reserve System (Board) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. As of October 2016, the Board had not provided an update on its efforts to address this recommendation.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: National Credit Union Administration
    Status: Open

    Comments: In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In July 2016, NCUA told us that it and the other federal financial institution regulators issued the Cybersecurity Assessment Tool (Tool) in June 2015 to provide a comprehensive method for institutions to benchmark their cybersecurity programs. Officials believe that the Tool will allow examiners to consistently and methodically look at credit union risks and trends, as well as collect detailed information on the risks and mitigating controls employed by credit unions. When the Tool is fully implemented, officials expect to be able to aggregate risk indicators and program gaps across the credit union industry to improve resource deployment and enhance cybersecurity supervisory oversight. NCUA plans to begin pilot testing the Tool in late 2016 with program integration targeted for July 2017. We will continue to monitor NCUA's progress with this program and revisit our recommendation in July 2017.
    Director: Clark, Cheryl E
    Phone: (202) 512-9377

    6 open recommendations
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to develop and implement agency-wide procedures to routinely monitor the accuracy of penalties recorded in taxpayer accounts to timely detect and correct errors.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During fiscal year 2015, IRS conducted a trial quality review to evaluate the accuracy of penalty assessments recorded in a sample of taxpayer accounts and took action to address the errors it identified. Based on its trial review, IRS developed procedures for performing this type of review in June 2016 and informed us that it would formalize procedures in the IRM to include routine monitoring and testing of the accuracy of penalty assessments in taxpayer accounts. However, as of September 30, 2016, IRS had not implemented these procedures or documented them in the IRM. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine the reason(s) why taxpayer assistance centers (TAC) managers and personnel did not consistently comply with existing Internal Revenue Manual (IRM) requirements that TAC managers and personnel (1) perform and document reviews of the Follow-Up Review Log by the last day of the following month, (2) maintain control copies of transmittal forms, and (3) ship taxpayer receipts and information via traceable overnight mail and, based on this determination, establish a process to better enforce compliance with these requirements.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that it has performed a study of the causes of noncompliance with the IRM requirements and will complete all related corrective actions by May 2017. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should update the IRM to require managers to reconcile transmittal forms with the Follow-Up Review Log to reasonably assure that personnel are properly entering transmittal forms into the log and are appropriately documenting follow-up on unacknowledged transmittals of taxpayer receipts and information.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: While IRS updated the IRM in April 2016 to require TAC managers to (1) perform a semiannual reconciliation of document transmittal forms to the associated Follow-Up Review Log to monitor employee compliance with IRM requirements and (2) document this reconciliation on Form 14698, Field Assistance Taxpayer Assistance Centers Remittance and Non-Remittance Log Reconciliation, our fiscal year 2016 audit testing identified instances where the use of the form was not fully implemented at the TACs we visited. Further, we continued to identify instances where TAC employees did not always (1) track document transmittals on the Follow-up Review Log and (2) follow up on late acknowledgments timely. In one instance, we found that TAC personnel did not document on the log the actions that were taken for a package that was lost; however, the manager had completed a review of the Follow-up Review Log. We will continue to evaluate the results of IRS's corrective actions during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish a process to ensure that the requirement for unauthorized access awareness training is explicitly communicated to non-IRS contractors who have unescorted access to IRS facilities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will partner with FPS and GSA to establish a process to help ensure that all contractors who require unescorted access are first approved for interim or final staff-like access and complete mandatory information protection and security awareness training within 10 business days of approved staff-like access. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish procedures to monitor whether non-IRS contractors with unescorted physical access to IRS facilities are receiving unauthorized access awareness training.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will send out a communication to its FMSS field offices that will include SOPs for monitoring training and acquiring unauthorized access awareness training documentation for each non-IRS contract employee. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine why staff did not consistently comply with IRS's existing requirements for the final candling of receipts at service center campuses and lockbox banks, including logging remittances found during final candling on the final candling log at the time of discovery, safeguarding the remittances at the time of discovery, transferring the remittances to the deposit unit promptly, and passing one envelope at a time over the light source, and based on this determination, establish a process to better enforce compliance with these requirements.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will identify and analyze the risks associated with candling at the SCCs and lockbox banks, along with any mitigating factors, to determine if further actions are warranted. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Dalkin, James R
    Phone: (202) 512-3133

    1 open recommendation
    Recommendation: The U.S. Securities and Exchange Commission should direct the COO and CFO to implement controls, such as periodic reviews of asset dispositions, to help reasonably assure that SEC's procedures for the preparation and maintenance of documentation related to the disposition of assets are consistently implemented and that any deviations from established procedures are documented.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: SEC Officials are still working on corrective actions as of the end of fiscal year 2016. We will follow up on this recommendation during our fiscal year 2017 SEC financial statement audit.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: To improve the effectiveness of OMB streamlining efforts and ensure agency CIOs are better able to carry out their responsibilities in managing IT, including implementing OMB's IT reform initiatives, the Director of OMB should direct the Federal CIO, in collaboration with agency CIOs, to ensure there is a common understanding with agency CIOs on the priority of the current reporting requirements and related IT reform initiatives. This should include addressing underlying reasons cited by CIOs regarding the usefulness of requirements, including when department priorities are reportedly different than OMB's and the burdensome and duplicative nature of requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) neither agreed nor disagreed with our recommendation. Subsequently, OMB has taken steps to address some aspects of our recommendation. Specifically, in January 2017, OMB worked with the Chief Information Officer (CIO) Council to issue a report entitled "State of Federal Information Technology (SOFIT)," which outlined current IT trends and their key challenges and made recommendations to improve implementation efforts. Notably, the report also identified differences in priorities between OMB and agency CIOs on key IT reform initiatives and the need for improved reporting requirements. In addition, in June 2017, OMB staff reported that they had met with the CIO and head of each agency in spring 2017 regarding their priorities and challenges. While these are positive steps toward ensuring a common understanding of these initiatives and reporting requirements, OMB still needs to take action to address the underlying reasons for these differences in priorities and to reduce burdensome and duplicative requirements. Until OMB takes action in these areas, there is a risk that key IT reform initiatives may not fully succeed. We will continue to evaluate OMB's progress in addressing our recommendation.
    Director: Joel C. Willemssen
    Phone: (202) 512-6253

    22 open recommendations
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to address, this recommendation. Specifically, according to Library officials, they have developed a schedule and processes for developing an architecture that describes the current and target IT environments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in July 2016 the Library engaged the Office of Personnel Management (OPM) to develop and conduct a skills assessment of the Library's IT workforce. According to Library officials, OPM led a focus group with IT specialists to review and revise competency and skill lists for IT positions. In June 2017, OPM administered a gap analysis survey to all IT specialists, supervisors, managers, and leaders within the Library. According to Library officials, the Library is developing a strategy for closing gaps identified in the survey results. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture. Additionally, in February 2017, the Library provided us with IT investment proposals for 19 fiscal year 2017 investments. To the Library's credit, the proposals describe how many of the investments align with the IT strategic plan and enterprise architecture. However, we also identified instances where the alignment with the IT strategic plan and enterprise architecture was not included in the proposals or was not clearly defined. In a written response, the Library stated that the inconsistencies were attributable to manual processes for collecting the information and that it is working to make improvements to these processes for the fiscal year 2018 investments. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals, including those associated with operational investments, are to be reviewed annually by the Architecture Review Board, the IT Steering Committee, and the Executive Committee, and then approved by the Librarian. The Library plans to implement these procedures for reselecting investments by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, the Executive Committee is responsible for finalizing and recommending IT investment proposals that request increases to the Library's appropriations in future budget years. The Library plans to implement these procedures by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals, including those associated with operational investments, are to be reviewed annually by the Architecture Review Board, the IT Steering Committee, and the Executive Committee, and then approved by the Librarian. The Library plans to ensure that these governance bodies review all IT investments by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. The Library is revising its asset management policy to improve its process for developing and maintaining its inventory of IT assets. Additionally, the Office of the CIO engaged a contractor to perform a full inventory of its IT assets in September 2017. Further, the Library is working to reconcile the results of this IT asset inventory with the information in its asset management system. The Library plans to complete the steps necessary to implement this recommendation by March 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include key practices on portfolio management. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for risk management. Further, the Project Management Office developed risk management guidance that includes key risk management practices. In addition, we are reviewing documentation for three key IT projects to evaluate the implementation of this guidance. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office has finalized detailed guidance for the Library on requirements development. We are reviewing this information to determine the extent to which the guidance includes key practices for requirements development. In addition, we are reviewing documentation for three key IT projects to evaluate the implementation of this guidance. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, the Project Management Office has finalized detailed guidance for the Library on developing cost estimates. However, the guidance does not address all key practices for developing cost estimates. In December 2017, Library officials told us that they have additional guidance on cost estimating, which they will provide to GAO. In addition, we are reviewing documentation for three key IT projects to evaluate the implementation of this guidance. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, the Project Management Office has finalized detailed guidance for the Library on developing and maintaining schedules. However, the guidance does not address all key practices for developing and maintaining schedules. In December 2017, Library officials told us that they have additional guidance on schedule development, which they will provide to GAO. In addition, we are reviewing documentation for three key IT projects to evaluate the implementation of this guidance. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Information Technology Security Group reviewed all system security plans to ensure that they are complete. After the completion of this review, in August 2017 the Library provided us with system security plans for nine key systems. To its credit, the plans describe many of the common controls (i.e., controls that a system inherits from another system or from the Library-wide information security program rather than implementing itself) on which the systems relied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented by the system, are inherited from another system, or are not being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Library's Information Technology Security Group reviewed all system security plans to ensure that they are complete. After completing this review, in August 2017 the Library provided us with system security plans for nine key systems. Each of the plans generally includes descriptions of how security controls are implemented and justifications for why controls are not applied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
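The defects described in the two findings above (a control recorded as both implemented by the system and inherited from another, an inherited control with no named provider, a control marked not applicable without a justification) can be checked mechanically once system security plans are kept in structured form, and the same index lets an assessor confirm that an inherited control is actually implemented by the system it is inherited from. The following is an added example, not the Library's, GAO's or NIST's tooling; the record layout, the status vocabulary and the two sample plans are constructed assumptions.

```python
"""Consistency checks over system security plan (SSP) control records.

Added example; not Library of Congress, GAO or NIST tooling. The record
layout (control id, status, provider, description, justification) is an
assumption loosely modelled on a control implementation summary, and the
sample plans at the bottom are constructed.
"""
from collections import defaultdict

# Assumed status vocabulary for one control entry in a plan.
IMPLEMENTED = "implemented"          # the system implements the control itself
INHERITED = "inherited"              # common control provided by another system
NOT_APPLICABLE = "not_applicable"    # control tailored out; needs a justification
PLANNED = "planned"
VALID_STATUSES = {IMPLEMENTED, INHERITED, NOT_APPLICABLE, PLANNED}


def check_plans(plans):
    """plans: {system_name: [entry, ...]}, each entry a dict with keys
    'control', 'status' and optionally 'provider', 'description',
    'justification'. Returns a sorted list of (system, control, finding)."""
    findings = []

    # Index the controls each system claims to implement itself, so an
    # "inherited from X" claim can be checked against X's own plan.
    implemented_by = defaultdict(set)
    for system, entries in plans.items():
        for e in entries:
            if e.get("status") == IMPLEMENTED:
                implemented_by[system].add(e["control"])

    for system, entries in plans.items():
        statuses_seen = defaultdict(set)  # control id -> statuses claimed for it
        for e in entries:
            cid, status = e["control"], e.get("status")
            if status not in VALID_STATUSES:
                findings.append((system, cid, f"unknown status {status!r}"))
                continue
            statuses_seen[cid].add(status)
            if status == IMPLEMENTED and not e.get("description"):
                findings.append((system, cid, "implemented but no implementation description"))
            elif status == NOT_APPLICABLE and not e.get("justification"):
                findings.append((system, cid, "not applicable but no justification"))
            elif status == INHERITED:
                provider = e.get("provider")
                if not provider:
                    findings.append((system, cid, "inherited but no provider named"))
                elif provider not in plans:
                    findings.append((system, cid, f"inherited from unknown system {provider!r}"))
                elif cid not in implemented_by[provider]:
                    # The provider's plan does not implement the control, so
                    # nobody is assessing it: the inheritance is hollow.
                    findings.append((system, cid, f"inherited from {provider!r}, which does not implement it"))
        # The conflict GAO describes: one plan claims two different statuses
        # (e.g. implemented locally and inherited) for the same control.
        for cid, statuses in statuses_seen.items():
            if len(statuses) > 1:
                findings.append((system, cid, "conflicting statuses: " + ", ".join(sorted(statuses))))
    return sorted(findings)


# Constructed sample: a general support system acting as common control
# provider, and an application that inherits from it (with planted defects).
SAMPLE_PLANS = {
    "GSS-Network": [
        {"control": "AU-2", "status": IMPLEMENTED, "description": "central syslog collection"},
        {"control": "PE-3", "status": IMPLEMENTED, "description": "badge-controlled server room"},
    ],
    "App-Catalog": [
        {"control": "AU-2", "status": INHERITED, "provider": "GSS-Network"},
        {"control": "PE-3", "status": INHERITED, "provider": "GSS-Network"},
        {"control": "AC-2", "status": IMPLEMENTED, "description": "quarterly account review"},
        {"control": "AC-2", "status": INHERITED, "provider": "GSS-Network"},  # conflicts with the line above
        {"control": "SC-13", "status": NOT_APPLICABLE},                       # missing justification
        {"control": "CP-9", "status": INHERITED},                             # no provider named
    ],
}

if __name__ == "__main__":
    for system, control, finding in check_plans(SAMPLE_PLANS):
        print(f"{system:12} {control:6} {finding}")
```

Running it on the sample lists four findings, all against App-Catalog: the AC-2 status conflict, AC-2 inherited from a provider that does not implement it, CP-9 inherited with no provider, and SC-13 tailored out with no justification. The inherited AU-2 and PE-3 entries pass because GSS-Network's own plan implements them, which is the cross-check an assessor needs before relying on an inherited control.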
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, in August 2015 the Library began monthly security testing and vulnerability scans for servers, networks, and workstations. Additionally, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in August 2017, the Library provided us with remedial action plans for key Library systems. The Library has generally documented and tracked remedial action plans for these key systems and has completed many. However, we also identified instances of remedial actions that, as of August 2017, had yet to be completed and were past their expected completion date. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including management of remedial action plans. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in October 2015 the Library finalized its guidance on security assessment and authorization, which requires authorizing officials to review the security status of information systems on an ongoing basis to determine whether the risk of operating the system remains acceptable. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in April 2017 the Library required that contingency plans be established for all systems by September 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. According to Library officials, the OCIO is developing a process to track user accounts, including contractors and volunteers, on Library systems to ensure completion of required annual IT Security Training. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in September 2016 the Library's Office of the CIO finalized a new service catalog that captures its IT services. The catalog identifies 21 categories of IT services that are available to Office of the CIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating to availability, fulfillment, and response. Additionally, between May 2016 and May 2017, the Office of the CIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for specialized applications and services that the Office of the CIO provides to those units. Further, the Library's Office of the CIO is developing a directive on its memorandums of understanding and plans to brief its customers on that directive in November 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Office of the Chief Information Officer has begun drafting a customer satisfaction improvement plan. The Library expects this plan to be finalized by December 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library is drafting several policies and directives relating to IT investment management, to include reviewing the Library's IT portfolio to identify duplicative or overlapping activities and investments. In addition, according to Library officials, the Library has taken a number of steps to reduce duplicative IT activities. For example, in March 2015 we reported that the Office of Security and Emergency Preparedness (OSEP) managed its own network independent of the Library's central IT provider. However, in June 2017 the Library reported that the Office of the CIO is now managing the OSEP network. Further, the Library plans to assess the costs and benefits of consolidating potentially duplicative email and network services identified in our March 2015 report. The Library plans to complete the steps necessary to implement this recommendation by March 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Director: Nancy R. Kingsbury
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented the recommendation, we will review its actions.
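The IRS recommendation above fixes a window of 5 business days after access is granted for a contractor's initial awareness training, and the Library of Congress recommendation earlier on this page calls for tracking whether every account holder on Library systems, including contractors and volunteers, has completed required annual training. Both reduce to date checks over access records, and the detail that matters in practice is the business-day arithmetic (a Thursday grant crosses a weekend before the fifth business day). The following added example is not IRS, Library of Congress or GAO tooling; the record layout, the 365-day refresher interval, the sample records and the omission of federal holidays from the business-day count are assumptions.

```python
"""Check security awareness training deadlines against account-access records.

Added example; not IRS, Library of Congress or GAO tooling. Each record is
assumed to carry the account name, the date system access was granted and
the dates of every completed training. The 5-business-day initial window is
the one named in the IRS recommendation; the 365-day refresher interval is
an assumption, and federal holidays are not modelled (also an assumption).
"""
from datetime import date, timedelta

INITIAL_WINDOW_BUSINESS_DAYS = 5
REFRESHER_MAX_AGE_DAYS = 365


def add_business_days(start, n):
    """Return the date n business days after start, skipping Saturdays and
    Sundays. Holidays are deliberately not modelled (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            n -= 1
    return d


def training_status(record, as_of):
    """Classify one account as of a given date:
    'pending'           - no training yet, but the initial window is still open
    'initial_overdue'   - no training and the initial window has closed
    'initial_late'      - first training completed after the initial deadline
    'refresher_overdue' - last training older than the refresher interval
    'ok'                - trained on time and refresher current"""
    deadline = add_business_days(record["access_granted"], INITIAL_WINDOW_BUSINESS_DAYS)
    dates = sorted(record["trainings"])
    if not dates:
        return "initial_overdue" if as_of > deadline else "pending"
    if dates[0] > deadline:
        # The control failed even if the person is trained today: the
        # requirement is about the window after access was granted.
        return "initial_late"
    if (as_of - dates[-1]).days > REFRESHER_MAX_AGE_DAYS:
        return "refresher_overdue"
    return "ok"


def report(records, as_of):
    """Map every account to its status; callers filter for anything != 'ok'."""
    return {r["account"]: training_status(r, as_of) for r in records}


# Constructed sample records (dates chosen so that weekends matter).
SAMPLE_RECORDS = [
    {"account": "jdoe", "kind": "employee", "access_granted": date(2016, 11, 14),
     "trainings": [date(2016, 11, 15), date(2017, 11, 10)]},
    {"account": "ctr-acme-01", "kind": "contractor", "access_granted": date(2017, 12, 28),
     "trainings": []},                                   # Thu grant; 5th business day is Thu 2018-01-04
    {"account": "vol-07", "kind": "volunteer", "access_granted": date(2018, 1, 8),
     "trainings": []},                                   # window still open on 2018-01-12
    {"account": "ctr-acme-02", "kind": "contractor", "access_granted": date(2017, 6, 5),
     "trainings": [date(2017, 6, 20)]},                  # trained, but 8 days past the deadline
    {"account": "asmith", "kind": "employee", "access_granted": date(2015, 3, 2),
     "trainings": [date(2015, 3, 3), date(2016, 3, 1), date(2016, 12, 15)]},  # refresher lapsed
]

if __name__ == "__main__":
    for account, status in report(SAMPLE_RECORDS, date(2018, 1, 12)).items():
        print(f"{account:12} {status}")
```

Evaluated as of 2018-01-12, the sample yields one account of each non-ok kind: ctr-acme-01 is overdue because its Thursday grant reaches the fifth business day on 2018-01-04, vol-07 is still pending because its window runs to Monday 2018-01-15, ctr-acme-02 trained late, and asmith's last refresher is 393 days old. Distinguishing "pending" from "overdue" keeps a new account from being reported as a violation before the window has actually closed.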
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it had not yet completed the actions needed to implement this recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA had provided partial documentation but not yet the evidence GAO needs to validate FAA's actions to establish a mechanism ensuring that all staff with significant security responsibilities receive appropriate role-based training. Once FAA provides additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS testing policy and has provided evidence indicating that it has made progress toward ensuring that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively. Subsequent to FAA providing additional evidence showing that its corrective actions have been fully implemented, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA had updated its NAS Remediation Management Plan to include new risk management processes for identified security weaknesses. However, it had not yet provided GAO the evidence needed to show that the agency has taken steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes. Once FAA provides additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to provide NCO with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to integrate network traffic flow data into NCO's ad-hoc query systems. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it plans to implement the recommendation by September 2017. As of July 2017, FAA has not yet provided sufficient evidence that it has acted to ensure that contingency plans for NAS systems are sufficiently documented and that tests of the plans address key plan elements. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of August 2017, FAA has provided GAO with its planned actions to provide NCO with security event log data for all IP-connected NAS systems, which indicate that the agency still plans to complete its actions by December 2018. We plan to validate these actions subsequent to FAA informing us that it has completed them.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    16 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the agency's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the agency's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. However, as of April 2017, OPM had not implemented the recommendation to develop, document, and implement oversight procedures to ensure that a system test is fully executed for each contractor-operated system. We will monitor OPM's efforts and validate OPM's actions when evidence discloses that the recommendation has been implemented.
    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We requested comments on a draft of this report from the Office of Management and Budget, but none were provided. In June 2017, OMB stated that its and DHS's annual reporting requirements now contain an expanded list of criteria for contractor-operated systems, including definitions in related guidance from the National Institute of Standards and Technology. However, although the reporting requirements call for agencies to report on their total number of contractor-operated systems, neither the requirements nor the related guidance clarifies which agency systems that have contractor relationships should be categorized as contractor-operated. The lack of clear instructions may continue to result in incomplete information regarding the number of contractor-operated systems within the government.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To improve the consistency and effectiveness of government-wide implementation of information security programs and privacy requirements at small agencies, the Director of OMB should include in the annual report to Congress on agencies' implementation of the Federal Information Security Management Act (FISMA): a list of agencies that did not report on implementation of their information security programs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise policies for incident response by including requirements for defining the incident response team's level of authority, and prioritizing the severity ratings of incidents for unclassified systems, based on impact.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise the department's incident response plan to include quantifiable metrics for measuring the incident response capability and its effectiveness.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should develop incident response procedures that provide instructions for prioritizing the handling of incidents by impact.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should ensure that all components test their incident response capability.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise policies for incident response by including requirements for defining the incident response team's level of authority, and establishing measures of performance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise the department's incident response plan to include metrics for measuring the incident response capability and its effectiveness.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should test the department's incident response capability.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should train the department's incident response personnel per the agency's requirements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but, as of April 2017, has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update access request policies and procedures to ensure that they contain sufficiently detailed information of access requests and access assignments to facilitate effective review and verification of appropriate access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS's FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Powner, David A
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: The Secretary of Health and Human Services should direct appropriate officials to assess whether it would be cost effective to consolidate the remaining functions of the Medicare coverage determination systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We contacted the department and are awaiting a response on its efforts to implement this recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update policies and procedures to ensure that they address (1) both methods available for granting all users access to mainframe resources, (2) audit and monitoring of access from one processing environment to another, (3) use of appropriate accounts by multiple databases on a single server, (4) data storage shared between systems, (5) out-of-date security standards, and (6) reconciliation of access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update mainframe test and evaluation processes to improve periodic monitoring of compliance with IRS policies.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: The Commissioner of the Internal Revenue Service should direct the appropriate IRS officials to update the Internal Revenue Manual (IRM) to specify steps to be followed to prevent campus support clerks as well as any other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During fiscal year 2012, IRS updated the IRM to require managers to verify that all campus support employees who process payments through the electronic check presentment system have the appropriate command code restriction in their IDRS profiles to prevent them from making adjustments to taxpayer accounts. However, during our subsequent audits we found that in updating the IRM, IRS did not undertake a global review of the level of access provided to all employee groups who handle hard-copy taxpayer receipts and related sensitive information to ensure that their levels of IDRS access were appropriate. As a result, in May 2016, IRS reassessed the risks at its TACs, including the specific risks and mitigating factors associated with allowing TAC employees to process taxpayer remittances through the electronic check presentment system and to adjust taxpayer accounts. However, IRS did not update the IRM to reflect the conclusions from the risk assessment related to TAC employees needing access to certain sensitive command codes as part of their normal job duties. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Clark, Cheryl E
    Phone: (202) 512-9521

    1 open recommendation
    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to, once IRS identifies the control weaknesses that result in inaccuracies or errors that affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS created a long-term corrective action plan that contains specific actions to improve control procedures to prevent or detect errors. While IRS completed some actions during fiscal year 2016, it has not completed most of the actions in the plan or documented milestones or target completion dates for these remaining actions. In addition, during fiscal year 2016, GAO and IRS continued to identify misclassified unpaid assessments that resulted from inaccuracies or errors in taxpayer accounts. Thus, IRS's actions to date have not been effective at fully addressing the issues that continue to cause a lack of transaction traceability and material inaccuracies produced by the subsidiary ledger. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.