Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • Results:

    Subject Term: "Information systems"

    77 publications with a total of 309 open recommendations including 28 priority recommendations
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: The Director of the Office of Management and Budget, in consultation with the Secretary of Homeland Security, and the Chief Information Officers Council, should evaluate whether the full implementation of the capability maturity model developed by the Council of the Inspectors General on Integrity and Efficiency ensures that consistent and comparable results are achieved across all federal agencies. (Recommendation 1)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    6 open recommendations
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that state-based marketplace annual sustainability plans, to the extent possible, have complete 5-year budget forecasts. (Recommendation 1)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that all state-based marketplaces provide required annual financial audit reports which are in accordance with generally accepted government auditing standards. (Recommendation 2)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that marketplace IT self-sustainability risk assessments are based on fully defined measurable terms, a clear categorization process, and a defined response to high risks. (Recommendation 3)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that states develop, update, and follow performance measurement plans that allow the states to continuously identify and assess the most important IT metrics for their state marketplaces. (Recommendation 4)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to conduct operational analysis reviews and systematically monitor the performance of states' marketplace IT systems using key performance indicators. (Recommendation 5)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that metrics collected from states to monitor marketplaces' operational performance link to performance goals and include baselines and targets to monitor progress. (Recommendation 6)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency plans to update the plans of action and milestones with the current status, including expected completion dates.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM partially concurred with the recommendation. The agency is working on making improvements to its automated system to further support its remedial action management processes, including timely closure.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of updating security policies.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of defining role-based training requirements for its continuous monitoring program.
    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's IT strategic plan to include well-defined goals, strategies, measures, and timelines for modernizing its systems.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that the IT investment process guidance lays out the roles and responsibilities of all working groups and individuals involved in the agency's governance process.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to finalize the restructure of the Office of Information Technology, including fully defining the roles and responsibilities of the CIO.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that appropriate governance bodies review all IT investments and track corrective actions to closure.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that required operational analyses are performed for Aspen, Motor Carrier Management Information System, Sentri 2.0, and Unified Registration System on an annual basis.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    1 open recommendation
    Recommendation: The Secretary of Defense should direct the Office of the Under Secretary of Defense (Comptroller) to provide guidance in the DOD Financial Management Regulation on the timing of when DOD managers should use available tools to help ensure that monthly cash balances are within the upper and lower cash requirements.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation and stated that it plans to update the DOD Financial Management Regulation as we recommended to provide additional guidance on the timing of when DOD managers should use available tools to help ensure that monthly cash balances are within the upper and lower cash requirements. DOD also stated that this change will be incorporated for the fiscal year 2019 President's Budget submission and subsequent budgets.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify performance metrics and associated targets for the goals and objectives in the department's IT strategic plans, including the Information Resources Management strategic plan and the Health Information Strategic Plan, as they relate to the delivery of health IT and the VHA mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and described planned coordination with the Office of Information and Technology and the Veterans Health Administration to develop or revise and maintain performance metrics that support the strategic and health information technology goals and objectives. The department plans to revise performance metrics to align to new goals and objectives by June 2018.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that the department-level investment review structure is implemented as planned and that guidance on the IT governance process is documented and identifies criteria for selecting new investments, and reselecting investments currently operational at VHA.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and a document describing the proposed alignment and interdependencies between the 11 governance boards. We will continue to monitor the implementation of the proposed relationships and review any additional guidance issued that further describes the process used by the governance boards for selecting and reselecting information technology investments.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify additional performance metrics to align with VHA's core business functions, and then use these metrics to determine the extent to which the department's IT systems support performance of VHA's mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation. These steps include developing a set of core metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that information technology investments are aligned to business needs and that expected outcomes are defined prior to making the investments. The department plans to complete this work by September 2018. We will continue to monitor VA's progress on these efforts.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that unmet IT needs identified by key program areas--pharmacy benefits management, scheduling, and community care--are addressed appropriately and that related business functions are supported by IT systems to the extent required.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. The department has described its intention to ensure that unmet information technology needs for the pharmacy benefits management, scheduling, and community care program areas are addressed appropriately during fiscal year 2018 budget formulation. We will follow up with VA to ascertain what needs have been addressed, closed, or reprioritized for each program office during fiscal year 2018.
    Director: Malenich, J Lawrence
    Phone: (202) 512-3406

    9 open recommendations
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to develop a mechanism that captures all of the key factors to be considered, such as materiality and risk, when designing the evaluation of internal control over financial reporting and collaborate, as appropriate, with the Inspector General to develop a similar mechanism for use by FHFA-OIG.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA is in the process of developing a mechanism that captures key factors, including risk and materiality, when designing the evaluation of internal control over financial reporting. This mechanism will be documented for the FY 2017 evaluation of internal control over financial reporting. FHFA and FHFA OIG are collaborating in these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to coordinate with the Inspector General, as appropriate, when calculating materiality thresholds to reasonably assure that materiality determinations are appropriate for the agency as a whole and rationale is adequately documented.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will coordinate with the FHFA OIG when calculating materiality thresholds to reasonably assure that materiality determinations are appropriate for the Agency as a whole and the rationale is adequately documented.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to coordinate with the Inspector General, as appropriate, to assess and document the aggregate effect of all deficiencies identified at the agency-wide level during the evaluation of internal control over financial reporting.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA will coordinate with the FHFA OIG during the FY 2017 evaluation of internal control over financial reporting to assess and document the aggregate effect of all deficiencies identified at the Agency-wide level.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to (1) summarize in sufficient detail by internal control principle those activities from the program offices that have an effect on internal control over financial reporting to reasonably assure the consideration of all internal control components and related principles; (2) collaborate, as appropriate, with the Inspector General to implement corresponding actions at FHFA-OIG; and (3) document how that information is used to conclude on the internal control components and related principles for financial reporting.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will summarize by internal control principle those activities from the program offices that have an effect on internal control over financial reporting to reasonably assure the consideration of all internal control components and related principles. FHFA will also document how information is used to conclude on the internal control components and related principles for financial reporting activities that are evaluated. FHFA will collaborate with FHFA OIG in these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to enhance the evaluation of internal control over financial reporting by identifying and testing all key control activities, including those related to the preparation of the financial statements.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA will enhance the FY 2017 evaluation of internal control over financial reporting by identifying and testing all key control activities, including those related to the preparation of the financial statements.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to (1) thoroughly document FHFA's review of SSAE No. 16 reports issued for the period under evaluation by reasonably assuring that all applicable control objectives and related control activities are clearly identified and described and the evaluation of user entity controls is adequately explained and (2) collaborate, as appropriate, with the Inspector General to implement corresponding actions at FHFA-OIG.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will thoroughly document FHFA's review of SSAE No. 16 reports issued for the period under evaluation by reasonably assuring that all applicable control objectives and related control activities are clearly identified and described and the evaluation of user entity controls is adequately explained. FHFA will collaborate with the FHFA OIG during these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to (1) clearly define and document an approach that identifies the information systems that are key to financial reporting, the process areas these information systems support, the key control activities for each information system, and how the key control activities are evaluated and (2) collaborate, as appropriate, with the Inspector General to implement corresponding actions at FHFA-OIG.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. During the FY 2017 evaluation of internal control over financial reporting, FHFA will clearly define and document an approach that identifies the information systems that are key to financial reporting, the process areas these information systems support, the key control activities for each information system, and how the key control activities are evaluated. FHFA will collaborate with the FHFA OIG in these efforts.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to collaborate, as appropriate, with the Inspector General to (1) develop a complete list of the specific provisions of laws and regulations that may have an effect on material amounts and related disclosures in the financial statements that are applicable to FHFA-OIG and (2) prepare documentation that clearly links each applicable provision of law or regulation to the key control activities tested.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA will collaborate with the FHFA OIG to develop a complete list of the specific provisions of laws and regulations that may have an effect on material amounts and related disclosures in the financial statements that are applicable to the FHFA OIG and prepare documentation that clearly links each applicable provision of law or regulation to the key control activities tested.
    Recommendation: The Director of the Federal Housing Finance Agency should direct the Chief Financial Officer to design an evaluation process that reasonably assures assignment of independent roles between the implementation and monitoring of control activities that are significant to the evaluation of internal control over financial reporting.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: FHFA agreed with this recommendation. FHFA is designing an evaluation process that reasonably assures assignment of independent roles between implementation and monitoring of control activities that are significant to the evaluation of internal control over financial reporting. To this end, FHFA has hired an independent contractor to aid in the evaluation process for FY 2017, and has involved staff from FHFA's Office of Quality Assurance in the FY 2017 evaluation process to reasonably assure independent roles between monitoring and implementation going forward.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Army to direct the program manager for Global Combat Support System-Army Increment 1 to establish standard operating procedures for managing risks that include guidance for establishing thresholds and bounds for key risk areas.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Air Force to direct the program manager for Air and Space Operations Center-Weapon System Increment 10.2 to develop an overall risk mitigation plan to guide the implementation of individual risk mitigation and contingency plan activities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Air Force to direct the program manager for Joint Space Operations Center, Mission System Increment 2 to appoint a chief developmental tester to oversee systems testing and integration activities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Cary B. Russell
    Phone: (202) 512-5431

    2 open recommendations
    Recommendation: To better ensure quality financial execution information is available to guide the Joint Exercise Program, the Secretary of Defense should direct the Office of the Assistant Secretary of Defense for Readiness to direct the combatant commanders to take steps to comply with current Execution Management System guidance to upload supporting documentation that is reconcilable to funds executed from the Combatant Commanders Exercise Engagement and Training Transformation account.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To better ensure quality financial execution information is available to guide the Joint Exercise Program, the Secretary of Defense should direct the Office of the Assistant Secretary of Defense for Readiness to, as the department implements financial improvement plans in accordance with the Financial Improvement and Audit Readiness guidance, include specific internal control steps and procedures to address and ensure the completeness and accuracy of information captured for the Joint Exercise Program's Combatant Commanders Exercise Engagement and Training Transformation account.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Asif A. Khan
    Phone: (202) 512-9869

    8 open recommendations
    Recommendation: The Secretary of the Army should direct the Internal Review Directorate under the Assistant Secretary of the Army, Financial Management and Comptroller, to develop written policies and procedures for all financial management-related audit findings and recommendations under its purview that include the following: (1) how the status of the recommendations will be tracked; (2) the process and criteria to be followed for prioritizing the findings and recommendations; (3) the process for developing CAPs to remediate the findings and recommendations, including the detailed CAP elements recommended by the Implementation Guide for OMB Circular A-123; and (4) the process for monitoring the status and progress of the CAPs, including the documentation to be maintained for monitoring CAP status and any actions to be taken if a lack of progress is found.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: The Army concurred with this recommendation. The Army stated that the Internal Review Directorate has completed updating its written standard operating procedures to include monitoring financial management-related external audit findings and recommendations. The Army stated that this new guidance includes an explanation of how recommendations will be tracked; how findings and recommendations will be prioritized; how status and progress of corrective action plans (CAPs) will be developed; and how the status and progress of CAPs will be monitored.
    Recommendation: The Secretary of the Army should direct the Accountability and Audit Readiness Directorate under the Assistant Secretary of the Army, Financial Management and Comptroller, to enhance the directorate's policies and procedures for (1) tracking and prioritizing all financial management-related audit findings and recommendations under its purview and (2) developing and monitoring CAPs for all such recommendations so that they include sufficient details, such as the criteria used to prioritize the CAPs, the recommended CAP elements, and the process for monitoring and documenting the progress and status of CAPs.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: The Army concurred with this recommendation. The Army stated that the Accountability and Audit Readiness Directorate has completed actions to enhance its current standard operating procedures to include (1) updating its corrective action plan (CAP) database and reporting tool, (2) documenting its reporting procedures, and (3) updating its CAP template to include additional elements recommended by the Implementation Guide for OMB Circular A-123. In addition, the Army stated that its policies and procedures include steps to incorporate external financial management-related audit findings assigned to the Accountability and Audit Readiness Directorate by the Internal Review Directorate and that the existing process the Army uses to prioritize findings and the related CAPs and to monitor the progress and status of CAPs has been documented.
    Recommendation: The Secretary of the Navy should, when finalizing the Navy's policies and procedures for identifying and tracking its CAPs to remediate financial management-related audit findings and recommendations, enhance this guidance so it includes detailed steps and specific procedures for confirming and validating the completeness and accuracy of the status of these audit findings and recommendations.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Navy concurred with this recommendation. The Navy stated that it is (1) recording new findings and recommendations on a weekly basis in its deficiency database, (2) reviewing historical audits to ensure that previous findings and recommendations are recorded, and (3) collaborating with audit agencies to establish a process to reconcile the status of recommendations to ensure that its deficiency database accurately reports open and closed recommendations. The Navy also stated that these processes would be documented and implemented by January 31, 2017.
    Recommendation: The Secretary of the Air Force should design and document a comprehensive process to ensure that the complete universe of all financial management-related findings and recommendations from all audit sources is identified and tracked.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: The Air Force concurred with this recommendation. The Air Force stated that it will revise its existing process for identifying and tracking all financial management-related findings and recommendations from all audit sources. The Air Force stated that the process will include the procedures for summarizing the status of findings on a bi-monthly basis and providing a summary for the FIAR Governance Board meetings. The Air Force stated that it plans to implement this recommendation by January 31, 2018.
    Recommendation: The Secretary of the Air Force should update the Air Force's written policies and procedures for prioritizing financial management-related audit findings and recommendations from all audit sources and for developing and monitoring CAPs so that they include sufficient details. These procedures should include the following details: (1) The process to be followed for prioritizing the financial management-related findings and recommendations from audit sources. (2) The guidance for developing CAPs for all financial management-related audit findings and recommendations from all audit sources to include complete details, including the elements recommended by the Implementation Guide for OMB Circular A-123. (3) The process for monitoring the status of the CAPs for all financial management-related audit findings and recommendations from all audit sources, including the documentation to support any corrective actions taken, as recommended by the Implementation Guide for OMB Circular A-123.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: The Air Force concurred with this recommendation. The Air Force stated that it will revise its existing written policies and procedures for tracking and monitoring all financial management-related audit findings and recommendations. Specifically, the Air Force stated that these revised policies and procedures will (1) articulate prioritizing findings and recommendations; (2) provide guidance for developing detailed and actionable corrective action plans (CAPs), which address the condition and root cause of the findings and include elements recommended by OMB Circular A-123; and (3) provide clear guidance for monitoring the status and progress towards implementing and closing the CAPs. The Air Force plans to implement this recommendation by January 31, 2019.
    Recommendation: To improve DOD management's process for monitoring the military services' audit remediation efforts and to provide timely and useful information to stakeholders as needed, the Secretary of Defense should direct the Secretary of the Army, the Secretary of the Navy, and the Secretary of the Air Force to prepare and submit to the Under Secretary of Defense (Comptroller), on at least a bimonthly basis for availability at the FIAR Governance Board meetings, a summary of key information included in the CAPs that at a minimum contains the data elements recommended by the Implementation Guide for OMB Circular A-123 for each CAP related to critical capabilities for achieving audit readiness.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. DOD stated that it solicits input on a bi-monthly basis, on critical capability corrective action plans (CAPs) at a summary level. This information is provided routinely at regularly scheduled FIAR Governance Board meetings. DOD also stated that an updated notice of finding and recommendation (NFR) form template is being developed and will be provided to the military services to use for reporting this information so that it will include the recommended standard data elements outlined in OMB Circular A-123 to provide greater transparency into the nature of remediation plans. DOD also stated that FIAR Guidance will be updated to explicitly state that military services should include the OMB recommended standard data elements in CAPs.
    Recommendation: To reasonably assure that DOD management and external stakeholders have a comprehensive picture of the status of corrective actions needed for audit readiness throughout the department, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to prepare a consolidated CAP management summary on a bimonthly basis that includes the data elements referred to above on the status of all CAPs related to critical capabilities for the military services and for the service providers and other defense organizations.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation. According to DOD, the military services already provide summary-level updates on their critical capability corrective action plans (CAPs) at FIAR Governance Board meetings. It also stated that the template that is used to present CAPs to the FIAR Governance Board meetings at the summary level has been updated to align CAPs to critical capabilities. DOD still needs to address how all of the data elements from the Implementation Guide for OMB Circular A-123 will be summarized or otherwise reported for all CAPs pertaining to critical capabilities across the Department. In addition, DOD stated that because the DOD Comptroller takes responsibility for maintaining, monitoring, and reporting on the status of CAPs for the service providers and other defense organizations and of DOD-wide issues, the Comptroller will also summarize this information. However, DOD has not clarified what information from the military services will be summarized.
    Recommendation: To facilitate the development of a consolidated CAP management summary and the ability to efficiently respond to stakeholder requests, the Under Secretary of Defense (Comptroller) should develop and implement a centralized monitoring and reporting process that at a minimum (1) captures department-wide information on the military services' and other defense organizations' CAPs related to critical capabilities, including the standard data elements recommended in the Implementation Guide for OMB Circular A-123, and (2) maintains up-to-date information on the status of these CAPs.

    Agency: Department of Defense: Under Secretary of Defense (Comptroller)
    Status: Open

    Comments: DOD partially concurred with this recommendation. DOD stated that as outlined in the military services' responses to our recommendations directed to them, the Army, Navy, and Air Force have agreed to take the responsibility for developing, maintaining, and monitoring all CAPs at the level recommended by the Implementation Guide for OMB Circular A-123. Further, DOD stated that based on the Comptroller actively participating in monthly meetings with military services to gain an understanding of their CAPs and the information reported in bi-monthly FIAR Governance Board meetings, this provides the Department the ability to efficiently respond to stakeholder requests related to critical capabilities CAPs. However, DOD did not describe a centralized reporting process to ensure consistent standard data elements are provided in CAPs and that the information on the status of the CAPs is up to date.
    Director: Susan Fleming
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To determine whether CSA interventions influence motor carrier safety performance, the Secretary of Transportation should direct the FMCSA Administrator to identify and implement, as appropriate, methods to evaluate the effectiveness of individual intervention types or common intervention patterns to obtain more complete, appropriate, and accurate information on the effectiveness of interventions in improving motor carrier safety performance. In identifying and implementing appropriate methods, FMCSA should incorporate accepted practices for designing program effectiveness evaluations, including practices that would enable FMCSA to more confidently attribute changes in carriers' safety behavior to CSA interventions.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To understand the efficiency of CSA interventions, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's cost estimates to determine the resources currently used to conduct individual intervention types and ensure FMCSA has cost information that is representative of all states.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable FMCSA management to monitor the agency's progress in achieving its effectiveness and efficiency outcomes for CSA interventions and balance priorities, the Secretary of Transportation should direct the FMCSA Administrator to establish and use performance measures to regularly monitor progress toward both FMCSA's effectiveness outcome and its efficiency outcome.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David Powner
    Phone: (202) 512-9286

    25 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: United States Agency for International Development
    Status: Open

    Comments: We plan to follow up on the agency's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Education
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Commerce
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Energy
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Social Security Administration
    Status: Open

    Comments: In its comments on a draft of our report, SSA agreed with our recommendation. Subsequent to SSA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Transportation
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department said it had no comments on our draft report and recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of State
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its comments on a draft of our report, EPA generally agreed with our recommendation. Subsequent to EPA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In its comments on a draft of our report, NASA concurred with our recommendation. Subsequent to NASA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Small Business Administration
    Status: Open

    Comments: In comments on a draft of our report, SBA said the report captures its current posture. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In comments on a draft of our report, NRC stated that it generally agreed with the report. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In its comments on a draft of our report, OPM concurred with our recommendation. Subsequent to OPM informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

    Agency: Department of Defense
    Status: Open

    Comments: In comments on a draft of our report, the department disagreed with our recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of the Interior should direct the department's CIO to document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Director of the National Science Foundation should direct the CIO to consistently document evaluations for all applications and report cost information for them in the roadmap or other documentation.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We plan to follow up.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    3 open recommendations
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    22 open recommendations
    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. Instead, we are reviewing the relevant OMB memoranda that officials believe address the intent of the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with the recommendation, stating that the department's policy documents are expected to be updated by the end of the 4th Quarter in 2017. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) did not concur with our recommendation, nor has it provided evidence that it has implemented the recommendations.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning, implementing, evaluating, and documenting remedial actions.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of State
    Status: Open

    Comments: The Department of State (State) concurred with this recommendation. We are currently reviewing the evidence provided by State to determine whether the role of the CISO has been defined in its policy for ensuring that State has procedures for incident detection, response, and reporting.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy for ensuring that subordinate security plans are documented for the agency's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to ensure recovery and continued operations of the agency's information systems in the event of a disruption.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in agency policy for the periodic authorization of the department's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. We are currently reviewing the evidence provided by NASA to determine whether the role of the SAISO has been defined in agency policy for oversight of security for information systems that are operated by contractors on NASA's behalf.
    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration (SBA) concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    8 open recommendations
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to track and review OI&T historical workforce data and projections related to leadership retirements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T's Human Capital Management Office (HCM) had completed a succession planning project that encompassed all senior leadership and included data review and risk assessment for each position. VA also stated that OI&T tracks the gains and losses associated with its leadership positions and provided this information for fiscal year 2016. However, the department has not provided documentation that supports the assertion that historical and projected OI&T leadership retirement data was presented and discussed as part of the succession planning project and did not provide data on projected retirements for OI&T's leadership positions. Additionally, the department stated that OI&T HCM has the ability to project retirement eligibility but has not provided documentation to support this assertion. It is important that VA tracks and reviews its OI&T historical workforce data and forecasts its leadership retirements to avoid being unprepared to effectively respond to vacancies in key leadership positions.
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to identify IT skills needed beyond the current fiscal year to assist in identifying future skills gaps.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that Information Technology Workforce Development (ITWD) will produce reports that identify skill gaps and will contain long-term recommendations that show the types of IT skills each organization needs to increase and which proficiency level targets need the most emphasis. As of July 2017, VA stated that ITWD reviewed, and updated where needed, the fiscal year 2017 competencies within each OI&T competency model role in order to align the models to the OI&T Transformation initiative. According to the department, the resulting updates support learning solutions that sustain and accelerate OI&T's transformation. Additionally, VA stated that 85 percent of OI&T staff completed a validated competency self-assessment and provided the OI&T fiscal year 2017 Training Gap Analysis Report which shows the strengths and gaps of OI&T by organization, trends between fiscal years 2016 and 2017, findings, next steps, and recommended actions for the next fiscal year. The department also stated that ITWD held meetings to review skill gap and learning solution reports. VA provided these reports and they present the top gaps and strengths, key findings, and next steps to address the skill gaps. While the department has taken these actions, its OI&T Training Gap Analysis Report does not identify IT skills needed beyond fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project planning, to include (1) estimating the level of effort that will need to be expended for work products and tasks, and (2) making adjustments to the project plan to reconcile differences between estimated and available resources.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and stated that OI&T is documenting changes to processes related to project planning as it transitions from PMAS to the Veteran-Focused Integration Process (VIP). According to VA, the VIP processes will lead to better requirements elaboration and prioritization, increasing significantly the accuracy of estimates related to level of effort. Additionally, the department stated that by using short Agile sprints, the project team will be able to adjust the project plan frequently to reconcile differences between estimated and available resources. As of July 2017, VA stated that all projects have transitioned to the VIP, which ensures they are incorporating the Agile methodology into the project lifecycle. According to the department, the latest version of its VIP Guide incorporates the use of daily scrum and weekly scrum of scrum meetings that can be used to frequently adjust the project plan to reconcile differences between estimated and available resources. VA stated that the project planning processes will continue to evolve beyond July and expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to requirements management, to include identifying changes to be made to plans and work products as a result of requirements baseline changes.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T is revising its documentation related to requirements management as part of the transition to the Veteran-Focused Integration Process (VIP). According to VA, requirements will be tracked using the IBM Rational Tools Suite, which will be able to provide a snapshot of the original baseline and all captured changes in the form of an audit trail that captures the history of requirement changes. As of July 2017, the department stated that all projects have transitioned to the VIP and requirements baselines and subsequent changes are tracked in the Rational Tools Suite. VA also reported that efforts in fiscal year 2017 to consolidate all mandatory architectural, design, and process methodologies into a single library of requirements were successful, which resulted in combining the full body of requirements. Additionally, according to the department, versioning of the requirements will allow the office to trace specific versions of individual requirements and their evolution by time period and project inheritance. VA stated that it expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to risk management, to include (1) determining costs and benefits of implementing the risk mitigation plan for each risk and (2) collecting performance measures on risk handling activities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the IBM Rational Tools Suite will be used to manage risks and issues. According to VA, the tools suite will allow requirements to be linked to risks, which will provide traceability; teams will be able to track and report steps taken to mitigate risks; and an audit trail will show the history of changes made to each risk. The department also reported that the Office of Privacy and Risk will establish risk mitigation strategies for OI&T. As of July 2017, VA stated that risks data capture has been developed as a standardized process and that data on project and program risks in the Rational Tools Suite is aggregated and prepared for use to verify aggressive management, and will be included in enterprise reporting. The department stated that work is underway with the Performance Management Office and that OI&T expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project monitoring and control, to include the 10 best practices that were missing from the guidance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that implementation of the Veteran-Focused Integration Process (VIP) and Agile processes within OI&T will address eight of the ten best practices related to project monitoring and control that were missing from its guidance. In regard to monitoring the knowledge and skills of project staff, OI&T's IT Workforce Development (ITWD) group collects and analyzes competency assessment data, which is used in requirements gathering meetings with OI&T leaders. According to VA, during these meetings organizational needs and next steps are discussed in detail. Additionally, the department's latest version of its VIP Guide states that the product team should be cross-functional and include all skills needed to deliver a product. Further, the department reported that data management activities, issues, and impacts will be managed using VIP, Agile, and IBM Rational Tools Suite. According to its VIP Guide, OI&T expects that all products follow the Agile product management process and use the Rational Tools Suite to manage scheduled product sprints and backlog, product requirements, risks and issues, and product planning and engineering documentation, among others. Also, VA stated that Agile methodologies will require stakeholders to be involved in the daily scrum meetings, user acceptance testing, and acceptance of deliverables, which will address stakeholders being involved regularly and documenting the results of stakeholder involvement status reviews. According to the VIP Guide, the Agile development methodologies require development teams to meet often with stakeholders to ensure transparency and foster a collaborative work environment. Additionally, the department stated that critical decision events are using Rational based data assessments to report on level of satisfaction of project controls and process compliance requirements. 
Further, according to the VIP Guide, the Product Owner will have a key role in the decision-making process during the development of the product and will be able to regularly express concerns and/or approvals to best meet user satisfaction. The department stated that critical decision events are being held at the portfolio level, and action items from these events are being tracked. VA provided meeting minutes from critical decision events that were held in October and December 2016. The December 2016 meeting minutes identified action items and the status of those items. Although VA has taken actions to address the majority of best practices related to project monitoring and control, the department's new VIP process does not include two practices that call for (1) tracking expended effort and (2) monitoring the utilization of staff and resources. Until OI&T's documented processes for project monitoring and control fully reflect best practices, the office is at risk that its projects will not achieve expected results.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to process and product quality assurance, to include (1) documenting a description of the quality assurance reporting chain and defining how objectivity will be ensured, and (2) periodically reviewing open noncompliance issues and trends with management that is designated to receive and act on them.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of the Veteran-Focused Integration Process (VIP), Agile processes, and the Rational Toolset within OI&T will address process and product quality assurance. According to VA, as a part of VIP, the Product Owner is engaged from intake through project completion, which will ensure that the quality of the product is maintained throughout the life cycle. Additionally, the department reported that the process of periodically reviewing open non-compliance issues and trends with management that is designated to receive and act on them will be accomplished through CIOStat meetings held with OI&T senior leadership. VA also reported that the Rational Quality Manager tool is used to automate routine testing activities to identify non-compliance issues and trends. As of July 2017, the department stated that the Product Owner is beginning to have a stronger role on the project team, which enables them to assist in all types of issues, including quality assurance. VA also stated that Release Agents develop and distribute Release Readiness Reports, which provide a status of all release requirements and of traceability among requirements, deliverables, and test results. VA expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project scheduling, to include the 9 best practices that were missing from the guidance and revise the documented processes where the guidance was contrary to best practices.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of VIP and Agile processes within OI&T will address five of the nine best practices related to project scheduling that are missing from its guidance. According to VA, business and compliance requirements will be captured during the planning phase and maintained in the IBM Rational Tools Suite to manage scheduled project/product builds and backlog which will allow the project to more accurately maintain the schedule baseline, capture all schedule changes, and provide an audit trail of all the changes. Additionally, the department reported that the IBM Rational Tools Suite connects requirements, change orders, test cases, and test results in order to have full traceability in a closed loop system. VA also noted that the use of short development builds within Agile increases the probability of successful adherence to the schedule; and Agile provides the flexibility to make schedule changes using the backlog to prioritize requirements. As of July 2017, VA stated that Project Build Planning sessions capture and prioritize all backlog items with high level activities captured in the VIP Dashboard; and that each project task receives an estimated duration. The department also stated that the project team commits to a high level scope for each build and then the scope is solidified and committed to in detail at each Sprint Plan. According to VA, at the end of each sprint the Product Owner accepts or rejects the product of what was committed to at Sprint Planning. The department also stated that there is a high-level commitment at the Critical Decision 1 meeting; that each build gets committed to at a more granular level; and that sprint planning includes establishing a firm commitment for exactly what will be completed during the sprint. 
The department further stated that part of the Agile process being used by OI&T removes rigid, mandatory constraints as long as project teams follow compliance epics. Additionally, the department reported that because of the use of Agile methodology, if a task is critical today, the project team can reprioritize and address the needs of the project immediately. According to VA, Agile supports both sustainment and development projects, by allowing changes to the project backlog to address high priority functionality. VA also stated that Agile allows flexibility to shift from one build to another based on priorities and to shift backlog items based on VIP Triad priorities. Additionally, according to the department, risks are managed in the Rational Tools Suite and impediments are raised and escalated during daily scrums and scrum of scrum calls. The VIP Guide indicates that product teams are required to make timely updates to the VIP Dashboard regarding schedule and that the Rational Tools Suite will be used to manage and administer source control and baselines; manage risks and issues; and manage scheduled product sprints and backlogs. However, the VIP Guide does not include practices to (1) document that each project task should receive a duration estimate; (2) require that the project schedule be traceable horizontally and vertically; (3) sequence all activities; and (4) confirm that the critical path is valid. Until OI&T's documented processes for developing schedules fully reflect best practices, the office is at risk that schedules created for its projects will not be reliable.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    4 open recommendations
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to define a high-level depiction of the IT systems anticipated in the future state, a description of the operations that must be performed and who must perform them, and an explanation of where and how the operations are to be carried out.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In May 2017, HUD's Deputy Chief Information Officer reported that the office was managing multiple enterprise-level initiatives no longer classified as financial management modernization efforts, but which are intended to address certain previously reported financial systems modernization needs. The department provided early high-level requirements and a solution architecture for one such initiative, including a future requirement to support data required for HUD's financial reporting needs from Treasury. However, HUD does not yet have a plan to develop a high-level concept of operations for IT systems anticipated in the future state. We intend to follow up on HUD's actions.
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to develop comprehensive plans for scope, schedule and cost.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In May 2017, the department provided an early project oversight plan and critical task schedule for one initiative related to enterprise data management, but these plans are not comprehensive and do not include, among other things, detailed cost estimates. We intend to follow up on HUD's actions.
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to ensure requirements are fully documented and traceable.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported that the Chief Financial Officer and the Chief Information Officer intend to partner on future departmental financial management systems modernization efforts to fully document requirements and trace requirements to the functionality in the modernized system. In May 2017, department officials reported that the subsequent initiatives underway were following an Agile process yielding product-release backlogs as documentation of requirements for ongoing initiatives. They provided the initial backlog for an enterprise data management initiative. However, HUD could not demonstrate that these requirements were complete and traceable to mission needs. We intend to follow up on HUD's actions.
    Recommendation: The Secretary of HUD should also direct the Deputy Secretary to ensure that the Chief Information Officer takes action to improve IT governance control activities used for monitoring programs and identifying needed corrective actions, and strengthen investment oversight by improving coordination with stakeholders and alignment among IT modernization efforts.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported on its fiscal year 2016 updates to charters of its IT governance boards, which provide oversight of all its IT investments, including financial management initiatives, and noted that business cases for proposed development and modernization initiatives had been discussed at governance meetings. HUD also reported that it had set up steering committees to supplement board governance and monitoring two enterprise-level modernization efforts and planned to apply mechanisms, such as project health assessments, intended to establish effective investment oversight. However, HUD has not yet demonstrated that the updated governance control activities have improved program monitoring and identified any needed corrective actions or that planned oversight mechanisms have improved coordination with stakeholders or alignment of modernization efforts. We intend to follow up on HUD's actions to ensure that planned improvements to governance and oversight mechanisms are effectively implemented and institutionalized.
    Director: Susan A. Fleming
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: To improve PHMSA's oversight of the explosives classification process, the Secretary of Transportation should direct the PHMSA Administrator to develop and implement a systematic approach for improving the guidance PHMSA provides test labs.

    Agency: Department of Transportation
    Status: Open

    Comments: PHMSA concurred with this recommendation and said it would take steps to implement it. When we confirm what actions PHMSA has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To improve access to and awareness and applicability of ITS resources for ITS deployment, the Secretary of Transportation should direct the ITS Joint Program Office (JPO), in coordination with the Federal Transit Administration (FTA), to develop a strategy to raise awareness of JPO's training, technical assistance, and knowledge resources for transit ITS deployment in the transit community.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with GAO's recommendation and stated that its Professional Capacity Building Program has two initiatives under development that will raise awareness of existing Intelligent Transportation System knowledge resources. First, the department will develop an overall course catalog that will describe all existing resource offerings. Second, the department will develop a new strategic plan that will utilize information from the updated course catalog as well as internal analyses to determine which new knowledge resources need to be developed to meet the needs of the transit community. As of June 2017, GAO is awaiting the Department's response regarding the status of its efforts to implement this recommendation.
    Recommendation: To improve access to and awareness and applicability of ITS resources for ITS deployment, the Secretary of Transportation should direct the ITS JPO, in coordination with FTA, to include ITS adoption by small urban and rural transit providers in ITS monitoring efforts.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with GAO's recommendation and stated that the Federal Transit Administration is considering the development of a small urban and rural Intelligent Transportation System survey component as part of its 2019 Intelligent Transportation System Deployment Survey. As of June 2017, GAO is awaiting the Department's response regarding the status of its efforts to implement this recommendation.
    Director: Diana C. Maurer
    Phone: (202) 512-9627

    2 open recommendations
    including 2 priority recommendations
    Recommendation: To allow for more efficient use of data on missing and unidentified persons contained in the NCIC's Missing Persons and Unidentified Persons files and NamUs, the Directors of the FBI and NIJ should evaluate the feasibility of sharing certain information among authorized users, document the results of this evaluation, and incorporate, as appropriate, legally and technically feasible options for sharing the information.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In commenting on GAO's June 2016 report, DOJ disagreed with our recommendation, because DOJ believes it does not have the legal authority to fulfill the corrective action as described in the proposed recommendation. Specifically, DOJ stated that the National Missing and Unidentified Persons System (NamUs) does not qualify, under federal law, for access to the National Crime Information Center (NCIC) and is not an authorized user to receive NCIC data. Therefore, DOJ does not believe there is value in evaluating the technical feasibility of integrating these two databases. In March 2017, DOJ reiterated its position that any such sharing was prohibited by law. We understand the legal framework placed on NCIC and that it may be restricted from fully integrating with a public database. However, this statutory restriction does not preclude DOJ from exploring options to more efficiently share information within the confines of the current legal framework. Until DOJ studies whether such feasible mechanisms exist, it will be unable to make this determination, risking continued inefficiencies through fragmentation and overlap.
    Recommendation: To allow for more efficient use of data on missing and unidentified persons contained in the NCIC's Missing Persons and Unidentified Persons files and NamUs, the Directors of the FBI and NIJ should evaluate the feasibility of sharing certain information among authorized users, document the results of this evaluation, and incorporate, as appropriate, legally and technically feasible options for sharing the information.

    Agency: Department of Justice: Office of Justice Programs: National Institute of Justice
    Status: Open
    Priority recommendation

    Comments: In commenting on GAO's June 2016 report, DOJ disagreed with our recommendation, because DOJ believes it does not have the legal authority to fulfill the corrective action as described in the proposed recommendation. Specifically, DOJ stated that the National Missing and Unidentified Persons System (NamUs) does not qualify, under federal law, for access to the National Crime Information Center (NCIC) and is not an authorized user to receive NCIC data. Therefore, DOJ does not believe there is value in evaluating the technical feasibility of integrating these two databases. In March 2017, DOJ reiterated its position that any such sharing was prohibited by law. We understand the legal framework placed on NCIC and that it may be restricted from fully integrating with a public database. However, this statutory restriction does not preclude DOJ from exploring options to more efficiently share information within the confines of the current legal framework. Until DOJ studies whether such feasible mechanisms exist, it will be unable to make this determination, risking continued inefficiencies through fragmentation and overlap.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    17 open recommendations
    including 7 priority recommendations
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.
    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.
    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.
    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.
    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition, OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document artifacts that support recommendation closure consistent with SEC policy.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document a comprehensive physical inventory of the systems and applications in the production environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Cary Russell
    Phone: (202) 512-5431

    2 open recommendations
    Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer, to improve the reliability of its cost estimates, to conduct uncertainty and sensitivity analyses consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, the F-35 Program regularly performs sensitivity analysis in its cost estimates. The F-35 Cost Team runs drills throughout the year on varying ground rules and assumptions for all elements of the sustainment Annual Cost Estimate (ACE), including ALIS cost elements. These drills are used to assess cost impacts of various proposed requirements changes from the F-35 Program Office and the Services. The cost models capture the sensitivity of those technical baseline changes and the F-35 Program Office and Services use those results to inform the final technical baseline definition that becomes the basis of the annual estimate update. Although these measures are regularly performed, they do not constitute a direct uncertainty or sensitivity analysis on ALIS itself. For that reason, as of September 2017, this recommendation remains open.
    Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer, to improve the reliability of its cost estimates, to ensure that future estimates of ALIS costs use historical data as available and reflect significant program changes consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, as part of the cost estimating processes in the F-35 Program Office, the sustainment Annual Cost Estimate does incorporate the latest available historical cost data and reflects the latest approved technical baseline. For example, the latest hardware procurement costs from the most recent annual contracts for the F-35 were incorporated into the 2016 Annual Cost Estimate update as were the manpower assembly installation costs based on final delivered item prices. Although these are positive measures for the program and the cost estimate, the program has not incorporated a range of potential future costs that may better reflect actual ALIS costs. Until this step is taken, the recommendation will remain open.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Army should direct the Tactical Mission Command program manager to develop a requirements management plan to document and manage its requirements process.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Navy should direct the Common Aviation Command and Control System program manager to identify weaknesses in the requirements traceability process and take corrective actions to manage the traceability of requirements to the respective lower-level requirements, and periodically evaluate work products, including the requirements management plan, and update them in accordance with the requirements guidance.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Air Force should direct the Defense Enterprise Accounting and Management System program manager to address weaknesses in its controls for ensuring that all software requirements are tested and validated before deployment of new software releases.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Director of OMB should instruct the Federal Chief Information Officer (CIO) to add the Under Secretary of Defense for AT&L as a responsible party to DOD's MAIS entries on the Federal IT Dashboard website, alongside the CIO, to publicly disclose the responsible party for the acquisition performance management of MAIS programs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget did not agree with the recommendation, but stated it would work with the Department of Defense to address it. In April 2017, the Department of Defense stated that it is reorganizing the office of the Under Secretary of Defense for AT&L and its responsibilities. We will continue to follow up with the department subsequent to the reorganization in an effort to determine the party responsible for the acquisition performance management of MAIS programs and OMB's efforts to disclose the responsible party on the Federal IT Dashboard.
    Recommendation: To help improve the management of MAIS programs, the Secretary of Defense should examine the MAIS critical change reporting process to identify root causes for delays and implement corrective actions for the timely delivery of critical change reports.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of Defense should develop a mechanism for monitoring whether MAIS programs with late reports are restricted from obligating funds and in turn ensuring compliance with the Antideficiency Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that it is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and Encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any output/results (findings) from the ongoing studies DHS has related to SCADA and Encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed, refined, and were baselining a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures as an addition to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value of cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for an update on the status of data correlation, once available. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to establish schedules and milestones for completing a version of an IT strategic plan that incorporates elements to align the plan's strategies with agency-wide priorities; includes results-oriented goals and performance measures that support the agency's mission, along with targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; identifies key IT initiatives that support the agency's goals; and describes interdependencies among the initiatives.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    2 open recommendations
    Recommendation: To help federal, state, local, and private sector decision makers access and use the best available climate information, the Executive Office of the President should designate a federal entity to develop and periodically update a set of authoritative climate change observations and projections for use in federal decision making, which state, local, and private sector decision makers could also access to obtain the best available climate information.

    Agency: Executive Office of the President
    Status: Open

    Comments: As of 6/7/17, the Executive Office of the President has yet to take action in response to this recommendation.
    Recommendation: To help federal, state, local, and private sector decision makers access and use the best available climate information, the Executive Office of the President should designate a federal entity to create a national climate information system with defined roles for federal agencies and nonfederal entities with existing statutory authority.

    Agency: Executive Office of the President
    Status: Open

    Comments: As of 6/7/17, the Executive Office of the President has yet to take action in response to this recommendation.
    Director: Melissa Emrey-Arras
    Phone: (617) 788-0534

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To strengthen management of the Direct Loan Program and ensure good customer service for borrowers, the Secretary of Education should direct the Office of Federal Student Aid's Chief Operating Officer to review its methods of providing instructions and guidance to servicers, identifying areas to improve clarity and sufficiency, and ensure consistent delivery of instructions and guidance to ensure program integrity and improve service to borrowers. For example, the Department could consider implementing a detailed, common servicing manual for the Direct Loan program.

    Agency: Department of Education
    Status: Open
    Priority recommendation

    Comments: The Department of Education agreed with this recommendation and has reviewed its guidance to servicers, as of October 2016. It has issued clarifications to servicers in several areas. In addition, the Department had been in the process of an acquisition for a new loan servicing solution but, as of September 2017, is reassessing its acquisition strategy. While the plan for the revised acquisition is not finalized, FSA expects its approach to significantly streamline the process of communicating instructions and guidance to servicers, as well as improve the overall experience for students and borrowers. Upon resolution of its acquisition strategy, Education needs to demonstrate that its final contract for a new loan servicing solution is structured to provide clear and consistent instructions and guidance to servicers to ensure program integrity and improve service to borrowers.
    Director: Cary Russell
    Phone: (202) 512-5431

    4 open recommendations
    Recommendation: To better determine the costs needed to sustain the equipment to support a Marine Air Ground Task Force capability, the Commandant of the Marine Corps should direct the Deputy Commandant for Installations and Logistics to incorporate the four characteristics of reliable cost estimates in the Marine Corps' forthcoming prepositioning programs budget development policy, and specifically to ensure that estimates are accurate and well-documented, require all relevant departments and subordinate commands to provide documentation of cost-estimating details that include both source data and calculations.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow-up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Recommendation: To better determine the costs needed to sustain the equipment to support a Marine Air Ground Task Force capability, the Commandant of the Marine Corps should direct the Deputy Commandant for Installations and Logistics to incorporate the four characteristics of reliable cost estimates in the Marine Corps' forthcoming prepositioning programs budget development policy, and specifically to ensure that estimates are credible, implement management requirements to establish and conduct formal cross-checks of major cost elements among the relevant departments and subordinate commands to determine whether they are replicable.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow-up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Recommendation: To better determine the costs needed to sustain the equipment to support a Marine Air Ground Task Force capability, the Commandant of the Marine Corps should direct the Deputy Commandant for Installations and Logistics to incorporate the four characteristics of reliable cost estimates in the Marine Corps' forthcoming prepositioning programs budget development policy, and specifically to ensure that estimates are comprehensive, implement a standardized structure for collecting all the necessary details used to develop and support cost estimates from all relevant departments and subordinate commands.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow-up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Recommendation: As part of its quality assurance program for ensuring that the Marine Corps has accurate and reliable information on inventory data for stored assets used to support combatant commanders' requirements, the Commandant of the Marine Corps, in consultation with the Norwegian Defence Logistics Organization, should take steps to update the Technical Manual on Logistics Support for the Marine Corps Prepositioning Program - Norway and the Local Bilateral Agreement, to incorporate guidance and instructions on conducting a quality assurance review that assesses the accuracy and reliability of the Norwegian Equipment Information Management System.

    Agency: Department of Defense: United States Marine Corps
    Status: Open

    Comments: Based on our review of DOD's database on DOD's actions addressing GAO recommendations and follow-up with DOD officials, as of September 1, 2017, DOD has not yet addressed this recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To improve the oversight of states' marketplace IT projects, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that all CMS senior executives from IT and business units who are involved in the establishment of state marketplace IT projects review and approve funding decisions for these projects.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In 2015, Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) concurred with the recommendation. The department, in its agency comments, stated that it already included senior executives in its funding decisions for these projects. However, as noted in our report, CMS did not provide evidence that key senior executives from CCIIO, CMCS, and OTS were involved in various funding decisions associated with the states' IT projects. For example, CMS did not demonstrate that senior-level executives from all relevant business and IT units were involved in the initial approval of grant awards or the release of restricted IT funds from marketplace grants as states progressed with their projects. In addition, CMS did not provide evidence of senior executive involvement in the approval of Medicaid funds for marketplace IT projects. Furthermore, as of March 10, 2017, CMS still had not provided evidence that it had taken such actions to support the implementation of this recommendation. By ensuring such executive involvement, CMS would increase accountability for decisions to fund states' IT projects and ensure that these decisions are well informed in order to make efficient use of federal funds.
    Recommendation: To improve the oversight of states' marketplace IT projects, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that states have completed all testing of marketplace system functions prior to releasing them into operation.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In 2015, Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) concurred with the recommendation. The department noted that it would continue to follow its guidelines to determine if state marketplace system functions are ready for release. The department added that it would work closely with state-based marketplaces to improve their systems and verify that system requirements are met and fully tested before approving them for release into production. While CMS drafted guidance to update its process in June 2016, which required states to submit certain testing reports and supporting documentation, as of March 10, 2017, the agency had not provided evidence that it had determined that state systems had been sufficiently tested for release into operations.
    Director: J. Alfredo Gómez
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: The EPA Administrator should direct OGD to develop a timetable with milestones and identify and allocate resources for adopting electronic records management for all 10 regional offices.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: According to EPA officials, the Office of Grants and Debarment (OGD) established an agency-wide electronic grants record workgroup in fiscal year 2016. The workgroup identified the contents of the electronic grant file, technical options, and evaluation criteria. OGD completed its alternatives analysis for scope, general approach, and requirements in fiscal year 2017. As of May 2017, the next phase of work is on hold, subject to available funds and prioritization of work.
    Recommendation: The EPA Administrator should direct OGD to implement plans for adopting an up-to-date and comprehensive IT system by 2017 that will provide accurate and timely data on agencywide compliance with grants management directives.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts are ongoing. According to EPA officials, OGD is conducting a multi-modular project to upgrade the agency's grants management IT system. As of May 2017, the final module is on schedule for deployment in fiscal year 2018. OGD will incorporate performance tracking of priority directives in accordance with the policy framework of the new grants management plan.
    Recommendation: Until the new IT system is implemented, the EPA Administrator should direct OGD to develop ways to more effectively use existing web-based tools to better monitor agencywide compliance with grants management directives.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: Implementation efforts are ongoing. According to EPA officials, OGD has developed the capability to provide managers cumulative annual baseline monitoring data. Further capabilities of web-based tools, namely the replacement of OGD's primary tool Quik Reports, were scheduled for deployment in fiscal year 2017. This effort, combined with updates to the Grants Datamart, will provide long-term enhancements for EPA's grant reporting needs. As of May 2017, the modernization of supported tools and web applications continues. EPA officials also said that extending centralized grant data to other internal systems is improving the continuity of data.
    Director: Gambler, Rebecca S
    Phone: (202) 512-8777

    3 open recommendations
    Recommendation: To strengthen USCIS's EB-5 Program fraud prevention, detection, and mitigation capabilities, and to more accurately and comprehensively assess and report program outcomes and the overall economic benefits of the program, the Director of USCIS should plan and conduct regular future fraud risk assessments of the EB-5 Program.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: The Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) is responsible for administering the Employment-Based Fifth Preference Immigrant Investor Program (EB-5 Program). In 2015, we reviewed the EB-5 program to determine if USCIS assesses fraud and other related risks facing the program. We found that USCIS had collaborated with its interagency partners to assess fraud and national security risks in the program in fiscal years 2012 and 2015 but that these assessments were onetime efforts that did not have documented plans to conduct regular future risk assessments, in accordance with fraud prevention practices, which could help inform efforts to identify and address evolving program risks. To strengthen the program's fraud prevention, detection, and mitigation capabilities, we recommended that USCIS plan and conduct regular future fraud risk assessments. USCIS concurred with the recommendation, stating that it will continue to conduct at least one fraud, national security, or intelligence assessment on an aspect of the program annually. In September 2015, USCIS stated that the Fraud Detection and National Security Directorate unit of its Immigrant Investor Program (IPO) will conduct its next fraud, national security, and intelligence assessment in FY 2016 and one assessment annually thereafter. In an August 2016 update, USCIS stated that it had conducted a national security assessment, the draft of which was under review by management, to be finalized by September 30, 2016. We will continue to monitor USCIS's efforts to ensure that the agency finalizes this assessment and documents plans to conduct future fraud assessments on a regular basis.
    Recommendation: To strengthen USCIS's EB-5 Program fraud prevention, detection, and mitigation capabilities, and to more accurately and comprehensively assess and report program outcomes and the overall economic benefits of the program, the Director of USCIS should develop a strategy to expand information collection, including considering the increased use of interviews at the I-829 phase as well as requiring the additional reporting of information in applicant and petitioner forms.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: In 2015, we evaluated the Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) Employment-Based Fifth Preference Immigrant Investor Program (EB-5 Program) to determine the extent to which the agency had addressed any identified fraud risks in the program. We found that USCIS had identified unique fraud risks in the program and had taken certain steps to address and enhance its fraud risk management efforts, including establishing a dedicated entity to oversee these efforts. However, we found that USCIS's information systems and processes limited its ability to collect and use data on EB-5 Program participants to comprehensively address fraud risks in the program. To strengthen the program's fraud mitigation capabilities, we recommended that USCIS develop a strategy to expand information collection, including considering the increased use of interviews at the application for permanent residency (form I-829) phase as well as requiring the additional reporting of information in applicant and petitioner forms. USCIS concurred with the recommendation, stating that IPO will develop a strategy to enhance and expand information collection, including publishing revised EB-5 application and petition forms, and considering the use of interviews. In a September 2015 update to this recommendation, USCIS stated that it had begun internal discussions for developing a comprehensive strategy to incorporate interviews into various stages of the EB-5 process, including the I-829 phase. In addition, USCIS was implementing a comprehensive approach for revising all EB-5 specific forms (I-526, I-924, and I-924A) to improve program integrity and data collection. USCIS expects the revised forms to be available after December 31, 2015. In an August 2016 update, USCIS stated that it has revised Forms I-924, I-924A, and I-526, and anticipated revising Forms I-924 and I-924A by November 2016 and Form I-829 by March 2017. 
    USCIS also stated that IPO had initiated a new process to allow interview of Form I-829 petitioners by video conference, and planned to develop a comprehensive interview strategy based on the results of initial and future interviews as well as other relevant information. We will continue to monitor USCIS's efforts to develop and implement this more comprehensive EB-5 data collection strategy.
    Recommendation: To strengthen USCIS's EB-5 Program fraud prevention, detection, and mitigation capabilities, and to more accurately and comprehensively assess and report program outcomes and the overall economic benefits of the program, the Director of USCIS should track and report data that immigrant investors report, and the agency verifies on its program forms for total investments and jobs created through the EB-5 Program.

    Agency: Department of Homeland Security: United States Citizenship and Immigration Services
    Status: Open

    Comments: In 2015, we evaluated the Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS)'s capacity to verify job creation and to use a valid and reliable methodology to report the economic benefits of its Employment-Based Fifth Preference Immigrant Investor Program (EB-5 Program). We found that over time USCIS had increased its capacity to verify job creation by increasing the size and expertise of its workforce and by providing clarifying guidance and training, among other actions. However, we found that USCIS's methodology for reporting program outcomes and overall economic benefits of the EB-5 Program was not valid and reliable because it may understate or overstate program benefits in certain instances as it was based on the minimum program requirements of 10 jobs and a $500,000 investment per investor, instead of the number of jobs and investment amounts collected by USCIS on individual EB-5 Program forms. To more accurately and comprehensively assess and report the overall economic benefits of the program, we recommended that USCIS track and report data that immigrant investors report, and the agency verifies on its program forms for total investments and jobs created. USCIS concurred with this recommendation, stating that IPO will develop a plan to collect and aggregate additional data regarding EB-5 investment amounts and job creation, including revising USCIS data systems and processes, as appropriate. In a September 2015 update, USCIS further stated that IPO officials had already met with officials from the USCIS Office of Information Technology (OIT) on August 25, 2015, to discuss EB-5 data requirements, and that IPO is reviewing the fields in the Intranet Computer Linked Application Information Management System (iCLAIMS) database used for maintaining EB-5 and other immigration program data, to define data entry requirements.
    Once that is completed, USCIS stated that IPO will work with OIT to discuss any system changes needed to reliably aggregate data regarding EB-5 program investment amounts and job creation. In an August 2016 update, USCIS stated that through regular meetings with OIT, IPO has identified the assets needed to develop a case management system to meet the complex data needs of the EB-5 program. This system, which will be compatible with USCIS's electronic immigration system, is tentatively projected to be completed in FY 2017. We will continue to monitor USCIS's efforts to develop a system that will enable it to accurately and comprehensively assess and report the overall economic benefits of the program.
    Director: Cristina Chaplain
    Phone: (202) 512-4841

    2 open recommendations
    Recommendation: In order to improve DOD's procurement of SATCOM, to address DOD's fragmented procurement of commercial SATCOM, to better position DOD to identify needs, manage and acquire commercial SATCOM, and to address the incomplete data on commercial SATCOM spending and demand, the Secretary of Defense, in coordination with the Joint Chiefs, U.S. Strategic Command, combatant commands, military services, and DISA, should enforce current policy requiring DISA to acquire all commercial SATCOM for DOD.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has reiterated, but not yet enforced, its policy requiring the Defense Information Systems Agency (DISA) to procure all commercial satellite communications (SATCOM). DOD published Instruction 8420.02, titled DOD Satellite Communications (SATCOM), in September 2016. This instruction prescribes the actions DOD component heads should follow in requesting commercial SATCOM capability through DISA, as required by the 2013 Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6250.01E, "Satellite Communications". It also outlines methods by which DISA can obtain and the DOD Chief Information Officer can analyze data that could inform commercial SATCOM resource usage, allocation, and requirements. While establishing a new policy to emphasize and assign SATCOM procurement responsibilities is a step in the right direction, policy requiring that DISA acquire all commercial SATCOM for DOD already existed at the time of GAO's report. Further, DOD Commercial Satellite Communications (COMSATCOM) users may still be out of compliance with the CJCSI, according to an October 2016 U.S. Strategic Command report on COMSATCOM usage which states that "DoD COMSATCOM users should compete their services through DISA, as outlined in CJCSI 6250.01E, as soon as practicable."
    Recommendation: In order to improve DOD's procurement of SATCOM, to better leverage DOD's buying power and help DOD understand its military and commercial SATCOM spending, and enable DOD to reform its commercial SATCOM acquisition and management processes, the Secretary of Defense, in conjunction with the Air Force and DISA, should complement the pathfinder efforts by conducting an assessment of whether further centralization of military and commercial SATCOM procurement, such as the identification of a single focal point within DOD to decide how to meet the overall demand or a central procurement knowledge focal point, could further save money and improve performance.

    Agency: Department of Defense
    Status: Open

    Comments: Although we reported in 2016 that the Joint Requirements Oversight Council approved a commercial satellite communications "Centralized Management Concept of Operations, which intends to implement a three-phased approach to centralize management of military and commercial wideband SATCOM," we have yet to obtain a copy of the Concept of Operations and assess the extent to which DOD conducted an assessment of whether further centralization of commercial and military procurement of satellite communications would save money and improve performance.
    Director: Dalkin, James R
    Phone: (202) 512-3133

    1 open recommendation
    Recommendation: The U.S. Securities and Exchange Commission should direct the COO and CFO to implement controls, such as periodic reviews of asset dispositions, to help reasonably assure that SEC's procedures for the preparation and maintenance of documentation related to the disposition of assets are consistently implemented and that any deviations from established procedures are documented.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: SEC Officials are still working on corrective actions as of the end of fiscal year 2016. We will follow up on this recommendation during our fiscal year 2017 SEC financial statement audit.
    Director: Gerald L. Dillingham, Ph.D.
    Phone: (202) 512-2834

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To better ensure that cybersecurity threats to NextGen systems are addressed, given the challenges FAA faces in meeting the Office of Management and Budget's (OMB) guidance to implement the latest security controls in the National Institute of Standards and Technology's (NIST) revised guidelines within one year of issuance, the Secretary of Transportation should instruct the FAA Administrator to develop a plan to fund and implement the NIST revisions within OMB's time frames.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: DOT concurred with this recommendation. FAA officials told us the agency is unable to implement all requirements within OMB's one-year time frame based on resource availability to address the number of FAA's FISMA reportable systems and NIST's newly revised requirements. As such, FAA's approach to achieve compliance with the most current NIST security controls (NIST SP 800-53 Revision 4) is to adopt a three-year assessment cycle where at least one-third (1/3) of these controls for all systems are assessed each year over a three-year period. Each system will be fully assessed against all new and modified security controls in the current revision by the end of fiscal year 2017. Systems with weaknesses that could be exploited by adversaries may be at increased risk if relevant controls are not implemented. A three-year assessment cycle may not be adequate to maintain currency with NIST standards as future revisions are released. Therefore, FAA should report to OMB on how its alternative plan for implementing revised NIST standards will be adequate to protect the security of NextGen systems. As of October 2016, FAA is in the final stages of developing a plan to fund and implement the NIST revisions within OMB's time frames. FAA said it plans to implement the recommendation in 2017. The agency will request closure for the recommendation once the plan has been completed.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: Cary Russell
    Phone: (202) 512-5431

    4 open recommendations
    including 2 priority recommendations
    Recommendation: To help improve collection of OCS issues by the military services and service component commands, the Secretary of Defense should revise existing DOD guidance, such as DOD Instruction 3020.41, to specifically detail the roles and responsibilities of the services in collecting OCS issues.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of October 2016, officials from the Office of the Deputy Assistant Secretary of Defense for Program Support reported that the department is in the process of updating DOD Instruction 3020.41, which identifies responsibilities related to operational contract support. Officials stated that the revised instruction, which is expected to be issued in December 2016, will detail the roles and responsibilities of the services in collecting lessons learned on operational contract support issues.
    Recommendation: To specifically identify and improve awareness of OCS roles and responsibilities and to collect OCS issues at the military services and the service component commands, the Secretary of Defense should direct the Secretaries of the Navy and Air Force to include the services' roles and responsibilities to collect OCS issues in comprehensive service-specific guidance on how the Navy, Marine Corps, and Air Force should integrate OCS.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of October 2016, officials from the Office of the Deputy Assistant Secretary of Defense for Program Support reported that the department is in the process of updating DOD Instruction 3020.41, which identifies responsibilities related to operational contract support. Officials stated that the revised instruction, which is expected to be issued in December 2016, will detail the roles and responsibilities of the services in collecting lessons learned on operational contract support issues. Once revisions to the instruction are completed, officials noted that the services will be postured to include this new guidance in their respective regulations and guidance documents. Officials estimate completion of these service-specific regulations and guidance in fiscal year 2017.
    Recommendation: To help improve awareness of OCS roles and responsibilities and to collect OCS issues at the military services and the service component commands, the Secretary of Defense should direct the Secretaries of the military departments, in coordination with the Chairman of the Joint Chiefs of Staff, to establish an OCS training requirement for commanders and senior leaders.

    Agency: Department of Defense
    Status: Open

    Comments: DOD concurred with this recommendation. In May 2016, officials from the Office of the Deputy Assistant Secretary of Defense for Program Support reported current OCS policy (DOD Instruction 3020.41) requires the Services and the Chairman to incorporate OCS into applicable policy, doctrine, programming, training, and operations. Officials stated that the revised instruction, which is expected to be issued in December 2016, will more clearly call out the OCS training requirement for commanders and senior leaders.
    Recommendation: To help improve DOD's management of OCS lessons learned, the Secretary of Defense should ensure that, as the department develops a concept for an OCS joint proponent, it include specific roles and responsibilities for a focal point responsible for integrating OCS issues from the Joint Lessons Learned Program.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with this recommendation. In May 2016, officials from the Office of the Deputy Assistant Secretary of Defense for Program Support reported the department decided against creating a joint proponent for OCS issues. Rather, the course of action chosen was to designate the Joint Staff J4 as the OCS focal point and the Under Secretary of Defense (Acquisition, Technology, and Logistics) as the Principal Staff Advisor. Officials stated that the Joint Staff (J4) will serve as the focal point for integrating OCS issues from the Joint Lessons Learned Program and into DOD processes and procedures. Officials said that this designation will be detailed in DOD Instruction 3020.41, which is expected to be issued in December 2016.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to require MAIS programs to establish their first acquisition program baseline within 2 years of beginning work on the programs.

    Agency: Department of Defense
    Status: Open

    Comments: The Department developed a draft process document that states that business system (e.g., financial management, logistics management) programs should start development on at least one release within 24 months after programs have identified the needed capabilities and received approval to conduct further analysis into the potential delivery of the capabilities. We will follow up with the Department for the final process document and guidance, when available.
    Recommendation: The Secretary of Defense should direct the Secretary of the Army to direct the Army (Financial Management and Comptroller) to complete a plan for conducting auditability testing of LMP Increment 2 functionality to ensure that such testing occurs prior to the LMP program management office deploying future functionality.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, in response to our recommendation, the department developed a plan to conduct system testing on LMP Increment 2 in accordance with the Federal Information System Controls Audit Manual. The officials stated that the department's plan was to conduct this testing both prior to and after the deployment of new functionality to users. We have requested additional information and documentation from DOD regarding these LMP Increment 2 test plans in order to determine whether the testing associated with auditability of the system was to be conducted before deployment to users.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: To improve the reliability and reporting of investment performance information and management of selected major investments, the Commissioner of the IRS should direct the Chief Technology Officer to modify reporting of the Affordable Care Act Administration testing status to senior management to include a comprehensive report on all impacted systems--including an explanation for why impacted systems were not tested at a particular level--and ensure this reporting is aligned with the manner in which testing is being performed.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS disagreed with this recommendation at the time we made it, stating that it followed a rigorous risk-based process for planning the tests of ACA-impacted systems, including the types and levels of testing, and that it had comprehensive reporting for the filing season 2015 release, which included ACA-impacted systems. However, as noted in our report, our review of ACA Testing Review Checkpoint reports and filing season reports, which officials stated were used to provide comprehensive reports to senior managers, did not identify the status of testing for all systems impacted by ACA Releases 5.0 and 6.0. We therefore concluded that the recommendation was still valid. As of July 2017, IRS had not changed its position. We will be following up with the agency to discuss the recommendation.
    Director: Cary B. Russell
    Phone: (202) 512-5431

    5 open recommendations
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to ensure SPOT-ES cost estimates are accurate and comprehensive, the Under Secretary of Defense for Personnel and Readiness should, in coordination with the Under Secretary of Defense for Acquisition, Technology and Logistics direct the system's program office to regularly update its life-cycle cost estimate to include defining and assessing its plans for SPOT-ES.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to help improve timeliness and reliability of data in SPOT-ES, the Secretary of Defense should direct Defense Procurement and Acquisition Policy officials, through the Under Secretary of Defense for Acquisition, Technology and Logistics, to ensure that contracting officers use available mechanisms to track contractor performance of SPOT data entry, such as its Contractor Performance Assessment Reporting System or other appropriate performance systems or databases.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to enhance the value of SPOT-ES data, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness to fully register SPOT-ES data in the DSE to make data visible and trusted, including taking the necessary steps related to authoritative data sources.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to help ensure that DOD possesses the capability to collect and report statutorily required information and to clarify responsibilities and procedures, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics to update SPOT provisions during the process of updating operational contract support guidance.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to provide clarity about expectations for the Joint Asset Movement Management System (JAMMS) that can help improve the timeliness and reliability of data for SPOT-ES from JAMMS uploads, the Secretary of Defense should direct the Chairman of the Joint Chiefs of Staff, in coordination with the combatant commanders, to develop comprehensive guidance regarding the purpose of JAMMS and its role in supporting plans for different types of missions. Such guidance could include direction on the number and location of JAMMS terminals and how frequently JAMMS's data should be uploaded into SPOT-ES to meet DOD's information needs.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To ensure that the federal government's and states' investments in information systems result in outcomes that are effective in supporting efforts to save funds through the prevention and detection of improper payments in the Medicaid program, the Secretary of Health and Human Services should direct the Administrator of CMS to require states to measure quantifiable benefits, such as cost reductions or avoidance, achieved as a result of operating information systems to help prevent and detect improper payments. Such measurement of benefits should reflect a consistent and repeatable approach and should be reported when requesting approval for matching federal funds to support ongoing operation and maintenance of systems that were implemented to support Medicaid program integrity purposes.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In comments on our report, agency officials agreed with this recommendation and provided information on CMS's plans to use a template to track cost savings resulting from state Medicaid offices' use of information systems for program integrity purposes. In April 2017, CMS officials said that they were no longer planning to use the template to gather information from the states, because of the varied approaches that states take to implement systems support for program integrity purposes. The officials stated that they are developing an alternative approach for capturing this information from the states, which will be provided to us when completed. We will continue to monitor CMS's progress toward addressing the recommendation.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    3 open recommendations
    Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to improve reporting of FOIA costs by including salaries, employee benefits, non-personnel direct costs, indirect costs, and costs for other offices.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In responding to our recommendation, DHS said it has developed a spreadsheet that is to be used by its components to track FOIA costs. However, as of September 2017, DHS has not yet provided information containing such details as when its components will be required to use the spreadsheet and if the spreadsheet is to track all the categories of costs discussed in our report. We plan to update the status of this recommendation when DHS provides documentation that further explains, and confirms the department's use of, the spreadsheet.
    Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to direct USCIS and Coast Guard to fully implement the recommended FOIA processing system capabilities and the section 508 requirement.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS issued a memo to all of the department's FOIA officers in March 2015 which focused on ensuring that each component's FOIA processing systems are 508 compliant. However, as of September 2017, DHS has not yet provided us with evidence that the U.S. Citizenship and Immigration Services and the Coast Guard have implemented system capabilities that are 508 compliant. When DHS provides information concerning its actions taken to make the systems compliant, we will update the status of the recommendation.
    Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to determine the viability of re-establishing the service-level agreement between the U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement to eliminate duplication in the processing of immigration files. If the benefits of doing so would exceed the costs, re-establish the agreement.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has stated that it is taking steps to determine if the U.S. Immigration and Customs Enforcement and the U.S. Citizenship and Immigration Services will re-establish the service-level agreement to process FOIA requests related to immigration files. In addition, the department has stated that duplication no longer exists in the processing of these types of requests. However, DHS has not yet provided evidence, such as a cost-benefit analysis, that could demonstrate the steps it is taking regarding the service-level agreement. Further, GAO has not yet received evidence from the department to support its assertion that duplication no longer exists in the processing of immigration files. We will update the status of this recommendation when DHS provides documentation.
    Director: Randall B. Williamson
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To ensure that the Family Caregiver Program is able to meet caregivers' demand for its services, the Secretary of the Department of Veterans Affairs should expedite the process for identifying and implementing an IT system that fully supports the program and will enable VHA program officials to comprehensively monitor the program's workload, including data on the status of applications, appeals, home visits, and the use of other support services, such as respite care.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and stated that its efforts to develop and implement a new IT system have two key steps. First, VA will enhance and stabilize the existing Caregiver Action Tracker IT system. Second, a replacement IT system with new features and capabilities will be implemented by the end of FY 2017. However, in January 2017, VA reported that the short-term stabilization effort for the current IT system continues to experience multiple challenges resulting in significant schedule delays. Furthermore, the replacement IT system--which is partially dependent on the success of the current stabilization effort--has experienced project barriers of its own, and lacks the funding needed for a contract extension to complete the work. According to VA, the successful implementation of the replacement IT system is at significant risk.
    Recommendation: The Secretary of the Department of Veterans Affairs should direct the Undersecretary for Health to use data from the IT system, once implemented, as well as other relevant data to formally reassess how key aspects of the program are structured and to identify and implement modifications as needed to ensure that the program is functioning as envisioned so that caregivers can receive the services they need in a timely manner.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with this recommendation; however, in January 2017, VA reported that barriers continue to place the replacement IT system at significant risk as stated in Recommendation 1. In advance of the electronic solution, VA has developed manual processes to obtain and monitor key data points, allowing it to reassess policies and procedures for the Program of Comprehensive Assistance for Family Caregivers. In its June 2015 update, VA stated that the Caregiver Support Program had started collaborating with VA's Health Services Research and Development to establish a Partnered Evaluation Center (PEC). The PEC is assessing the impact of all caregiver support services in order to evaluate their effectiveness and impact on the health and well-being of veterans and caregivers. In January 2017, VA reported that the PEC's initial work had concluded and key findings had been identified.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    16 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Energy
    Status: Open

    Comments: DOE concurred with the recommendation. However, DOE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when DOE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation and is planning to develop, document, and implement oversight procedures for each contractor-operated, contractor-owned system. However, STATE has not yet provided sufficient evidence that it has implemented the recommendation. We plan to validate the department's actions when STATE informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has satisfactorily implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency: Department of Transportation
    Status: Open

    Comments: In written comments on a draft of this report, the department agreed to consider our recommendations. We continue to believe that the department needs to develop, document, and implement oversight procedures for each contractor-operated system. DOT has not yet provided sufficient evidence that it has taken these actions. We plan to validate the department's actions when DOT informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: EPA concurred with our recommendation. However, EPA has not yet provided evidence that it has implemented the recommendation. We plan to validate the department's actions when EPA informs us that it has implemented the recommendation.
    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: OPM concurred with our recommendation. However, as of April 2017, OPM had not implemented the recommendation to develop, document and implement oversight procedures to ensure that a system test is fully executed for each contractor-operated system. We will monitor OPM's efforts and validate OPM actions when evidence discloses that the recommendation has been implemented.
    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We requested comments on a draft of this report from the Office of Management and Budget, but none were provided. In June 2017, OMB stated that its and DHS's annual reporting requirements now contain an expanded list of criteria for contractor-operated systems, including definitions in related guidance from the National Institute of Standards and Technology. However, although the reporting requirements call for agencies to report on their total number of contractor-operated systems, neither the requirements nor related guidance clarifies which agency systems that have contractor relationships should be categorized as contractor-operated. The lack of clear instructions may continue to result in incomplete information regarding the number of contractor-operated systems within the government.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To improve the consistency and effectiveness of government-wide implementation of information security programs and privacy requirements at small agencies, the Director of OMB should include in the annual report to Congress on agencies' implementation of the Federal Information Security Management Act (FISMA): a list of agencies that did not report on implementation of their information security programs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Jacqueline M. Nowicki
    Phone: (617) 788-0580

    3 open recommendations
    Recommendation: In order to improve grantees' planning and implementation efforts, increase the effectiveness of grantee efforts to integrate and manage resources, and learn more about the program's impact, the Secretary of Education should clarify program guidance about planning and implementation grants to provide reasonable assurance that planning grantees are better prepared to continue their efforts in the absence of implementation funding. Additional guidance could include encouraging grantees to set aside a small amount of the grant to identify and deliver early, tangible benefits to their neighborhoods.

    Agency: Department of Education
    Status: Open

    Comments: Education stated that it would communicate to planning grant applicants that implementation funding is contingent on the availability of funds and that it would clarify to grantees that planning grant funds could be used to achieve early, tangible benefits. However, Education has not awarded any new planning grants since 2012. In FY17, ED reported that if new funding becomes available for the Promise Neighborhoods' planning and implementation awards, the Department will emphasize to all interested applicants that grant awards are contingent on the availability of funds and the results of the competitive award process. Education also stated that it would provide more targeted technical assistance to planning grant recipients regarding strategies for continuing grantees' efforts absent implementation funding. In 2015, its technical assistance provider published information on planning for growth and sustainability of Promise Neighborhoods.
    Recommendation: In order to improve grantees' planning and implementation efforts, increase the effectiveness of grantee efforts to integrate and manage resources, and learn more about the program's impact, the Secretary of Education should develop and disseminate to grantees on an ongoing basis an inventory of federal programs and resources that can contribute to the Promise Neighborhoods program's goal to better support coordination across agency lines.

    Agency: Department of Education
    Status: Open

    Comments: Education stated that it would work with its technical assistance providers to create a mechanism to distribute a comprehensive list of external funding opportunities, programs and resources on a regular basis to better support the grantees' implementation efforts. In FY15, ED reported that the program office held a grantee meeting in July 2015 featuring at least three workshops on sustainability and leveraging additional funding sources. The program office also had a website (promiseneighborhoods.ed.gov) with a number of resources under the "toolbox" tab that can assist interested programs in financing their ongoing needs. While the workshops and web resources were good first steps that can assist grantees, GAO maintains that Education, rather than individual grantees, is best positioned to develop and share such an inventory of federal programs that relate to the goals of the Promise Neighborhoods program. Without such an inventory, Education may be missing opportunities to better support grantees; find other federal programs for future coordination efforts; and identify potential fragmentation, overlap and duplication at the federal level. In FY17, Education did not provide any updates on this recommendation, nor has it provided such an inventory.
    Recommendation: In order to improve grantees' planning and implementation efforts, increase the effectiveness of grantee efforts to integrate and manage resources, and learn more about the program's impact, the Secretary of Education should develop a plan to use the data collected from grantees to conduct a national evaluation of the program.

    Agency: Department of Education
    Status: Open

    Comments: Education stated that it would consider options for how and whether it can use the data collected from grantees to conduct a national evaluation. As a first step, Education said it would conduct a systematic evaluation of the reliability and validity of the data. In its 2016 Notice of Funding Availability for Implementation Grants, Education acknowledged that grantees have struggled to collect the full range of data necessary to conduct meaningful evaluation activities and emphasized the importance of helping grantees develop robust data systems. In addition, in its agency comments, Education had stated that it had not received sufficient funding to support a national evaluation. In FY2017, ED provided documentation of its request for funding for conducting an evaluation and the response to the request. However, the entity within ED that is responsible for impact evaluations maintains that it has no plans to conduct an impact evaluation, given that grantees were not randomly selected. GAO agrees that the program was not designed for impact evaluation; however, as we reported, there are other options for evaluating such programs that can provide meaningful information about how well grantees are addressing the problem of poor student outcomes in impoverished neighborhoods. Not evaluating the program limits Education and other agencies from learning about the extent to which the model is effective and should be replicated. Developing an evaluation plan would provide critical information about the resources required to conduct an evaluation, and could better inform future funding requests for such an evaluation.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: To improve the reliability of reported cost and schedule variance information for major investments, the Commissioner of IRS should direct the Chief Technology Officer to ensure that projected cost and schedule variances for in-process activities are updated monthly, for the six investments for which we reviewed monthly updates, consistent with OMB and Treasury reporting requirements, by ensuring investment staff have a consistent understanding of the information to be included in monthly reports.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: To address this recommendation, in October 2014, IRS provided training to its project staff, which focused on, among other things, the monthly update of investment performance information. In addition, in fiscal year 2016, IRS began using a tool to track performance information, including progress in meeting cost and schedule goals for ongoing investments, for two investments in development. IRS is now expanding the use of this tool to other investments. As of November 2017, we were reviewing the implementation of the tool as part of an ongoing review of IRS's information technology operations. We will determine whether IRS's implementation of the tool fully addresses this recommendation.
    Director: Zina D. Merritt
    Phone: (202) 512-5257

    1 open recommendation
    Recommendation: To improve the efficiency of data exchanges between LMP and other service ammunition systems, the Secretary of Defense, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should direct the Secretary of the Navy to (1) take steps to incorporate Defense Logistics Management Standards (DLMS) into the Ordnance Information System and (2) direct the Commandant of the Marine Corps to take similar steps with regard to the Ordnance Information System-Marine Corps.

    Agency: Department of Defense
    Status: Open

    Comments: The Navy and Marine Corps have taken steps to incorporate Defense Logistics Management Standards into their ammunition information systems -- Ordnance Information System and Ordnance Information System-Marine Corps, respectively. The Navy has provided some documentation, and the Marine Corps has stated that it would provide documentation in the near future as well.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    1 open recommendation
    Recommendation: To better ensure that the Defense Agencies Initiative (DAI) implements effective risk management and information technology (IT) acquisition best practices, the Secretary of Defense should direct the Director of the Defense Logistics Agency to direct the DAI program office to establish a comprehensive risk log that includes all up-to-date risks with evaluations and categorizations that comply with DLA's defined parameters; and associated mitigation plans.

    Agency: Department of Defense
    Status: Open

    Comments: The Defense Logistics Agency established a risk log for DAI that includes risk evaluations and categorizations, and associated mitigation plans. We will continue monitoring the program's implementation of this recommendation to ensure that the agency is periodically reviewing the status of each risk and updating DAI's risk log and mitigation plans, as intended by the recommendation.
    Director: Zina Merritt
    Phone: (202) 512-5257

    1 open recommendation
    Recommendation: To provide greater assurance of the accuracy of manpower requirements reports produced by AWPS for use at Army industrial sites, the Secretary of the Army should direct AMC--with assistance as needed from USAMAA--to submit AWPS to USAMAA for review and validation as a manpower requirements determination tool, in accordance with Army regulations.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: In commenting on the final report, the Army concurred and stated that AWPS was developed to address deficiencies in the Army's manpower requirements determination process by capturing and using the actual hours of the work performed in previous periods to project future requirements. The Army also stated that an integrated AWPS/LMP solution may result in a different manpower predictive tool that must be validated through USAMAA, and that it is important the Army focus on developing a business case analysis to include AWPS functionality into the Army's enterprise resource planning systems. In December 2014, the Under Secretary of the Army directed the Commanding General, AMC, to complete the overlap assessment between AWPS and LMP and to submit the approved manpower requirements determination approach to USAMAA for validation. In November 2015, the Army reported that AMC will not submit AWPS to USAMAA for review and validation because additional funding would be needed to modify AWPS to meet USAMAA requirements for a manpower requirements determination tool, and AMC decided not to make those modifications. Furthermore, the Army also reported that, based on its overlap assessment of AWPS and LMP, it plans to integrate AWPS functionality into LMP. Specifically, the Army plans to migrate all AWPS functions related to the collection and reporting of manpower resources executed in support of approved work at the AMC industrial base sites. As of March 2017, Army officials confirmed that the Army will not submit AWPS to USAMAA for review and validation, and that preparations for integrating AWPS functionality into LMP are ongoing.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    17 open recommendations
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should revise guidance on computer matching to clarify whether front-end verification queries are covered by the Computer Matching Act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should direct agencies to address all key elements when preparing cost-benefit analyses.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should ensure that agencies receive assistance in implementing computer matching programs as envisioned by the act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB performs annual reviews and submits annual reports on the agency's computer matching activities, as required by the act.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Education should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education stated that it has already developed policies and procedures for preparing cost-benefit analyses related to computer matching agreements (CMA). The agency believes these analyses already incorporate the appropriate key elements, although it continues to reexamine them in the interest of continuous improvement. ED also noted that not all key elements apply to every computer matching program. For example, the agency did not think it appropriate to address the recovery of improper payments and debts for matching programs to establish eligibility. However, we believe all key elements should be addressed in cost benefit analyses, even if only to note that certain types of benefits have been considered and determined not to be applicable in the specific circumstances of a given computer matching program. Without a thorough assessment, the Data Integrity Board may not have sufficient information to determine whether a thorough cost analysis has been conducted. In 2017, the agency provided three cost benefit analyses from recent CMAs that include personnel and computer costs.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information needed to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Veterans Affairs should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Administrator of Social Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Social Security Administration
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    8 open recommendations
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Defense
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the department stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Bertoni, Daniel
    Phone: (202) 512-7215

    2 open recommendations
    Recommendation: In order to enhance the accuracy of and ensure appropriate agency access to SSA's death data, and to clarify how SSA applies the eligibility requirements of the Social Security Act and enhance agencies' awareness of how to obtain access, the Social Security Administration's Acting Commissioner should direct the Deputy Commissioner of Operations to develop and publicize guidance it will use to determine whether agencies are eligible to receive SSA's full death file.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) disagreed with this recommendation, stating that each request to obtain the full death file is unique, and that officials must review them on a case-by-case basis to ensure compliance with various legal requirements. It also expressed concern that developing this guidance as we recommended would require agency expenditures unrelated to its mission in an already fiscally constrained environment. SSA noted that any federal agency that would like to explore accessing the full death master file (which includes state death records) should submit a request to SSA. SSA will review the file and, if satisfactory, enter into an Information Exchange Agreement covering terms, conditions and reimbursement for the exchange. As of April 2017, SSA reports that it is continuing its efforts and there is no change in status. GAO appreciates that agencies may base their request for the full death file on different intended uses, and supports SSA's efforts to ensure compliance with all applicable legal requirements. However, developing such guidance could help to ensure consistency in SSA's future decision making by the new Office of Data Exchange, and enhance agencies' ability to obtain the data in a timely and efficient manner.
    Recommendation: In order to enhance the accuracy of and ensure appropriate agency access to SSA's death data, and to increase transparency among recipient agencies, the Social Security Administration's Acting Commissioner should direct the Deputy Commissioner of Operations to share a more detailed explanation of how it determines reimbursement amounts for providing agencies with death information.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) reported that it has implemented improvements in its estimating procedures for future reimbursable agreements to ensure consistent estimates for all customers. It reviews all reimbursable requests on a case-by-case basis to determine full costs (including direct and indirect expenses) to provide goods, resources, or services. However, the agency stated that it is not a typical government business practice to share these detailed costs for reimbursable agreements. As of April 2017, SSA reports that it is continuing its efforts and there is no change in status. We are encouraged that SSA has made efforts to standardize the estimates it shares with its federal partners. While we recognize that there may be limitations on the type of cost details SSA can provide to recipient agencies, we continue to believe that more transparency in conveying the factors that lead to the estimated and final reimbursement amounts recipient agencies are charged could help them make more informed decisions.
    Director: Clark, Cheryl E
    Phone: (202) 512-9377

    3 open recommendations
    Recommendation: The Commission should direct the appropriate officials to establish and implement written policies and procedures requiring timely and continuous supervisory review of all financial transactions.

    Agency: American Battle Monuments Commission
    Status: Open

    Comments: In the Commission's fiscal year 2016 Independent Auditor's Report, the auditor reported that the Commission resolved the material weakness related to not effectively reviewing financial transactions to ensure that they were accurate, valid, complete, and recorded in the appropriate accounting period. We contacted the agency to ask for further information on the policy and process for supervisory review of financial transactions, but no response was received within the established deadline for us to conduct our follow up. Therefore, because we were not able to verify that related policies and procedures were established and implemented, we will follow up on this open recommendation at a later date.
    Recommendation: To improve its monitoring of internal control, the Commission should direct the appropriate officials to establish and implement written policies and procedures for planning and conducting the Commission's annual assessment of internal control over financial reporting as required by OMB A-123. The policies and procedures should include: (1) documenting an understanding of its internal control environment, which entails such elements as the tone at the top, ethical standards, and personnel management, which can have a significant effect on how the organization functions and the integrity of its financial accounting and reporting; (2) documenting its assessment of the risk of material misstatement to its financial statements; (3) establishing and documenting its internal control objectives and related internal control activities in place to meet those objectives; (4) documenting the tests to be performed and the results of each test, clearly identifying exceptions and resulting deficiencies; and (5) establishing a corrective action plan for all identified deficiencies that specifies how and when each deficiency will be corrected, and assigning responsibility for its effective and timely resolution.

    Agency: American Battle Monuments Commission
    Status: Open

    Comments: In the Commission's fiscal year 2016 Independent Auditor's Report, the auditor continued to report that the Commission did not have an adequate process for monitoring the design and operating effectiveness of its internal control to identify, evaluate, and correct internal control deficiencies. For example, the Commission did not document its OMB A-123 approach for assessing its internal control, or provide sufficient, appropriate evidence to support its conclusions on the effectiveness of its internal control activities. The Commission responded that it will continue to implement an enterprise-wide system of controls and monitor and report on those controls in compliance with FMFIA. During fiscal year 2017, the Commission informed us that they issued a related policy; however, their independent auditor continues to identify this area as a material weakness. Therefore, we will follow up on this open recommendation at a later date.
    Recommendation: To improve its monitoring of internal control, the Commission should direct the appropriate officials to establish and implement written policies and procedures for monitoring the activities of the external service organizations that perform significant aspects of the Commission's financial transaction processing and reporting, including implementing relevant complementary user entity controls identified by the service auditors.

    Agency: American Battle Monuments Commission
    Status: Open

    Comments: In the Commission's fiscal year 2015 Independent Auditor's Report, the auditor continued to report that the Commission did not adequately document and monitor the effectiveness of internal controls at the service organizations that performed significant aspects of its financial transaction processing and reporting, including processing its federal employee payroll transactions, reconciling its fund balance with Treasury, and preparing its annual financial statements. Specifically, ABMC did not evaluate the service organizations' service auditor reports that contained information on the service organizations' controls and the effectiveness of those controls, and did not consider the impact of the findings and conclusions contained in the service auditor reports on the effectiveness of its internal control. Further, ABMC did not design and implement appropriate complementary user entity controls that were identified by the service auditors. The Commission stated that it will continue to implement an enterprise-wide system of controls and monitor and report on those controls in compliance with FMFIA during fiscal year 2017. Therefore, we will follow up on this open recommendation at a later date.
    Director: Khan, Asif A
    Phone: (202) 512-9869

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to design and implement department-level policies and detailed procedures for FIAR Plan risk management that incorporate the five guiding principles for effective risk management. The following are examples of key features of each of the guiding principles that DOD should, at a minimum, address in its policies and procedures. (1) Identify risks. Generate a comprehensive and continuously updated list of risks that includes the root cause of each risk, audit area(s) each risk will affect, and the potential consequences if a risk is not effectively mitigated. (2) Analyze risks. Consult with key stakeholders, including program managers; use analytical techniques, such as risk categorization, risk urgency assessment, or sensitivity analysis; and determine the impact of the identified risks on individual DOD components' abilities to achieve audit readiness. (3) Plan for risk mitigation. Assign responsibility or ownership of the risk mitigation actions, define roles and responsibilities in executing mitigation plans, establish deadlines or milestones for individual mitigation actions, and estimate resource needs. (4) Implement risk mitigation plan. Document the implementation of mitigation actions, develop appropriate metrics that allow for tracking of progress, and validate reported metrics. (5) Monitor risks. Track identified risks and assess the effectiveness of implemented mitigation actions on a continuous basis, including identifying and planning for new risks.

    Agency: Department of Defense
    Status: Open

    Comments: DOD partially concurred with our recommendation. While DOD did concur with our assessment that they did not have a risk management policy and procedures related to implementing the FIAR guidance, they did not concur with our assessment of the overall environment of DOD's risk management of the FIAR initiative. DOD has taken steps to address our recommendation including implementing an NFR tracker and standard operating procedures designed to track DOD component material weaknesses. DOD has also documented a critical path and milestones in Appendix F of their FIAR Guidance; military component tasks and milestones in Appendix G of the FIAR Guidance; and audit readiness deal breakers, now referred to as critical capabilities. However, while these are positive actions, they do not address our recommendation for DOD to implement risk management policies and procedures for FIAR implementation. Further, DOD has not provided GAO with evidence of planned actions it summarized in its agency comments. Specifically, DOD has not provided documentation related to (1) improving risk management documentation, (2) reinstating the DOD probability and impact matrix, and (3) re-evaluation of metrics to monitor progress and risk of audit readiness. Lastly, DOD's tracking of military component material weaknesses does not identify risks to audit readiness, or the agencies' capabilities to manage risks to audit readiness. According to the May 2017 FIAR Status Update for the HASC Panel Recommendations, DOD has reinforced the importance of internal controls over areas of significant risk by updating the FIAR Guidance with a new chapter dedicated to internal controls. DOD has also changed how they respond to recommendation follow-up by way of the Washington Headquarters Service (WHS). We are currently waiting for a POC to be assigned. We will continue to evaluate the status of actions to address this recommendation.
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to consider and incorporate, as appropriate, the Navy's and DLA's risk management practices in department-level policies and procedures.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has changed how they respond to recommendation follow-up by way of the Washington Headquarters Service (WHS). We are currently waiting for a POC to be assigned. We will continue to evaluate the status of actions to address this recommendation.
    Director: Czerwinski, Stanley J
    Phone: (202) 512-6806

    3 open recommendations
    including 3 priority recommendations
    Recommendation: The Director of OMB should, in collaboration with the members of COFAR, develop and make publicly available an implementation schedule that includes performance targets, goal leaders who can be held accountable for each goal, and mechanisms to monitor, evaluate, and report on results.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: In January 2017, GAO reported that although COFAR had released its updated priorities for Fiscal Years 2016 through 2017, it had not released to the public an implementation schedule that included key elements such as performance targets, mechanisms to monitor, evaluate, and report on progress made toward its stated priorities. For this reason, this recommendation remains open.
    Recommendation: The Director of OMB should, in collaboration with the members of COFAR, clarify the roles and responsibilities for various streamlining initiatives and steps for decision making, in particular how COFAR will engage with relevant grant-making agency stakeholders and utilize agency resources.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: In January 2017, GAO reported that although COFAR had released its updated priorities for Fiscal Years 2016 through 2017, the document did not provide clarification on roles and responsibilities for its members. For this reason, this recommendation remains open.
    Recommendation: The Director of OMB should, in collaboration with the members of COFAR, improve efforts to develop an effective two-way communication strategy that includes the grant recipient community, smaller grantmaking agencies that are not members of COFAR, and other entities involved with grants management policy.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: In January 2017, GAO reported that although COFAR had released its updated priorities for Fiscal Years 2016 through 2017, the document did not provide a detailed communication strategy for the grant recipient community. For this reason, this recommendation remains open.
    Director: Gomez, Jose A
    Phone: (202) 512-3841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To ensure that EPA maximizes its limited resources and addresses the statutory, regulatory, and programmatic needs of EPA program offices and regions when IRIS toxicity assessments are not available, and once demand for the IRIS Program is determined, the EPA Administrator should direct the Deputy Administrator, in coordination with EPA's Science Advisor, to develop an agencywide strategy to address the unmet needs of EPA program offices and regions that includes, at a minimum: (1) coordination across EPA offices and with other federal research agencies to help identify and fill data gaps that preclude the agency from conducting IRIS toxicity assessments, and (2) guidance that describes alternative sources of toxicity information and when it would be appropriate to use them when IRIS values are not available, applicable, or current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of August 2017, EPA's Integrated Risk Information System (IRIS) Program officials stated that IRIS assessments that support policy and regulatory decisions for EPA's programs and regions, and state agencies, are being consolidated into a new portfolio to optimize the application of best available science and technology. According to IRIS Program officials, the new portfolio is being shaped for use by many EPA program and regional offices, states, and other federal agencies. IRIS Program officials told us that they expect these changes to significantly increase the number of completed assessments. GAO will update this recommendation after receiving documentation that elaborates on the new portfolio, or other efforts, that strengthen coordination across EPA offices and with other federal research agencies to help identify and fill data gaps, and describe alternative sources of information, consistent with the intent of the original recommendation.
    Director: Powner, David A
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To improve the reliability of reported cost and schedule variance information for the seven major investments we reviewed, the Acting Commissioner of IRS should direct the Chief Technology Officer to improve the reliability of cost estimates by addressing the weaknesses we identified in this report so that each investment at least substantially meets each of the characteristics of a reliable cost estimate.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We followed up on the status of IRS's actions to address this recommendation for the Customer Account Data Engine (CADE) 2, the Return Review Program (RRP), and IRS.gov, the three investments with significant planned expenditures for development in fiscal year 2017, according to data reported on the Federal IT dashboard (the remaining four investments in our 2013 review are primarily in operations and maintenance based on the same IT dashboard data). We selected CADE 2, RRP, and IRS.gov because they would benefit most from improvements to cost estimates given their life cycle stage. In the summer of 2017, IRS provided documentation to demonstrate actions taken to address the weaknesses we had identified with the CADE 2 and RRP cost estimates. We are currently analyzing this information. For IRS.gov, IRS told us the investment had been in operations and maintenance for several years and was therefore not producing the cost documentation that is typically associated with development efforts. We requested documentation supporting this claim and as of September 2017 were waiting to receive it.
    Recommendation: To improve the reliability of reported cost and schedule variance information for the seven major investments we reviewed, the Acting Commissioner of IRS should direct the Chief Technology Officer to improve the extent to which schedules are well-constructed and controlled by addressing the weaknesses we identified in this report so that each investment at least substantially meets each of these characteristics.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We followed up on the status of IRS's actions to address this recommendation for the Customer Account Data Engine (CADE) 2, the Return Review Program (RRP), and IRS.gov, the three investments with significant expenditures planned for development in fiscal year 2017, according to data reported on the Federal IT dashboard (the remaining four investments in our 2013 review are primarily in operations and maintenance based on the same IT dashboard data). We selected CADE 2, RRP, and IRS.gov because they would benefit most from improvements to schedule estimates given their life cycle stage. In the summer of 2017, IRS provided documentation to demonstrate actions taken to address the weaknesses we had identified with the CADE 2 and RRP schedule estimates. We are currently analyzing this documentation. For IRS.gov, IRS told us the investment had been in operations and maintenance for several years and was therefore not producing the schedule estimates that are typically associated with development efforts. We requested documentation supporting this claim and as of September 2017 were waiting to receive it.
    Recommendation: To improve the reliability of reported cost and schedule variance information for the seven major investments we reviewed, the Acting Commissioner of IRS should direct the Chief Technology Officer to develop and implement guidance that specifies best practices--such as including evaluating critical path (for projected schedule), using earned value management data, evaluating the performance of completed work and comparing it to the remaining budget, assessing commitment values for material needed to complete remaining work, and estimating future conditions--to consider when determining projected cost and schedule amounts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In June 2016, we reported on IRS's development and implementation of its Investment Performance Tool for tracking cost, schedule and scope metrics for its IT investments. At the time, IRS was using the tool for two investments. As of September 2017, we were reviewing the agency's use of the tool as part of an ongoing review. We plan to further examine the use of the tool and the supporting guidance to determine the extent to which they address this recommendation.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    3 open recommendations
    including 2 priority recommendations
    Recommendation: To promote coordination as a practice to help avoid overlap, the Secretary of Homeland Security, the Attorney General, and the Director of ONDCP should work through the Information Sharing and Access Interagency Policy Committee (ISA IPC) or otherwise collaborate to develop a mechanism, such as performance metrics related to coordination, that will allow them to hold field-based information-sharing entities accountable for coordinating with each other and monitor and evaluate the coordination results achieved.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: The Department of Justice (DOJ), in coordination with the Department of Homeland Security (DHS) and the Office of National Drug Control Policy (ONDCP), has made progress toward addressing GAO's April 2013 recommendation but has not included all of the relevant field-based information sharing entities in its efforts. Through their involvement in an interagency policy committee within the Executive Office of the President, DHS, DOJ, and ONDCP have developed a mechanism to hold state and urban area fusion centers, Regional Information Sharing System (RISS) centers, and High Intensity Drug Trafficking Area (HIDTA) Investigative Support Centers accountable for coordinating their analytical and investigative activities. However, the agencies have not fully addressed the action because DOJ's Federal Bureau of Investigation's (FBI) Joint Terrorism Task Forces (JTTF) and Field Intelligence Groups (FIG), two of the five field-based entities included in GAO's April 2013 report, have not participated in the assessment on which the mechanism is based. In December 2015, DHS developed a field-based partners report in which DHS, DOJ and ONDCP reported data for state and urban area fusion centers, RISS centers, and HIDTA Investigative Support Centers. These data were focused on field-based collaboration, including governance, colocation, and other information sharing, analytic, and deconfliction-focused topics. However, the report did not include data for DOJ's JTTFs or FIGs. DOJ has noted that JTTFs and FIGs are different from the other entities because JTTFs are operational law enforcement investigative entities and FIGs provide intelligence support to FBI Field Offices. However, GAO's April 2013 report identified areas in which the missions and activities of JTTFs and FIGs overlapped with those of the other entities and that coordination with other field based entities was important to prevent unnecessary overlap and potential duplication. 
    Considering the exclusion of two of the five entities, the agencies do not have a collective mechanism that can hold FIGs and JTTFs accountable for coordinating with the other field-based information sharing entities and allow the agencies to monitor progress and evaluate results across entities. Such a mechanism can help entities maintain effective relationships when new leadership is assigned and avoid unnecessary overlap in activities, which in turn can help entities to leverage scarce resources. As of March 2017, DOJ had provided no new updates. GAO will continue to monitor DOJ's progress in this area.
    Recommendation: To help identify where agencies and the field-based entities they support could apply coordination mechanisms to enhance information sharing and reduce inefficiencies resulting from overlap, the Secretary of Homeland Security, the Attorney General, and the Director of ONDCP should work through the ISA IPC or otherwise collaborate to identify characteristics of entities and assess specific geographic areas in which practices that could enhance coordination and reduce unnecessary overlap, such as cross-entity participation on governance boards and colocation of entities, could be further applied. The results of this assessment could be used by the agencies to provide recommendations or guidance to the entities to create coordinated governance boards or colocate entities, which can result in increased efficiencies through shared facilities and resources and reduced overlap through coordinated or collaborative products, activities, and services.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: The Department of Justice (DOJ), in coordination with the Department of Homeland Security (DHS) and the Office of National Drug Control Policy (ONDCP), has made progress toward addressing GAO's April 2013 recommendation but has not included all of the relevant field-based information sharing entities in its efforts. The three agencies have taken the necessary steps to assess the extent to which practices that can enhance coordination are being implemented at state and urban area fusion centers, Regional Information Sharing System (RISS) centers, and High Intensity Drug Trafficking Area (HIDTA) Investigative Support Centers through their involvement in an interagency policy committee within the Executive Office of the President. However, the assessment did not include DOJ's Federal Bureau of Investigation's (FBI) Joint Terrorism Task Forces (JTTF) or Field Intelligence Groups (FIG), two of the five field-based entities included in GAO's April 2013 report. In December 2015, DHS, DOJ, and ONDCP developed a field-based partners report in which DOJ and ONDCP collected and reported data elements for RISS centers and HIDTA Investigative Support Centers similar to those DHS uses in its annual fusion center assessment. These data were focused on field-based collaboration, including governance, colocation, and other information sharing, analytic, and deconfliction-focused topics. However, the report did not include data for DOJ's FBI JTTFs or FIGs. A collaborative assessment of where practices that enhance coordination can be applied to reduce overlap, collaborate, and leverage resources for all five field-based information-sharing entities would allow the agencies to provide recommendations or guidance to the entities on implementing these practices. As of March 2017, DOJ had provided no new updates. GAO will continue to monitor DOJ's progress in this area.
    Recommendation: To help ensure that an assessment of practices that could enhance coordination and reduce unnecessary overlap is shared and used to further enhance collaboration and efficiencies across agencies, the Program Manager, with input from the ISA IPC collaborating agencies, should report in the Information Sharing Environment (ISE) annual report to Congress the results of the assessment, including any additional coordination practices identified, efficiencies realized, or actions planned.

    Agency: Office of the Director of National Intelligence: Office of the Program Manager--Information Sharing Environment
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. Status last updated August 31, 2017.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To better ensure that GCSS-Army implements effective risk management and project monitoring and control practices, the Secretary of Defense should direct the Secretary of the Army to direct the GCSS-Army program office to specify the roles and responsibilities of the IV&V agent to ensure that it acts as a third party that validates and verifies the risks and mitigation plans developed by the program office and system integrator.

    Agency: Department of Defense
    Status: Open

    Comments: According to officials from Army's Program Executive Office Enterprise Information Systems in July 2017, the Army is working to draft an updated independent verification and validation policy in response to our recommendation. These officials expected the policy to be signed by the Program Executive Officer later this summer. We will continue to follow up with the Army regarding this draft policy and the implementation of this recommendation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update policies and procedures to ensure that they address (1) both methods available for granting all users access to mainframe resources, (2) audit and monitoring of access from one processing environment to another, (3) use of appropriate accounts by multiple databases on a single server, (4) data storage shared between systems, (5) out-of-date security standards, and (6) reconciliation of access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update mainframe test and evaluation processes to improve periodic monitoring of compliance with IRS policies.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: The Commissioner of the Internal Revenue Service should direct the appropriate IRS officials to update the Internal Revenue Manual (IRM) to specify steps to be followed to prevent campus support clerks as well as any other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During fiscal year 2012, IRS updated the IRM to require managers to verify that all campus support employees who process payments through the electronic check presentment system have the appropriate command code restriction in their IDRS profiles to prevent them from making adjustments to taxpayer accounts. However, during our subsequent audits we found that in updating the IRM, IRS did not undertake a global review of the level of access provided to all employee groups who handle hard-copy taxpayer receipts and related sensitive information to ensure that their levels of IDRS access were appropriate. As a result, in May 2016, IRS reassessed the risks at its TACs, including the specific risks and mitigating factors associated with allowing TAC employees to process taxpayer remittances through the electronic check presentment system and to adjust taxpayer accounts. However, IRS did not update the IRM to reflect the conclusions from the risk assessment related to TAC employees needing access to certain sensitive command codes as part of their normal job duties. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Bertoni, Daniel
    Phone: (202) 512-7215

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To help ensure that SSA's disability decisions are as equitable and consistent with modern views of disability as possible, the Commissioner of Social Security should conduct limited and focused studies on the availability and effects of considering more fully assistive devices and workplace accommodations in its disability determinations.

    Agency: Social Security Administration
    Status: Open
    Priority recommendation

    Comments: On September 30, 2015, a committee convened by the Health and Medicine Division (HMD) of the National Academies of Sciences, Engineering, and Medicine initiated a study on assistive technology and workplace accommodations. As of April 2017, SSA reported that the committee held public sessions on May 16, 2016, July 18, 2016, and September 27, 2016, at which several experts presented on relevant topics. The committee will use the information from these presentations along with their own research and literature to review and provide findings and conclusions for their final report, which is expected by July 31, 2017. In April 2017, SSA also indicated it has collected additional information on consideration of reasonable accommodations through the Idea Scale system--a crowdsourcing technology. Depending on the results of the HMD study, SSA may potentially collect additional information on work accommodations through the Bureau of Labor Statistics' OIS project. We will continue to monitor the status and results of the HMD analysis and SSA's actions based on the committee's results and recommendations.
    Director: Merritt, Zina Dache
    Phone: (202) 512-5257

    4 open recommendations
    Recommendation: To complete its implementation and management framework for IUID by incorporating key elements of a comprehensive management approach, such as a complete analysis of the return on investment, quantitatively-defined goals, and metrics for measuring progress, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to update the IUID task force report's estimates of costs and benefits by incorporating key elements of a sound investment analysis including a more complete estimate of all associated costs, an appropriate methodology for estimating benefits, and a sensitivity analysis of these estimates.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD claims that this recommendation should be closed. When we receive documentation, we will update this recommendation accordingly.
    Recommendation: To enable DOD to successfully share UII data enterprisewide and integrate IUID functionality with its Enterprise Resource Planning systems, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to coordinate with the military services and the Defense Logistics Agency to define the requirements for using UII data across DOD and within the components' Enterprise Resource Planning systems.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD claims that this recommendation should be closed. When we receive documentation, we will update this recommendation accordingly.
    Recommendation: To enable DOD to successfully share UII data enterprisewide and integrate IUID functionality with its Enterprise Resource Planning systems, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to coordinate with the military services and the Defense Logistics Agency to develop or revise integrated master schedules for the integration of IUID technology with the components' individual Enterprise Resource Planning systems--and between these systems--across DOD. These schedules should fully integrate distinct IUID activities.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD claims that this recommendation should be closed. When we receive documentation, we will update this recommendation accordingly.
    Recommendation: The Secretary of Defense should direct the Secretary of the Navy to develop a plan to share UII data enterprisewide.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, DOD claims that this recommendation should be closed. When we receive documentation, we will update this recommendation accordingly.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In commenting on our report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. However, in response to this recommendation, FDA officials developed an integrated master schedule (IMS) for the Mission Accomplishment and Regulatory Compliance System, along with corresponding sub-project schedules. The officials also provided explanations of their approach for updating the schedules and estimating resources that are reflected in the schedules, and evidence that the agency is updating the schedule regularly. However, the IMS did not identify all legacy systems to be replaced, did not trace all tasks and contractor subproject schedules, and did not include information reflecting the use of government resources. In 2016, we requested that FDA provide an update on their efforts to address these limitations. As of September 2017, the agency restructured MARCS into two projects and notified us that it was working to establish an IMS for each. FDA officials expect to complete the schedules by the end of calendar year 2017. Until FDA takes steps to address the noted deficiencies, it will lack key information needed for determining what work remains and for identifying and addressing potential problems, thus increasing risks to the success of the agency's modernization efforts. We will continue to work with the Department to address this recommendation.
    Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to monitor progress of MARCS against the integrated master schedule (IMS).

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In commenting on the report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. However, in response to this recommendation, FDA officials provided a baseline schedule, integrated master schedule (IMS), and sub-project schedules intended to be used to monitor progress of the agency's efforts to implement changes to the Mission Accomplishment and Regulatory Compliance System (MARCS). Nonetheless, while the IMS is updated regularly, it contains data anomalies, and FDA has not documented reasons for changes to the schedule. Consequently, the schedule does not include complete and reliable information needed for monitoring progress of the system investment. As of September 2017, the agency restructured MARCS into two projects and notified us that it was working to establish an IMS for each. FDA officials expect to complete the schedules by the end of calendar year 2017, and to use the schedules to continually monitor the status of the projects. Until FDA takes steps to address deficiencies noted in the IMS for MARCS, it will continue to lack key data needed to monitor progress of the implementation of the system, and increase the risks of this key component of the agency's modernization efforts. We will continue to work with the Department to address this recommendation.
    Director: Trimble, David C
    Phone: 202-512-9338

    5 open recommendations
    including 4 priority recommendations
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development to assess the feasibility and appropriateness of the established time frames for each step in the IRIS assessment process and determine whether different time frames should be established, based on complexity or other criteria, for different types of IRIS assessments.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that IRIS assessments that support policy and regulatory decisions for EPA's programs and regions, and state agencies, are being consolidated into a new portfolio to optimize the application of best available science and technology. According to IRIS Program officials, the IRIS workflow will be reoriented and timelines and resources will be tailored to fit the intended purpose of the IRIS assessment. This approach was presented to EPA's Science and Technology Policy Council in July 2017 and was presented to the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017 for their consideration and evaluation. In addition, according to EPA IRIS officials, there were improvements in project management for IRIS assessments, such as working with IRIS assessment chemical managers (individuals who manage IRIS assessments) to develop timelines and a system that tracks the portfolio of IRIS products in development, to allow the IRIS Program to more effectively use resources across assessment projects and ensure timely delivery of products. GAO continues to believe that these efforts show important progress, but that EPA needs to continue to determine whether different time frames should be established for different types of assessments, and the feasibility and appropriateness of the established time frames.
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development, should different time frames be necessary, to establish a written policy that clearly describes the applicability of the time frames for each type of IRIS assessment and ensures that the time frames are realistic and provide greater predictability to stakeholders.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that they met with the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017 to discuss responses to this recommendation. After the meeting, EPA's IRIS Program officials expect to issue a public statement that will emphasize the new portfolio approach to chemical evaluation and reflect that IRIS milestones will be varying based on the scale and type of assessment needed. EPA's IRIS Program officials told GAO that these activities will also provide the Program an opportunity to evaluate whether additional training on project management has provided the consistency in planning and delivery that was expected. GAO continues to believe that EPA has made progress and we will continue to review information provided by EPA as the agency works to ensure that the time frames are realistic and provide greater predictability to stakeholders.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to annually publish the IRIS agenda in the Federal Register each fiscal year.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that starting in 2017, on an annual basis, the IRIS Program is reviewing the information in the December 2015 Multi-Year Agenda to ensure that it remains responsive to GAO's recommendation. According to IRIS Program officials, this process was informal in 2017 but will be formalized starting in 2018 and updates to the Multi-Year Agenda will be published on the IRIS website and disseminated appropriately. GAO continues to believe that current and accurate information on the chemicals EPA plans to assess through IRIS should be made available to IRIS users. As the program continues its work, GAO will monitor EPA's progress to determine if information is provided annually in the Federal Register.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to indicate in published IRIS agendas which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that starting in 2017, on an annual basis, the IRIS Program is reviewing the information in the December 2015 Multi-Year Agenda to ensure that it remains responsive to GAO's recommendation. According to IRIS Program officials, this process was informal in 2017, but will be formalized starting in 2018, and updates to the Multi-Year Agenda will be published on the IRIS website and disseminated appropriately. EPA IRIS Program officials stated that they received feedback from the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017. IRIS officials intend to publish an updated Agenda that will list which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals. GAO continues to believe that annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program is critical for IRIS users as well as specifically identifying which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to update the IRIS Substance Assessment Tracking System (IRISTrack) to display all current information on the status of assessments of chemicals on the IRIS agenda, including projected and actual start dates, and projected and actual dates for completion of steps in the IRIS process, and keep this information current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of August 2017, EPA's Integrated Risk Information System (IRIS) Program officials stated that starting in 2017, on an annual basis, the IRIS Program is reviewing the information in the December 2015 Multi-Year Agenda to ensure that it remains responsive to GAO's recommendation. According to EPA IRIS Program officials, this process was informal in 2017 but will be formalized starting in 2018, and updates to the Multi-Year Agenda will be published on the IRIS website and disseminated appropriately. EPA IRIS Program officials stated that they received feedback from the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017. Officials indicated that after the feedback is received, the IRIS website will be updated with information consistent with GAO's recommendation, such as projected and actual start dates. GAO will monitor EPA's progress, and consider whether updates are annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program, as necessary for IRIS users.
    Director: Wilshusen, Gregory C
    Phone: (202)512-3000

    4 open recommendations
    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency: Department of Commerce
    Status: Open

    Comments: As of June 2017, Commerce had not submitted information or plans regarding revoking PIV cards in a timely fashion.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency: Department of the Interior
    Status: Open

    Comments: As of June 2017, Interior had not yet provided specific implementation plans for enabling PIV access to the department's major facilities.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency: Department of Labor
    Status: Open

    Comments: As of June 2017, Labor had not provided any information about whether the department's plans for PIV-enabled physical access at major facilities were being implemented in a timely manner.
    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: As of March 2017, NASA reported that it had begun implementing procedures for PIV-based logical access for the Apple Mac computers and mobile devices in its computing environment. NASA procured software to begin the transition of the Apple computers, but due to configuration issues the transition was not scheduled to be completed until December 2017. Further, NASA had begun the transition for mobile devices, which was scheduled to be completed by September 2017.
    Director: Khan, Asif A
    Phone: (202)512-9869

    3 open recommendations
    Recommendation: To improve the development, implementation, documentation, and oversight of the department's financial management improvement efforts, and to ensure that the Air Force develops and implements its Financial Improvement Plan in accordance with the FIAR Guidance, the Secretary of Defense should direct the Secretary of the Air Force to ensure that the Air Force's Financial Improvement Plans include documentation that the Air Force performed a reconciliation of the complete population of transactions for an assessable unit to the relevant general ledger(s) and to the amount(s) reported in the financial statements, including researching and resolving reconciling items.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) concurred with this recommendation. In November 2015, an independent public accountant (IPA) issued a disclaimer of opinion in connection with its audit of Air Force's fiscal year 2015 General Fund Schedule of Budgetary Activity (SBA) because Air Force was unable to provide sufficient audit evidence to provide a basis for an audit opinion. In addition, the IPA specifically identified Air Force's inability to validate the completeness of transactions underlying the SBA as one of three material weaknesses in internal controls over financial reporting. We followed up with DOD officials in August 2017 and have not been able to obtain documentation indicating that actions were taken to address this recommendation. As a result, this recommendation remains open.
    Recommendation: To improve the development, implementation, documentation, and oversight of the department's financial management improvement efforts, and to improve DOD's monitoring and oversight of FIP activities, the Secretary of Defense should direct the Secretary of the Navy to ensure that all responsible parties within the Navy, including the Assistant Secretary of the Navy (Financial Management and Comptroller), carry out their responsibilities for ensuring that FIP development and implementation complies with the FIAR Guidance and that the FIP contains sufficient information to indicate audit readiness before it is signed.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) concurred with this recommendation. In February 2016, an independent public accountant (IPA) issued a disclaimer of opinion in connection with its audit of Navy's fiscal year 2015 General Fund Schedule of Budgetary Activity because Navy was unable to provide sufficient audit evidence regarding its completeness and accuracy. In addition, the IPA identified three material weaknesses in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of its financial statements will not be prevented, or detected and corrected, on a timely basis. Ensuring the completeness and accuracy of financial reports are key elements of the FIAR Guidance. We followed up with DOD officials in August 2017 and have not been able to obtain documentation indicating that actions were taken to address this recommendation. As a result, this recommendation remains open.
    Recommendation: To improve the development, implementation, documentation, and oversight of the department's financial management improvement efforts, and to improve DOD's monitoring and oversight of FIP activities, the Secretary of Defense should direct the Secretary of the Air Force to ensure that all responsible parties within the Air Force, including the Assistant Secretary of the Air Force (Financial Management and Comptroller) carry out their responsibilities for ensuring that FIP development and implementation complies with the FIAR Guidance and that the FIP contains sufficient information to indicate audit readiness before it is signed.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) concurred with this recommendation. In November 2016, an independent public accountant (IPA) issued a disclaimer of opinion in connection with its audit of Air Force's fiscal year 2015 General Fund Schedule of Budgetary Activity (SBA) because Air Force was unable to provide sufficient audit evidence to provide a basis for an audit opinion. In addition, the IPA identified three material weaknesses in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of its financial statements will not be prevented, or detected and corrected, on a timely basis. Ensuring the completeness and accuracy of financial reports are key elements of the DOD FIAR Guidance. We followed up with DOD officials in August 2017 and have not been able to obtain documentation of actions taken to address this recommendation. As a result, this recommendation remains open.
    Director: Caldwell, Stephen L
    Phone: (202) 512-9610

    1 open recommendation
    Recommendation: To facilitate better agency understanding of the potential need and feasibility of expanding electronic verification of seafarers, to improve data collection and sharing, and to comply with the Inflation Adjustment Act, the Secretary of Homeland Security should direct the Commandant of the Coast Guard and Commissioner of CBP to jointly establish an interagency process for sharing and reconciling records of absconder and deserter incidents occurring at U.S. seaports.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred and stated that U.S. Customs and Border Protection (CBP) and the Coast Guard would begin to assess the appropriate offices within each component involved in the review and to establish a working group to evaluate the current reporting process within each component, and between CBP and Coast Guard. Further, DHS noted that it was working to co-locate the Coast Guard's ICC Coastwatch and CBP's National Targeting Center-Passenger and that this would help to eliminate many of the absconder- and deserter-reporting inconsistencies GAO identified between Coast Guard and CBP. In January 2013, CBP and Coast Guard officials reported that they had studied the CBP and Coast Guard data and found that multiple factors had likely contributed to the data variances, including differences in definitions for absconders/deserters among CBP and Coast Guard field units, and the method in which field units had recorded and reported absconder and deserter incidents. Officials reported that the two agencies were planning to develop an interagency memorandum of agreement (MOA) with field guidance for reporting absconder and deserter incidents. Officials reported that they expected to finalize and implement the MOA and field guidance by November 30, 2013. In July 2014, CBP described a new process in place for interagency data reconciliation, reporting that this action was taken in lieu of previously discussed plans to develop an interagency MOU. In December 2015, CBP reported that it expected to complete the effort by March 2016. In March 2016, CBP reported that it expected to complete the effort by September 2016. CBP officials reported that the Coast Guard and CBP determined that the absconder data variances were caused by the agencies using different reporting criteria. Officials reported that the two agencies were preparing a memo and guidance to issue to field units by August 31, 2016. Officials reported that the recommendation would be fully implemented by September 30, 2016. In September 2016, CBP reported that it expected to implement the effort by December 31, 2016. In December 2016, CBP reported that the agency had drafted a memo to coincide with new Coast Guard procedure for conducting asymmetric migration vetting and deconfliction. CBP was also working to require all ports of entry to report all maritime asymmetric migration events directly to Coastwatch or a Targeting Framework event. However, on October 18, 2016, the DHS Deputy Secretary issued Department Policy Regarding Investigative Data and Event Deconfliction Policy Directive 045-04 that sets forth DHS policy for investigative data and event deconfliction and the use of related deconfliction systems in the course of certain law enforcement activity. As a result of the newly published Directive, DHS requires that CBP develop and implement related policy, by January 17, 2017. The policy directive requires DHS components to develop a policy applicable to components having equities in Investigative Data and Event Deconfliction. The policy will focus on more effective coordination of investigative activity to ensure officer safety by identifying links between ongoing criminal investigations. The Policy also requires that CBP components, at a minimum, conduct deconfliction through the Deconfliction and Information Coordination Endeavor, Regional Information Sharing Systems Officer Safety Event Deconfliction System, Secure Automated Fast Event Tracking Network or Case Explorer systems. CBP and Coast Guard are now looking at a directive which makes it a port responsibility to deconflict case related information. The timeline for drafting and finalizing that directive is January 2017. Because of this change in direction, CBP and Coast Guard are requesting an extension to March 31, 2017 to finalize and disseminate the new policy.
    Director: White, James R
    Phone: (202)512-5594

    2 open recommendations
    Recommendation: To understand the scope of the business nonfiler population, the Commissioner of Internal Revenue should estimate the magnitude of business nonfiling among businesses registered with IRS, using data from its operational files to select cases for further investigation. Based on the results of this work IRS should develop a tax gap estimate for the impact of business nonfiling insofar as doing so is cost-effective.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of August 2017, IRS said it did not plan to develop a partial estimate of the business nonfiler rate, as we recommended in August 2010. IRS reported that funding would likely be unavailable for it to do so using operational data. According to IRS, its existing operational data on business nonfilers are sufficient. However, even a partial estimate could give IRS additional information that would be useful in its strategic planning and help it determine what priority it should place on this type of noncompliance.
    Recommendation: To monitor the performance of business nonfiler activities, the Commissioner of Internal Revenue should set a deadline for developing data that can be used to measure the performance of the BMF CCNIP and its business nonfiler compliance activities overall.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS has determined that it does not have the necessary data that could be used to measure its business nonfiler efforts across the agency and that it therefore cannot set a deadline for developing such data, as GAO recommended in August 2010. According to IRS, developing such data would be prohibitively costly. Rather, as of August 2017, IRS plans to continue to use the data at the operating division level. Without going through the process of developing performance data, IRS is unable to know what data would aid in monitoring and evaluating its business nonfiler efforts. Absent cross-agency performance data, IRS is unable to fully understand the outcomes of its business nonfiler efforts.
    Director: Goldenkoff, Robert N
    Phone: (202)512-2757

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To improve the Bureau's use of its master schedule to manage the 2020 decennial census, the Secretary of Commerce should require the Director of the U.S. Census Bureau to include estimates of the resources, such as labor, materials, and overhead costs, in the 2020 integrated schedule for each activity as the schedule is built, and prepare to carry out other steps as necessary to conduct systematic schedule risk analyses on the 2020 schedule.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: Commerce neither agreed nor disagreed with this recommendation. The Bureau continues to refine its 2020 Census master schedule, which it recently announced it completed in July 2016. Bureau officials have periodically described their intent to link resources to activities within their schedules, but as of July 2016 had confirmed that it had not yet done so. The Bureau has provided us with copies of its schedule, but not yet satisfactory evidence of having completed such an analysis. We are beginning an audit of the Bureau's scheduling practices this summer and will review actions the Bureau may have taken to address this recommendation. As of July 2017, we have received initial documents as we begin this review.