Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Security threats"

    20 publications with a total of 69 open recommendations including 11 priority recommendations
    Director: Lori Rectanus
    Phone: (202) 512-2834

    8 open recommendations
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should, with regard to the updated Security Policy and Procedures Handbook, include the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, should revise the assumptions used in the plan to address the backlog to balance assessments with competing priorities, such as updating the policy manual and reviewing new construction design, to develop a feasible time frame for completing the assessment backlog.

    Agency: Department of Homeland Security: United States Customs and Border Protection
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To ensure that current pilot programs related to electronic advance data provide insights that help in assessing USPS's effectiveness at providing mail targeted by CBP for inspection, the Secretary of Homeland Security should direct the Commissioner of CBP to, in conjunction with USPS, (1) establish measureable performance goals for pilot programs and (2) assess the performance of the pilots in achieving these goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide information on the costs and benefits of collecting electronic advance data for use in targeting inbound international mail for screening, the Secretary of Homeland Security should direct the Commissioner of CBP to, in conjunction with USPS, evaluate the relative costs and benefits of collecting electronic advance data for targeting mail for inspection in comparison to other methods.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Kirschbaum, Joseph W
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

    Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

    Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lori Rectanus
    Phone: (202) 512-2834

    7 open recommendations
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to ensure that performance measures linked to program goals are included as part of its updated strategic plan and direct it to develop a timeline for completion of this plan.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security program.

    Agency: Department of the Interior
    Status: Open

    Comments: Interior concurred with this recommendation and said it would take steps to implement it. When we confirm what actions Interior has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to develop program goals and ensure that performance measures linked to those goals are included as part of the strategic plan for security and develop a timeline for completion of this plan.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Smithsonian Institution should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: Smithsonian Institution
    Status: Open

    Comments: The Smithsonian concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the Smithsonian has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to develop a process for documenting risk management decisions.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.

    Agency: National Gallery of Art
    Status: Open

    Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. When we confirm what actions the National Gallery has taken in response to this recommendation, we will provide updated information.
    Director: Rebecca Gambler
    Phone: (202) 512-8777

    5 open recommendations
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to assess and document how the alternative technological solutions being considered will fully meet operational needs related to ultralight aircraft.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection Air and Marine Operations air domain awareness efforts. DHS plans to complete these efforts by July 2018.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP and the Director of ICE to jointly establish and monitor performance measures and targets related to cross-border tunnels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate by February 2018.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to establish and monitor performance targets related to ultralight aircraft.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred and stated that within U.S. Customs and Border Protection, Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. DHS plans to complete these efforts by October 2017.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the U.S. Customs and Border Protection (CBP)-U.S. Immigration and Customs Enforcement (ICE) tunnel committee to convene and establish standard operating procedures for addressing cross-border tunnels, including procedures for sharing information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. We continue to believe that the recommendation is valid and will monitor DHS's efforts to address it.
    Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commandant of the Coast Guard, Commissioner of CBP, and the Director of ICE to establish and monitor Regional Coordinating Mechanisms performance measures and targets related to panga boat and recreational vessel smuggling.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS did not concur with this recommendation. DHS stated that that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. We continue to believe that the recommendation is valid and will monitor DHS's efforts to address it.
    Director: Michael J. Courts
    Phone: (202) 512-8980

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct the Bureau of Diplomatic Security (DS) to create consolidated guidance for RSOs that specifies required elements to include in post travel notification and transportation security policies. For example, as part of its current effort to develop standard templates for certain security directives, DS could develop templates for transportation security and travel notification policies that specify the elements required in all security directives as recommended by the February 2005 Iraq ARB as well as the standard transportation-related elements that DS requires in such policies.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify whether or not the FAH's armored vehicle policy for overseas posts is that every post must have sufficient armored vehicles, and if DS determines that the policy does not apply to all posts, articulate the conditions under which it does not apply.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to develop monitoring procedures to ensure that all posts comply with the FAH's armored vehicle policy for overseas posts once the policy is clarified.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify existing guidance on refresher training, such as by delineating how often refresher training should be provided at posts facing different types and levels of threats, which personnel should receive refresher training, and how the completion of refresher training should be documented.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to improve guidance for RSOs, in coordination with other relevant State offices and non-State agencies as appropriate, on how to promote timely communication of threat information to post personnel and timely receipt of such information by post personnel.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    6 open recommendations
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Andrew Von Ah
    Phone: (213) 830-1011

    4 open recommendations
    Recommendation: To ensure the quality of the risk assessments used to inform its future QHSR processes, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to ensure future QHSR risk assessment methodologies reflect key elements of successful risk assessment methodologies, such as being: (1) Documented, which includes documenting how risk information was integrated to arrive at the assessment results, (2) Reproducible, which includes producing comparable, repeatable results, and (3) Defensible, which includes communicating any implications of uncertainty to users of the risk results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2016, the Office of Policy's Office of Strategy, Plans, Analysis and Risks completed initial meetings with government and non-government subject matter experts to refine risk analyses for the upcoming 2018 QHSR. Representatives from the department's component and headquarters staff are to take part in the Department's Risk Modeling and Analysis Steering Committee by reviewing, documenting and approving proposed new methodologies planned to help identify and prioritize threats and hazards. This effort is intended to lead to a documented, reproducible, and defensible assessment, according to the DHS officials. As of November 2017, this recommendation remains open until DHS provides information allowing us to verify that the risk analysis contains these elements.
    Recommendation: To enable the use of risk information in supporting resource allocation decisions, guiding investments, and highlighting the measures that offer the greatest return on investment, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to refine its risk assessment methodology so that in future QHSRs it can compare and prioritize homeland security risks and risk mitigation strategies.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk, with support from the RAND Corporation, proposed a methodology to assess threats, hazards, and vulnerabilities impacting U.S. homeland security. In addition, the department's Risk Modeling and Analysis Executive Steering Committee was to review and approve the proposed methodology. The methodology is intended to enable the Department of Homeland Security to compare and prioritize homeland security risks and risk mitigation strategies, according to DHS officials. As of November 2017, the recommendation will remain open until DHS provides information that enables us to verify that the methodology allows such comparisons.
    Recommendation: To ensure proper management of the QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to identify and implement stakeholder meeting processes to ensure that communication is interactive when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk finalized a draft stakeholder outreach plan to include use of the Office of Management and Budget's Max electronic collaboration website to engage with federal, state, and local stakeholders. The OMB-MAX website is available to government and non-government offices and allows the posting of documents, articles, and links, as well as facilitating collaborative editing of documents and participant interaction threads, according to DHS officials. In addition, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk is exploring the use of different tools to facilitate more interactive stakeholder engagement. For example, DHS's Office of Partnerships and Engagement is to facilitate additional engagement with external subject matter experts, arrange interagency coordination, and organize review and approval with parties of the homeland security enterprise in order to coordinate and approve the development of the 2018 QHSR. As of November 2017, this recommendation remains open until DHS provides information enabling us to verify that interactive communication approaches are implemented.
    Recommendation: To ensure proper management of the internal QHSR stakeholder consultation process, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to clarify component detailee roles and responsibilities when project planning for the next QHSR.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, the Office of Policy's Office of Strategy, Plans, Analysis, and Risk (SPAR) drafted a memorandum for the Deputy Secretary to solicit Component subject matter experts. The memorandum specifies component detailee roles and responsibilities, to include serving in an advisory, consultation, and coordination role, according to DHS officials. SPAR was to lead an integrated group of analysts and strategic planners that are to be supported and augmented by the subject matter experts. The experts and detailees were to serve as members of study teams analyzing key threats, trends, and strategy and policy alternatives associated with issues and challenges relating to DHS's mission and objectives. A second memorandum requesting additional detailee support was to be issued in November 2016, prior to the formal review phase of the new QHSR which was to begin in January 2017. As of November 2017, this recommendation will remain open until DHS provides information allowing us to verify that clarified detailee roles and responsibilities are finalized and implemented.
    Director: David C. Trimble
    Phone: (202) 512-3841

    1 open recommendations
    Recommendation: To ensure that any future NNSA effort--through the OTH initiative or another process--to assess proliferation threats and the implications for DNN produces high-quality information, the NNSA Administrator should implement established methods, including literature reviews, structured interviews, and peer reviews.

    Agency: Department of Energy: National Nuclear Security Administration
    Status: Open

    Comments: NNSA is in the process of revising its threat assessment process. We are currently evaluating NNSA's actions.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: To assist U.S. installations in protecting against insider threats, the Secretary of Defense should direct the military services to share information about actions U.S. installations have taken to address insider threats by consistently using existing mechanisms--such as working groups, lessons-learned information systems, and antiterrorism web portals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To assist DOD leadership in their oversight and decision-making process, the Secretary of Defense should direct the DOD leaders on the Mission Assurance Coordination Boards and the military services to take steps to improve the consistency of reporting and monitoring of the implementation of recommendations from the independent review of the 2009 Fort Hood shooting. Such steps could include DOD and the military services developing criteria for consistent reporting on the progress of recommendations and the military services providing periodic reports to the Mission Assurance Coordination Boards on the status of Fort Hood recommendations at the service level and installation level.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Charles Michael Johnson, Jr.
    Phone: (202) 512-7331

    1 open recommendations
    Recommendation: To further improve the ability of U.S. government agencies and others to assess the timeliness of U.S. security assistance to Yemen, the Secretary of Defense should take steps to improve the accuracy of data used to track when Section 1206 projects are congressionally cleared for implementation.

    Agency: Department of Defense
    Status: Open

    Comments: DOD officials indicated that they will correct the historical congressional notification clearance data for Yemen and ensure it is correct going forward, with the goal of having correct data by May, 2015. They also noted there is a policy in place requiring the congressional notification clearance date entered into the database to be drawn from the e-mail from the DOD Comptroller's office indicating the clearance date. In order to correct the historical data, DOD will try to find documents showing the actual clearance dates, but when those are unavailable, DOD will add fifteen days to the date of the congressional notification. As of November 2017, DOD had not provided documentation in response to our requests for a status update regarding this recommendation. We will monitor these efforts to determine when they have been completed.
    Director: Mark L. Goldstein
    Phone: (202) 512-2834

    1 open recommendations
    Recommendation: The Secretary of the Department of Homeland Security should direct FPS to develop and implement a strategy for using covert-testing data and data on prohibited items to improve FPS's security-screening efforts. The strategy should, at a minimum, aim to ensure that: (1) covert-testing data are used to systematically monitor, review, and improve performance nationwide; (2) covert-testing data are used to determine which testing scenarios will be implemented or reinstated; and (3) data on prohibited items are analyzed to determine the reasons for wide variations in the number of reported prohibited-items detected across buildings and to assist with managing the screening process and informing policy.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of June 2016, implementation of this recommendation was in process, according to the Federal Protective Service (FPS). FPS provided no additional information, but plans to update GAO in the coming weeks on the status of this and other open recommendations.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    12 open recommendations
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. However, as of July 2017, FAA has provided partial documentation, but has not yet provided GAO with sufficient evidence to validate FAA's actions to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS testing policy and has provided evidence indicating that it has made progress toward ensuring that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively. Subsequent to FAA providing additional evidence showing that its corrective actions have been fully implemented, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has updated its NAS Remediation Management Plan to include new risk management processes for identified security weaknesses. However, it has not yet provided GAO sufficient evidence necessary to show that the agency has taken steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to provide NCO with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by May 2018. As of July 2017, FAA has not provided GAO with documentation of the agency's actions to integrate network traffic flow data into NCO's ad-hoc query systems. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with access to network sensors on key network gateways for reviewing intrusion detection, network traffic, and network session data.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of July 2017, FAA had developed a coordinated procedure with the FTI Security Operations Center to provide packet capture information from network sensors based on identified incidents. However, it has not provided GAO with sufficient documentation to demonstrate that the procedure has been implemented. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA provided evidence that it has taken steps to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented. However, it has not yet provided sufficient evidence that it has fully implemented its corrective actions. Subsequent to FAA providing sufficient evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it plans to implement the recommendation by September 2017. As of July 2017, FAA has not yet provided sufficient evidence that it has taken sufficient action to ensure that contingency plans for NAS systems are sufficiently documented and that tests of the plans address key plan elements. Subsequent to FAA providing additional evidence, we plan to validate its actions.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of August 2017, FAA has provided GAO with its planned actions to provide NCO with security event log data for all IP-connected NAS systems, which indicate that the agency still plans to complete its actions by December 2018. We plan to validate these actions subsequent to FAA informing us that it has completed them.
    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to finalize the incident response policy for the Air Traffic Organization and ensure that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported in accordance with FAA guidance.

    Agency: Department of Transportation
    Status: Open

    Comments: FAA concurred with our recommendation. As of July 2017, FAA has finalized the incident response policy for the Air Traffic Organization and updated one system-level incident response policy to specify incident reporting timeframes and the need for all incidents to be reported. However, it has not yet provided sufficient evidence showing that all system-level incident response policies specify reporting timeframes and the need for all incidents to be reported. Subsequent to FAA providing evidence that it has updated the remaining system-level incident response policies, we plan to validate FAA's actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: David C. Trimble
    Phone: (202) 512-3841

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that the security of radiological sources at industrial facilities is reasonably assured, the Chairman of the Nuclear Regulatory Commission should conduct an assessment of the T&R process--by which licensees approve employees for unescorted access--to determine if it provides reasonable assurance against insider threats, including (1) determining why criminal history information concerning convictions for terroristic threats was not provided to a licensee during the T&R process to establish if this represents an isolated case or a systemic weakness in the T&R process; and (2) revising, to the extent permitted by law, the T&R process to provide specific guidance to licensees on how to review a employee's background. NRC should also consider whether certain criminal convictions or other indicators should disqualify an employee from T&R or trigger a greater role for NRC.

    Agency: Nuclear Regulatory Commission
    Status: Open
    Priority recommendation

    Comments: On December 14, 2016, the NRC provided Congress with a report detailing its review of the effectiveness of the requirements in 10 CFR Part 37 to determine whether any additional security measures, guidance updates, rulemaking changes, or licensee outreach efforts are appropriate. The completion of the 10 CFR Part 37 program review included insights into the effectiveness of the T&R process. Specifically, the review generated recommendations for enhancements in the area of T&R, including, among other things, increased controls for protection of information related to individuals having access to Category 1 and 2 quantities of radioactive materials; improved guidance related to information individuals must disclose when applying for unescorted access; development of sample forms or templates for use in T&R evaluations; and improved coordination efforts with the FBI to share potential terrorist threat information involving individuals seeking approval for new or continued unescorted access to Category 1 and 2 quantities of radioactive materials. However, certain aspects of the NRC staff's assessment of the T&R process remain ongoing. Specifically, on November 25, 2016, the staff closed Temporary Instruction (TI) 2800/042, "Evaluation of Trustworthiness and Reliability Determinations," and is using the information gained from the TI to consider additional enhancements to the T&R process. As part of this continuing effort, the NRC will evaluate the potential use of disqualifying criteria in making T&R determinations and the incorporation of additional insider mitigation program features, such as requiring the self-reporting of legal actions, into the T&R process to which the individual has been subject. The NRC expects this evaluation to be completed in December 2017.
    Director: Charles Michael Johnson, Jr.
    Phone: (202) 512-7331

    4 open recommendations
    including 4 priority recommendations
    Recommendation: To strengthen State's ability to ensure that U.S. civilian personnel are in compliance with the FACT training requirement, the Secretary of State should identify a mechanism to readily determine the universe of assigned U.S. civilian personnel under chief-of-mission authority who are required to complete FACT training.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation, but has not yet identified a mechanism to readily determine the universe of assigned U.S. civilian personnel under chief-of-mission authority who are required to complete FACT training. As of March 2017, GAO continues to monitor State's efforts to implement this recommendation.
    Recommendation: To strengthen State's ability to ensure that U.S. civilian personnel are in compliance with the FACT training requirement, the Secretary of State should take steps to ensure that management personnel responsible for assigning personnel to designated high-threat countries consistently verify that all assigned U.S. civilian personnel under chief-of-mission authority who are required to complete FACT training have completed it before arrival in the designated high-threat countries.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State agreed with the recommendation, and on July 7, 2014--subsequent to our report issuance and addressing this finding--State issued a memo to all agencies that states that it is the responsibility of each agency to ensure its employees are in compliance with FACT training requirements prior to travel to the relevant posts. The memo also requires employees to provide a FACT completion certificate to posts upon request. In October 2016, State officials reported that State had rolled out a ClassNet SharePoint site, and that they expected that the site would include Bureau of Near Eastern Affairs and Bureau of South and Central Asian Affairs posts by January 1, 2017. The SharePoint site allows designated users in Washington, D.C. and at posts to access the Foreign Service Institute's training records database. As of March 2017, GAO continues to monitor State's efforts to fully address the recommendation.
    Recommendation: To strengthen State's ability to ensure that U.S. civilian personnel are in compliance with the FACT training requirement, the Secretary of State should take steps to ensure that management personnel responsible for granting country clearance consistently verify that all short-term TDY U.S. civilian personnel under chief-of-mission authority who are required to complete FACT training have completed it before arrival in the designated high-threat countries.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: In response to GAO's recommendation, as of March 2017, State had taken several steps to ensure that the electronic Country Clearance (eCC) is easier for personnel to use, but these steps do not ensure that the personnel responsible for verifying FACT training before deployment are doing so. For instance, State updated the current eCC to require personnel traveling to High Threat, High Risk Posts to certify FACT training, with radio buttons for the following: (1) whether the stay is greater than 45 days; (2) whether the traveler has spent more than 45 total days at a High Threat, High Risk Post within the last 365-days; and (3) whether the traveler has completed FACT. If the eCC user responds that the traveler has not taken FACT, he or she must provide a justification. In addition, the eCC system requires personnel traveling to High Threat, High Risk Posts to certify whether they have completed FACT and to provide the completion date. When the eCC user enters this information, he or she is prompted with a box that instructs him or her to "provide documentation of FACT Training (e.g. Certificate) upon arrival at Post" and to click OK to continue. Since May 2016, the agency had been developing a new eCC application that will include automated checks of training records. Agency officials expect to produce this new application in the summer of 2017. GAO continues to monitor State's efforts to fully address the recommendation.
    Recommendation: To strengthen State's ability to ensure that U.S. civilian personnel are in compliance with the FACT training requirement, the Secretary of State should monitor or evaluate overall levels of compliance with the FACT training requirement among U.S. civilian personnel under chief-of-mission authority who are subject to the requirement.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: As of May 2015, State officials said that they are developing a plan to utilize various electronic systems to monitor overall levels of compliance for assigned and short-term TDY personnel. The plan is being developed iteratively and is subject to change based on findings and lessons learned from each stage as well as constraints based on cyber security compliance. As of March 2017, State did not report further progress on this recommendation.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To help ensure that security-related funding is directed to programs that have demonstrated their effectiveness, the Secretary of Homeland Security should direct the TSA Administrator to limit future funding support for the agency's behavior detection activities until TSA can provide scientifically validated evidence that demonstrates that behavioral indicators can be used to identify passengers who may pose a threat to aviation security.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security (DHS) did not concur with GAO's November 2013 recommendation to the TSA Administrator to limit future funding support for the agency's behavior detection activities until TSA can provide scientifically validated evidence that demonstrates that behavioral indicators can be used to identify passengers who may pose a threat to aviation security. However, as of July 2017, DHS has reduced funding for its behavior detection activities and taken some steps toward identifying additional evidence to support its use of behavioral indicators. TSA officials stated that GAO's recommendation contributed to DHS's decision to reduce the number of behavior detection officers (BDO) from 3,131 full-time equivalents in fiscal year 2013 to 2,393 full-time equivalents employed in fiscal year 2016. Further, in the summer of 2016 and consistent with the Aviation Security Act of 2016, the agency began assigning BDOs to other positions at passenger screening checkpoints where they are able to observe passengers while performing screening duties. According to TSA officials, all BDOs have now been converted into transportation security officers with behavior detection capabilities, which is expected to reduce the cost of the agency's behavior detection activities. As of August 2017, TSA does not yet have an estimate of any associated cost reductions. Since GAO's 2013 report, TSA has revised its list of behavioral indicators and taken some steps to identify evidence that these indicators can be used to identify passengers who may pose a threat to aviation security. Specifically, TSA hired a contractor to search available literature for sources supporting its revised list of 36 behavioral indicators. However, in 2017, GAO reviewed all 178 sources TSA identified and found that 98 percent (175 of 178) did not provide valid evidence for specific behavioral indicators in its revised list and that the remaining 3 sources could be used as valid evidence to support 8 of the 36 indicators. GAO reported that TSA should continue to limit funding for the agency's behavior detection activities until TSA can provide valid evidence demonstrating that behavioral indicators can be used to identify passengers who may pose a threat to aviation security, consistent with the recommendation in its November 2013 report.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To help mitigate vulnerabilities in mobile devices, the Chairman of the Federal Communications Commission should monitor progress of wireless carriers and device manufacturers in achieving their milestones and time frames once an industry baseline of mobile security safeguards has been implemented.

    Agency: Federal Communications Commission
    Status: Open

    Comments: FCC plans on monitoring the progress of wireless carriers and device manufacturers in achieving their milestones and time frames through one-on-one cyber risk management assurance meetings with service providers. FCC stated that it anticipates the meetings will begin within the next year pending the Commission's adoption of the policy statement for conducting the recommended meetings. We will validate these actions in the coming year.
    Director: Currie, Christopher
    Phone: (404)679-3000

    1 open recommendations
    Recommendation: In order to help build and maintain a national biosurveillance capability in a manner that accounts for the particular challenges and opportunities of reliance on state and local partnerships, we recommend the Homeland Security Council direct the National Security Staff to take the following action as part of its implementation of our previous recommendation for a national biosurveillance strategy: Ensure that the national biosurveillance strategy (1) incorporates a means to leverage existing efforts that support nonfederal biosurveillance capabilities, (2) considers challenges that nonfederal jurisdictions face in building and maintaining biosurveillance capabilities, and (3) includes a framework to develop a baseline and gap assessment of nonfederal jurisdictions' biosurveillance capabilities.

    Agency: Executive Office of the President: Homeland Security Council
    Status: Open

    Comments: In June 2010, GAO recommended a national biosurveillance strategy to provide a framework for building and maintaining a national biosurveillance capability. In October 2011, building on that recommendation, we called for such a strategy to address key challenges we identified in state and local biosurveillance by accounting for the need to leverage nonfederal resources. In July 2012, the White House released the National Strategy for Biosurveillance. A strategic implementation plan was to be published within 120 days of strategy issuance. The July 2012 strategy did not adequately address the issues we raised related to state and local biosurveillance and acknowledged but did not meaningfully address the need to leverage nonfederal resources. As of March 14, 2013 the implementation plan has not been released.