Reports & Testimonies

  1. Share with Facebook 
  2. Share with Twitter 
  3. Share with LinkedIn 
  4. Share with mail 

Recommendations Database

GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.

Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.

As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.

Browse or Search Open Recommendations

Search


Have a Question about a Recommendation?

  • For questions about a specific recommendation, contact the person or office listed with the recommendation.
  • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

« Back to Results List Sort by   

Results:

Subject Term: "Access control"

8 publications with a total of 19 open recommendations
Download these results in CSV format or XLSX format.
Passenger Rail Security: TSA Engages with Stakeholders but Could Better Identify and Share Standards and Key Practices
GAO-20-404, Apr 3, 2020
Director: Triana McNeil
Phone: (202) 512-8777

1 open recommendations
Display
Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
Aviation Security: TSA Could Strengthen Its Insider Threat Program by Developing a Strategic Plan and Performance Goals
GAO-20-275, Feb 10, 2020
Director: Triana McNeil
Phone: (202) 512-8777

1 open recommendations
Display
Recommendation: The TSA Administrator should develop performance goals for its Insider Threat Program that assess progress achieving the strategic objectives in the insider threat strategic plan. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In May 2020, TSA published its strategic framework, the TSA Insider Threat Roadmap, for mitigating insider threats in the transportation sector. The Roadmap contains three overarching strategic priorities and specific objectives for each of these priorities to refine and continue to improve its efforts to detect, deter, and mitigate insider threats. TSA described that its next steps will be to develop implementation plans for each of these priorities and objectives, including detailed plans of actions with timelines and performance measures to assess its progress achieving the Roadmap's priorities and objectives. We will continue to monitor TSA's efforts to implement our recommendation.
DOD Installations: Monitoring Use of Physical Access Control Systems Could Reduce Risks to Personnel and Assets
GAO-19-649, Aug 22, 2019
Director: Diana Maurer
Phone: (202) 512-9627

5 open recommendations
Display
Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Intelligence requires that DOD components (including the military departments and the Defense Logistics Agency) monitor the use of PACS at their installations. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of the Army should ensure that the Office of Provost Marshal General monitors the use of PACS at Army installations. (Recommendation 2)

Agency: Department of Defense: Department of the Army
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of the Navy should ensure that the Commander, Navy Installations Command, monitors the use of PACS at Navy installations. (Recommendation 3)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of the Navy, in coordination with the Commandant of the Marine Corps, should ensure that the Commander, Marine Corps Installations Command, monitors the use of PACS at Marine Corps installations. (Recommendation 4)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Personnel and Readiness develops appropriate performance measures and associated goals for the timely resolution of the Defense Biometric Identification System technical issues to facilitate improved PACS performance. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control
GAO-19-138, Dec 20, 2018
Director: Lori Rectanus
Phone: (202) 512-2834

2 open recommendations
Display
Recommendation: The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In August 2019, GAO contacted OMB to determine if any progress has been made implementing this recommendation. GAO is awaiting OMB's response.
Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.
Management Report: Actions Needed to Improve National Nuclear Security Administration Contract Document Management
GAO-18-246R, Aug 1, 2018
Director: Bawden, Allison
Phone: (202) 512-3841

1 open recommendations
Display
Recommendation: OAPM should monitor how field offices currently manage older, existing Management and Operating contract documents and use the results to improve its process for accessing such documents. (Recommendation 2)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation. Per NNSA, as of October 2018, it was developing a plan and schedule for implementing Procurement Management Reviews (PMRs), which will include monitoring how NNSA field offices manage older management and operating contract documents and use the results to improve access to such documents. As of April 2020, we will continue to monitor how NNSA carries out its oversight of field offices contract document management practices.
Information Security: IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer Data
GAO-18-391, Jul 31, 2018
Director: Gregory C. Wilshusen
Phone: (202) 512-6244

3 open recommendations
Display
Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by documenting access authorizations for non-unique accounts. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by reviewing non-unique accounts at least annually, per IRS's policy. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Information Security: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data
GAO-17-395, Jul 26, 2017
Director: Wilshusen, Gregory C
Phone: (202) 512-6244

5 open recommendations
Display
Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, but the agency provided some evidence of its progress in implementing this recommendation. When IRS fully implements this recommendation, we will review relevant IRS actions.
Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Critical Infrastructure Protection: Additional Actions by DHS Could Help Identify Opportunities to Harmonize Access Control Efforts
GAO-17-182, Feb 7, 2017
Director: Chris P. Currie
Phone: (404) 679-1875

1 open recommendations
Display
Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

Agency: Department of Homeland Security
Status: Open

Comments: As of 2/12/2020, awaiting additional evidence/clarification from DHS.