Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: "Chief financial officers"
GAO-21-29, Oct 8, 2020
Phone: (202) 512-6806
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-566, Aug 6, 2020
Phone: (202) 512-3406
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language to clarify the duties and responsibilities of the CFO, including the formulation and financial execution of the budget, planning and performance, risk management, internal control, financial systems, and accounting. We will continue to monitor the status of this bill.
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language to specify that the deputy CFO shall assist the agency CFO in the performance of each of the duties of the agency CFO. We will continue to monitor the status of this bill.
a. The plan should include actions for improving financial management systems, strengthening the federal financial management workforce, and better linking performance and cost information for decision-making.
b. The plan should be developed in consultation with the CFO Council, the Chief Information Officers Council, the Chief Data Officer Council, the Chief Acquisition Officers Council, CIGIE, GAO, and other appropriate financial management experts. (Matter for Consideration 3)
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language that calls for a government-wide 4-year financial management plan and an annual financial management status report. The plan is to address actions for improving financial management systems, strengthening the federal financial management workforce, and better linking performance and cost information for decision-making. The plan is to be developed in consultation with the CFO Council, the Chief Information Officers Council, the Chief Data Officer Council, the Chief Acquisition Officers Council, CIGIE, GAO, and other appropriate financial management experts. We will continue to monitor the status of this bill.
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language that calls for the CFO of each CFO Act agency to prepare, in consultation with financial management and other appropriate experts, an agency plan to implement the 4-year financial management plan prepared by the Director of the Office of Management and Budget and to achieve and sustain effective financial management in the agency. We will continue to monitor the status of this bill.
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language that calls for the Director of OMB to prepare comprehensive financial management performance-based metrics, which are to be used to evaluate the financial management performance of executive agencies. These metrics are to be included in the government-wide and agency-level financial management plans, and agencies' performance against the metrics is to be reported in annual financial management status reports. We will continue to monitor the status of this bill.
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language that calls for the head of each CFO Act agency to identify key financial management information needed for effective financial management decision-making. We will continue to monitor the status of this bill.
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language that calls for the head of each CFO Act agency to annually assess and separately report on the effectiveness of internal controls of the agency over financial reporting and other key financial management information. We will continue to monitor the status of this bill.
Agency: Congress
Status: Open
Comments: A bill (S. 3287) introduced in February 2020 proposed changes to the CFO Act. Among the proposed changes was language that calls for the financial statement auditors of each CFO Act agency to report on their evaluation of internal control over financial reporting and other key financial management information. We will continue to monitor the status of this bill.
GAO-20-592, Jul 22, 2020
Phone: (202) 512-2717
Agency: Office of Personnel Management
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-44, Dec 13, 2019
Phone: (202) 512-6806
including 2 priority recommendations
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Comments: Awaiting 180-day letter.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Comments: Awaiting 180-day letter.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Comments: Awaiting 180-day letter.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Comments: Awaiting 180-day letter.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Priority recommendation
Comments: We added this recommendation as a priority in our OMB priority recommendation letter in April 2020. We recommended that OMB clarify for agencies how different definitions of a "program" relate to each other in OMB guidance. Clarifying the definitions could help agencies and OMB increase transparency and identify synergies across related laws, such as GPRAMA and the Program Management Improvement Accountability Act of 2016.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Priority recommendation
Comments: We added this recommendation as a priority in our OMB priority recommendation letter in April 2020. OMB should convene trilateral meetings between OMB, relevant agencies, and us for addressing all areas on our High Risk List during each two-year high-risk cycle. Doing so would better position OMB to enhance the leadership commitment needed to make greater progress on high-risk areas. Meetings with senior OMB and agency officials on individual high-risk areas have proven in the past to be helpful to making progress. These meetings would also help OMB meet statutory requirements to conduct portfolio reviews of programs on GAO's high-risk list.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Comments: Awaiting 180-day letter.
Agency: Executive Office of the President: Office of Management and Budget: Deputy Director for Management
Status: Open
Comments: Awaiting 180-day letter.
GAO-20-130, Dec 10, 2019
Phone: (202) 512-2834
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: GSA concurred with this recommendation and has developed an action plan to implement it. In January 2020, GSA officials told us that GSA will change the method for calculating the average cost per square foot performance measure by now using the actual rent agencies paid to GSA in the calculation. GSA officials also stated that GSA will post this information annually to performance.gov. We will continue to monitor GSA's implementation of these efforts.
GAO-20-75, Nov 8, 2019
Phone: (202) 512-6806
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-129, Oct 30, 2019
Phone: (202) 512-4456
including 1 priority recommendation
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy
Status: Open
Comments: In July 2020, the department reported actions it had taken to fully implement the activities associated with assessing competencies and needs regularly; assessing gaps in competencies and staffing; monitoring the agency's progress in addressing competency and staffing gaps; and reporting to agency leadership on progress in addressing competency and staffing gaps. The department also reported actions it had taken to address the remaining four activities and provided estimated time frames for fully implementing them. As of August 2020, we were following up with the department to obtain supporting documentation for the activities it claimed it had fully implemented and status updates for the remaining activities.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Interior
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Labor
Status: Open
Comments: In December 2019, Labor officials provided additional documentation on actions taken to address the recommendation. We plan to review the documentation, and when we confirm what actions the agency has taken, we will provide updated information.
Agency: Department of State
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Environmental Protection Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: General Services Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: National Science Foundation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: In December 2019, OPM stated that it had partnered with the General Services Administration's IT Modernization Center of Excellence to assess the current state of its IT workforce planning activities, but had not yet implemented any of the eight key planning activities we recommended. We will continue to monitor OPM's efforts to implement the recommendation.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Social Security Administration
Status: Open
Comments: In November 2019, Social Security Administration officials provided the agency's recently issued IT workforce strategy for fiscal year 2019 to fiscal year 2022. We plan to review the strategy, and when we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: United States Agency for International Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-19-545, Jul 26, 2019
Phone: (202) 512-6244
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: In January 2020, OMB officials stated that they have incorporated agency feedback for enhancing the CyberStat program into an updated concept of operations document that is currently in draft. To consider this recommendation fully implemented, OMB needs to provide us with an updated concept of operations document for the CyberStat program, and demonstrate the expansion of CyberStat review meetings to agencies that require additional assistance due to persistent information security deficiencies. As of September 2020, OMB has not provided sufficient evidence to close this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of September 2020, we were still waiting to receive OMB's 180-day letter detailing the actions it plans to take to address the recommendation.
GAO-19-384, Jul 25, 2019
Phone: (202) 512-9342
including 25 priority recommendations
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Energy
Status: Open
Priority recommendation
Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, responded to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of the Interior
Status: Open
Priority recommendation
Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that its cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Justice
Status: Open
Priority recommendation
Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Justice
Status: Open
Priority recommendation
Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of State
Status: Open
Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of State
Status: Open
Priority recommendation
Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Transportation
Status: Open
Priority recommendation
Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: General Services Administration
Status: Open
Priority recommendation
Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Office of Personnel Management
Status: Open
Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Small Business Administration
Status: Open
Priority recommendation
Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Social Security Administration
Status: Open
Priority recommendation
Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.
GAO-19-14, Dec 7, 2018
Phone: (202) 512-2623
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: The Office of Management and Budget (OMB) neither agreed nor disagreed with the recommendation but stated that it had no comments. In January 2020, OMB informed us that it had no status updates to provide at this time. We will continue to monitor the agency's actions to address this recommendation.
GAO-19-49, Nov 13, 2018
Phone: (202) 512-4456
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet developed procedures that explicitly require that all transactions with an IT component be included in the expenditure reporting to the CIO. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet documented procedures for ensuring the CIO is included in budget decisions for all programs with IT resources, including those within NNSA and the national laboratories. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, DOE has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT governance board and budget procedures. However, DOE has not documented procedures by which the CIO is to work with program leadership in planning IT resources for all programs, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: The department has provided IT budget procedures. However, DOE has not documented procedures by which the CIO is to review and approve all major IT investments, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not documented procedures for the CIO's review of IT resources that are to support major program objectives and significant increases and decreases in IT resources for department and component agency budget requests. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not developed procedures for documenting steps the CIO is to take to ensure that the IT portfolio includes appropriate estimates of all IT resources. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation and is planning to take steps towards implementing it. Specifically, DOE plans to implement the Technology Business Management Framework by December 2021. Additionally, the department is coordinating internally to update its financial and procurement systems to better identify IT spending. DOE anticipates that its updates will allow the agency to compare actual IT spending against estimates in the portfolio. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with this recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to include requirements for reporting expenditures that apply to all transactions with an IT component. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to amplify the CIO's role in the planning and budgeting stages for all programs with IT resources. Also, HHS intends to document procedures for ensuring that all delegated authorities are carried out. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, HHS has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. For example, HHS plans to develop an asset management policy and introduce a pilot program to manage inventories across the agency. However, the department has not developed policies and procedures that incorporate the processes by which the program leadership are planning the IT portfolio with the CIO for existing investments greater than or equal to $20 million annually and for investments delegated to components. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to update its IT investment planning policy to amplify the CIO's role in reviewing major investments. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with this recommendation and has taken steps towards implementing it. Specifically, HHS documented procedures that require the CIO to hold annual IT investment review meetings with components to review changes in IT resources. However, HHS has not documented procedures for the CIO's role in reviewing major program objectives. We will continue to monitor the department's progress toward implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to assess and update its existing policies and procedures to document the steps the CIO is to take to review the IT portfolio for appropriate estimates of all IT resources. We will continue to monitor the department's progress toward implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to develop an IT governance policy to define the accountability of the CIO over all IT projects and establish processes detailing quality reviews and the level of rigor that should be applied by its IT governance board. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT acquisition program policy and related processes. HHS also plans to document standard operating procedures for agency-wide dissemination to ensure the effectiveness and efficiency of IT investment governance through transparent and repeatable procedures. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps towards implementing it. Specifically, HHS established a working group and developed a roadmap for implementing the Technology Business Management Framework by fiscal year 2022. The agency anticipates that its strategy and approach will enable HHS to, among other things, link IT portfolio data, procurement system data, and financial system data. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: The department agreed with the recommendation and has taken steps towards implementing it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Justice: Federal Bureau of Investigation
Status: Open
Comments: FBI agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
GAO-18-319, Mar 22, 2018
Phone: (202) 512-2834
Agency: General Services Administration
Status: Open
Comments: As of February 2020, GSA has provided GAO with some documents that indicate steps toward addressing this recommendation. For example, the documents cover topics on workplace and space design. GSA officials said that they are working on a document that focuses on the relationship between space planning and telework that will more directly address this recommendation. The estimated completion date for this document is the end of fiscal year 2020.
GAO-17-454R, May 17, 2017
Phone: (202) 512-9377
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2018, IRS created an annual Internal Revenue Manual (IRM) review and certification requirement to reasonably assure that all IRM sections align with the current control procedures and guidance that IRS personnel are implementing. In addition, the Small Business/Self-Employed (SB/SE) and Tax Exempt & Government Entities (TE/GE) organizations developed action plans to achieve substantial compliance with this requirement. During fiscal year 2019, the SB/SE organization completed its action plan; however, IRS officials stated that the TE/GE organization will complete its action plan during fiscal year 2020. Further, in fiscal year 2019, the Large Business & International organization reviewed and analyzed the results of its involvement in the annual IRM certification process. Based on the results of its analysis, the organization developed an action plan to achieve substantial compliance with the IRM review and certification requirement, which IRS officials stated it will complete by December 2021.
GAO-16-511, Sep 29, 2016
Phone: (202) 512-9286
Agency: Department of Commerce
Status: Open
Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019, we followed up with Commerce on the status of its efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.
Agency: Department of Energy
Status: Open
Comments: We reported that the Department of Energy partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.
Agency: Department of Housing and Urban Development
Status: Open
Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.
Agency: Social Security Administration
Status: Open
Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.
Agency: Department of Labor
Status: Open
Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.
Agency: Department of the Treasury
Status: Open
Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.
Agency: Department of State
Status: Open
Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.
Agency: Office of Personnel Management
Status: Open
Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.
Agency: Department of Homeland Security
Status: Open
Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.
Agency: Department of Labor
Status: Open
Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, is rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow up with the department to obtain documentation of its efforts to address the recommendation.