Reports & Testimonies

  1. Share with Facebook 
  2. Share with Twitter 
  3. Share with LinkedIn 
  4. Share with mail 

Recommendations Database

GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.

Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.

As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.

Browse or Search Open Recommendations

Search


Have a Question about a Recommendation?

  • For questions about a specific recommendation, contact the person or office listed with the recommendation.
  • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

« Back to Results List Sort by   

Results:

Subject Term: "Control systems"

6 publications with a total of 12 open recommendations
Download these results in CSV format or XLSX format.
Critical Infrastructure Protection: Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities
GAO-20-453, May 14, 2020
Director: Anderson, Nathan J
Phone: (206)287-4804

6 open recommendations
Display
Recommendation: The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals. (Recommendation 1)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA's Infrastructure Security Division (ISD) will work to develop a documented process for reviewing CFATS cybersecurity guidance at regularly defined intervals. DHS stated in its comments that once the process is documented and implemented, ISD will revise or supplement existing guidance, as appropriate. We will continue to monitor DHS's actions to address the recommendation.
Recommendation: The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation stated that CISA agrees that it is important to ensure training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. Regarding inspector performance maintenance or improvement, DHS stated that, among other things, management will ensure that each inspector's individual performance plan fully captures their expected performance goals in the area of cybersecurity. We will continue to monitor DHS's actions to address this recommendation.
Recommendation: The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. DHS stated in its comments that CISA will establish policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is accounted for in a centralized mechanism. We will continue to monitor DHS's actions taken to address this recommendation.
Recommendation: The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms. (Recommendation 4)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. DHS also stated that, among other things, CISA will require course evaluation forms from each attendee of any cybersecurity training provided by CISA to its chemical facility staff. We will continue to monitor DHS's actions to address this recommendation.
Recommendation: The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them. (Recommendation 5)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA will develop a concept of operations, which will include goals and requirements for a workforce review and planning effort to ensure the organization addresses the new program's capacity and capability to perform its regulatory, voluntary, and programmatic goals, to include its cybersecurity related functions. We will continue to monitor DHS's actions to address this recommendation.
Recommendation: The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. (Recommendation 6)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities but that it is not in a readily accessible format. DHS stated in its comments that ISD will execute a contract for new information technology development support for the CSAT system which, once executed, will work with the new support contractor to build a tool to automate the locating and reporting of a facility's cyber integration level data in a more accessible format. We will continue to monitor the status of DHS's actions to address this recommendation.
Passenger Rail Security: TSA Engages with Stakeholders but Could Better Identify and Share Standards and Key Practices
GAO-20-404, Apr 3, 2020
Director: Triana McNeil
Phone: (202) 512-8777

1 open recommendations
Display
Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
Satellite Communications: DOD Should Develop a Plan for Implementing Its Recommendations on a Future Wideband Architecture
GAO-20-80, Dec 19, 2019
Director: Cristina T. Chaplain
Phone: (202) 512-4841

1 open recommendations
Display
Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition and Sustainment develop and implement a plan to guide and coordinate efforts to implement the Wideband AOA recommendations to support timely, informed decisions on its next wideband satellite communications architecture. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: DOD concurred with our recommendation, but as of July 2020 is still working to implement its corrective action plan.
Global Positioning System: Updated Schedule Assessment Could Help Decision Makers Address Likely Delays Related to New Ground Control System
GAO-19-250, May 21, 2019
Director: Cristina Chaplain
Phone: (202) 512-4841

1 open recommendations
Display
Recommendation: The Secretary of Defense should direct the Director, Office of Cost Assessment and Program Evaluation to conduct an independent schedule assessment of the full program schedule for the Global Positioning System's next generation operational control system based on progress made through the end of calendar year 2019. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD did not concur with our recommendation to conduct an independent assessment of the full OCX program schedule based on progress made through the end of calendar year 2019, citing an independent cost and schedule estimate conducted in September 2018 and other ongoing program assessment and monitoring efforts. GAO continues to affirm that the recommendation is necessary given that DOD has not conducted an assessment of the full schedule since June 2018, since which time program risks have evolved. Additionally, ongoing oversight efforts are limited in scope and do not include the developmental test period after product delivery. As of August 2020, the Air Force position remains a non-concur, based on the same rationale previously noted.
U.S. Postal Service: Enhancing Procedures Could Improve Product Scanning
GAO-18-638, Sep 28, 2018
Director: Lori Rectanus
Phone: (202) 512-2834

1 open recommendations
Display
Recommendation: The Postmaster General should identify and adopt a set of internal control standards that can be used as the basis for operational internal-control activities, such as those for scanning competitive products. (Recommendation 1)

Agency: United States Postal Service
Status: Open

Comments: USPS has completed a cost study to adopt an operational internal control framework. USPS has targeted December 31, 2020, for completion and implementation of this new internal control framework.
Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD
GAO-17-668, Jul 27, 2017
Director: Kirschbaum, Joseph W
Phone: (202) 512-9971

2 open recommendations
Display
Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.
Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.