GAO’s recommendations database contains report recommendations that still need to be addressed.
GAO’s priority recommendations are those that we believe warrant priority attention.
We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations.
Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of June 17, 2020, there are 4969 open recommendations, of which 518 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
For questions about a specific recommendation, contact the person or office listed with the recommendation.
For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or firstname.lastname@example.org.
Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any function's adherence to principle #8, related to safeguarding against unauthorized access, or principle #9, regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated that these two principles are a steady-state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures related to prioritizing activities based on level of risk (#3) or to ensuring appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different from those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine whether the assessment above still applies under the new metrics.
Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: For all 11 functions, DHS stated that it has a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of the data tracked in support of these compliance measures, we will review it to determine whether DHS has closed this recommendation.
Recommendation: To help improve DOD's planning and processes for supporting civil authorities in a cyber incident, the Secretary of Defense should direct the Under Secretary of Defense for Policy in coordination with the Chairman of the Joint Chiefs of Staff to issue or update guidance that clarifies roles and responsibilities for relevant entities and officials--including the DOD components, supported and supporting commands, and dual-status commander--to support civil authorities as needed in a cyber incident.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: The Department of Defense concurred with the recommendation and indicated that, in response, it would update existing agency guidance (e.g., doctrine, directives, instructions) or develop new guidance as appropriate. Since we issued our report, DOD has issued several guidance documents--including Directive Type Memorandum 17-007, Interim Policy and Guidance for Defense Support to Cyber Incident Response (June 2017); and Joint Publication 3-12, Cyberspace Operations (June 2018)--to prepare the department to provide support to civil authorities for a cyber incident. However, the Directive Type Memorandum did not identify or clarify which DOD combatant command (i.e., NORTHCOM and PACOM versus CYBERCOM) would serve as the supported versus supporting command, or the roles and responsibilities of a dual-status commander, when DOD is providing support to civil authorities for a cyber incident. Rather, the memorandum tasked the Joint Staff to designate the command responsibilities. Also, this Directive Type Memorandum was effective for one year and expired in June 2018. DOD has drafted a DOD Instruction that will replace this memorandum. Similarly, DOD has drafted another DOD Instruction that will supposedly provide policy and guidance on the use of dual-status commanders when providing support to civil authorities in a cyber incident. Joint Publication 3-12 similarly does not clarify the roles and responsibilities of the combatant commands and the dual-status commander. Specifically, the joint publication states that when DHS requests support, the fundamental principles of DSCA used to respond to domestic emergencies in the physical domains also apply to cyberspace operations support. Per DOD's Unified Command Plan, NORTHCOM and PACOM are the supported commands for DSCA missions in the physical domain. However, Joint Publication 3-12 does not reiterate those roles and responsibilities.
Instead, when describing CYBERCOM's roles and responsibilities, it states that CYBERCOM could assume either supported or supporting command responsibilities based on the military order that is issued. When describing NORTHCOM and PACOM's roles and responsibilities, it states that those commands fulfill specific cyberspace operations responsibilities related to DSCA and homeland defense with CYBERCOM and others, as required. While the publication reiterates a basic DOD concept--that DOD components should work together--it does not provide any clarification on which command will take the lead in planning, coordination, and execution (i.e., the supported command). In summer 2019 we followed up with DOD. While DOD has issued a supplemental DSCA execute order, neither this document--nor any other document provided to us to date--clarifies the roles and responsibilities of relevant entities and officials--including the DOD components, supported and supporting commands, and dual-status commander--in supporting civil authorities as needed in a cyber incident. Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, as we recommended, DOD will continue to experience uncertainty about the roles and responsibilities of its components and commands with regard to providing support to civil authorities in the event of a significant cyber incident.