GAO’s recommendations database contains report recommendations that still need to be addressed.
GAO’s priority recommendations are those that we believe warrant priority attention.
We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues.
Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations.
Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of February 9, 2020, there are 4958 open recommendations, of which 422 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Browse or Search Open Recommendations
Have a Question about a Recommendation?
For questions about a specific recommendation, contact the person or office listed with the recommendation.
For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or email@example.com.
Recommendation: To help improve DOD's planning and processes for supporting civil authorities in a cyber incident, the Secretary of Defense should direct the Under Secretary of Defense for Policy in coordination with the Chairman of the Joint Chiefs of Staff to issue or update guidance that clarifies roles and responsibilities for relevant entities and officials--including the DOD components, supported and supporting commands, and dual-status commander--to support civil authorities as needed in a cyber incident.
Agency: Department of Defense Status: Open Priority recommendation
Comments: The Department of Defense concurred with the recommendation and indicated that, in response, it would update existing agency guidance (e.g., doctrine, directives, instructions) or develop new guidance as appropriate. Since we issued our report, DOD has issued several guidance documents-including Directive Type Memorandum 17-007, Interim Policy and Guidance for Defense Support to Cyber Incident Response (June 2017); and Joint Publication 3-12, Cyberspace Operations (June 2018)-to prepare the department to provide support to civil authorities for a cyber incident. However, the Directive Type Memorandum did not identify or clarify which DOD combatant command (i.e. NORTHCOM and PACOM versus CYBERCOM) would serve as the supported versus supporting command or the roles and responsibilities of a dual-status commander when DOD is providing support to civil authorities for a cyber incident. Rather, the memorandum tasked Joint Staff to designate the command responsibilities. Also, this Directive Type Memorandum was effective for one year and expired in June 2018. DOD has drafted a DOD Instruction that will replace this memorandum. Similarly, DOD has drafted another DOD Instruction that will supposedly provide policy and guidance on the use of dual-status commanders when providing support to civil authorities in a cyber incident. Joint Publication 3-12 similarly does not clarify roles and responsibilities of combatant commands and the dual-status commander. Specifically, the joint publication states that when DHS requests support, the fundamental principles of DSCA used to respond to domestic emergencies in the physical domains also apply to cyberspace operations support. Per DOD's Unified Command Plan, NORTHCOM and PACOM are the supported commands for DSCA missions in the physical domain. However, Joint Publication 3-12 does not re-iterate those roles and responsibilities. Instead, when describing CYBERCOM's roles and responsibilities, it states that CYBERCOM could assume either supported or supporting command responsibilities based on the military order that is issued. When describing NORTHCOM and PACOM's roles and responsibilities, it states that those commands fulfill specific cyberspace operations responsibilities related to DSCA and homeland defense with CYBERCOM others, as required. While the publication re-iterates a basic DOD concept - DOD components should work together - the publication does not provide any clarification on which command will take lead in planning, coordination, and execution (i.e. supported command). In summer 2019 we followed-up with DOD. While DOD has issued a supplemental DSCA execute order, neither this document--nor any other documents provided to us to date--clarifies roles and responsibilities for relevant entities and officials--including the DOD components, supported and supporting commands, and dual-status commander--to support civil authorities as needed in a cyber incident. Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, as we recommended, DOD will continue to experience uncertainty about the roles and responsibilities of different DOD components and commands with regard to providing support to civil authorities in the event of a significant cyber incident.