Recommendation: The Under Secretary for Management should ensure that the Office of Program Accountability and Risk Management and component heads execute the Component Acquisition Executive nomination and designation process consistently, as described in its guidance. This should include nominating and designating Component Acquisition Executives to oversee all acquisition programs. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should ensure that the Component Acquisition Executives that are responsible for oversight of acquisition programs comply with Department of Homeland Security direction to complete Component Acquisition Executive support staffing plans. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should identify, in policy or guidance, the expertise that constitutes critical acquisition positions for effective Component Acquisition Executive oversight. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should direct the Office of Program Accountability and Risk Management to establish a time frame for completing its assessment of the Investment Evaluation, Submission, and Tracking (INVEST) system data fields for which the Component Acquisition Executive certification is necessary, based on current use and reporting requirements, and take appropriate actions based on the results. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of DHS's Cybersecurity and Infrastructure Agency should assess EPA data when planning outreach to public water system and wastewater treatment works facilities (Recommendation 1).

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should develop and implement a mechanism to compare component marine operating costs across components and locations, including a cost per vessel underway (float) hour methodology (Recommendation 1).

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security, in coordination with the Secretary of Defense, should (1) revise the criteria in the 2019 National Interest Action code memorandum of agreement to clearly identify steps they will take to obtain input from key federal agencies prior to extending or closing a National Interest Action code, (2) establish timelines for evaluating the need to extend a National Interest Action code, and (3) define what constitutes a consistent decrease in contract actions and routine contract activity to ensure the criteria for extending or closing the National Interest Action code reflect government-wide needs for tracking contract actions in longer term emergencies, such as a pandemic. (Recommendation 13)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that integrators' solutions provide unique identifiers for hardware on selected agencies' networks. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that SBA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the Director of Strategic Technology Management (STM), in collaboration with other members of the Information Technology Program Management Center of Excellence (ITPM COE), identifies the skills and resources needed to complete the work intended for the upcoming fiscal year, including the availability of supplementary staff, such as subject matter experts. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the Executive Steering Committee overseeing the activities of the ITPM COE establishes target measures for the department's desired outcomes of its transition to Agile development. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the DHS Chief Information Officer (CIO) defines a process and associated set of controls to ensure that Agile programs and projects are reporting a set of core required performance metrics for monitoring and measuring Agile adoption. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the ITPM COE, in coordination with the CIO, begins measuring results associated with the transition to Agile and the success of the transition based on its impact on the department. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, in collaboration with the Chief Procurement Officer, through the Homeland Security Acquisition Institute, establish Agile training requirements for senior stakeholders. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the Chief Human Capital Officer, in collaboration with the CIO, consider modifications to the current employee recognition and performance management governance to ensure that teamwork and team performance of Agile programs and projects are incentivized. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, in collaboration with the Chief Procurement Officer, through the Homeland Security Acquisition Institute, establish Agile training requirements for staff outside of the acquisition workforce but assigned to Agile programs. (Recommendation 7)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, upon establishing a set of core performance metrics, tracks and monitors the pace of Agile team development. (Recommendation 8)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, in collaboration with the Executive Director of the Office of Program Accountability and Risk Management (PARM), update or develop new guidance on Agile methodologies to describe how Agile teams can estimate the relative complexity of user stories. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, upon establishing a set of core performance metrics, sets expectations for automated testing and code quality, and tracks and monitors against those expectations. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should align the agency's contingency plan with OMB guidance by including (1) plans for a potential prolonged shutdown; (2) flexibilities available to supervisors if furloughed employees were unable to return to work after the end of the shutdown; and (3) procedures for resuming program activities, including steps to ensure appropriate oversight and disbursement of funds upon the end of a shutdown. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security agreed with the recommendation and and stated that it has begun to take steps to better address OMB guidance on contingency plans. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should direct the DHS Chief Procurement Officer to, in coordination with the Office of Program Accountability and Risk Management, develop a risk-based approach for reviewing service requirements—through the Procurement Strategy Roadmap or other means—to ensure proposed service requirements are clearly defined and reviewed before planning how they are to be procured. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS disagreed with our recommendation, preferring to maintain the status quo in its policy and procedures. However, by doing so, DHS is missing important opportunities to prevent negative acquisition outcomes and the potential for wasted resources. In its response, DHS noted its processes for major acquisitions, however, DHS service programs and contracts did not rise to the level of being classified a major service acquisition.

Recommendation: The Secretary of Homeland Security should direct the DHS Chief Procurement Officer to document the factors the Office of the Chief Procurement Officer considers when waiving procurement actions from its Procurement Strategy Roadmap to ensure it is consistently considering potential acquisition risks in its planning—including those specific to services. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation, maintaining that the factors considered when waiving a Procurement Strategy Roadmap are not static. We believe, however, that documenting the factors considered will help ensure that the decisions to waive the Procurement Strategy Roadmaps are made consistently, transparently, and help maintain institutional knowledge.

Recommendation: The Secretary of Homeland Security should direct the DHS Chief Procurement Officer to update the Inherently Governmental and Critical Functions Analysis to require the identification of special interest functions. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that it will update the Inherently Governmental and Critical Functions Analysis job aid to require the identification of a special interest function when applicable.

Recommendation: The Secretary of Homeland Security should direct the DHS Chief Procurement Officer to update the Inherently Governmental and Critical Functions Analysis to provide guidance for analyzing, documenting, and updating the federal workforce needed to perform or oversee service contracts requiring heightened management attention. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation maintaining that the components are certifying that they have sufficient internal capacity or federal employees available for oversight within the Inherently Governmental and Critical Functions Analysis. We continue to believe, however, that without guidance, each component is making its own determination about which factors to consider, and DHS does not know how or whether the components are considering the federal workforce available to oversee service contracts in need of heightened management attention, or what steps, if any, the components are taking to mitigate risks if there are not enough federal personnel available to oversee the contracts after award.

Recommendation: The Secretary of Homeland Security should direct the DHS Chief Procurement Officer to develop guidance identifying oversight tasks or safeguards personnel can perform, when needed, to mitigate the risk associated with contracts containing closely associated with inherently governmental functions, special interest functions, or critical functions. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that it will develop guidance that identifies oversight tasks or safeguards that personnel can perform, when needed, to mitigate the risk associated with contracts containing closely associated with inherently governmental, special interest, or critical functions.

Recommendation: The Secretary of Homeland Security should direct the DHS Chief Financial Officer to work with Congress to identify information to include in its annual congressional budget justifications to provide greater transparency into requested and actual service requirement costs, particularly for those services requiring heightened management attention. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation stating that its annual Congressional Budget Justification already contains substantial service contract information. We maintain, however, that the service contract information currently included limits visibility for both DHS and Congress into requested and actual service requirements costs.

Recommendation: The Secretary of Homeland Security, jointly with the Secretary of Health and Human Services, should collaborate to address information sharing gaps identified in this report to ensure that ORR receives information needed to make decisions for UAC, including those apprehended with an adult. (Recommendation 8)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that the Office of Strategy, Policy, and Plans will work with relevant components and HHS to document current information-sharing practices to validate the remaining gaps and draft a joint plan between DHS and HHS to ensure that HHS receives information needed to make decisions for unaccompanied children, including those apprehended with an adult. DHS estimated that these actions will be completed by December 31, 2020. Further DHS and HHS collaboration about information sharing methods and ways to enhance interagency agreements would better position HHS to make informed and timely decisions for unaccompanied children.

Recommendation: The Secretary of Homeland Security should identify the information about family members apprehended together that its components collectively need to process those family members and communicate that information to its components. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: According to DHS, in June 2020, DHS's Office of Immigration Statistics launched a Family Status Data Standards Community of Interest (COI) under the purview of the DHS Immigration Data Integration Initiative. In August 2020, DHS reported that the Family Status COI includes subject matter experts and data system managers from DHS components, the Department of Health and Human Services, and the Executive Office for Immigration Review. The COI's mandate includes drafting common DHS-wide and interagency data standards (common codes, common definitions, common formats) for all topics related to family status, including codes to identify the reasons for family separation, members apprehended together, and unaccompanied children. DHS expects to complete these actions by September 30, 2020. Identifying and communicating department-wide information needs with respect to family members who have been apprehended together should help provide DHS with greater assurance that its components are identifying all individuals who may be eligible for relief from removal from the United States based on their family relationships.

Recommendation: The Secretary of Homeland Security should ensure that, at the time of apprehension, CBP collects the information that DHS components collectively need to process family members apprehended together. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that its Office of Immigration Statistics (OIS) will work with relevant components and offices to ensure all required information is collected at the time of apprehension on the Form I-213 when processing family members apprehended together. As of August 2020, DHS reported that DHS OIS continues to work with relevant components and offices to ensure all required information is collected at the time of apprehension on Form I-213 when processing family members apprehended together. DHS expects to complete these actions by September 30, 2020. Collecting information about the relationships between family members apprehended together and documenting that information on the Form I-213 could help address fragmentation among DHS components and improve the information available to other agencies.

Recommendation: The Secretary of Homeland Security should ensure that CBP documents the information that DHS components collectively need to process family members apprehended together on the Form I-213. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that, upon implementation of the steps the department plans to take in response to our second recommendation, CBP will issue guidance to the field to ensure that CBP agents and officers document the information that DHS components collectively need to process family members. In August 2020, DHS reported that component agencies continue to collaborate to define the process of family members apprehended together, as will be reflected on CBP Form I-213. DHS estimates issuing this guidance by March 31, 2021. Collecting information about the relationships between family members apprehended together and documenting that information on the Form I-213 could help address fragmentation among DHS components and improve the information available to other agencies.immigration or other proceedings.

Recommendation: The Secretary of Homeland Security should evaluate options for developing a unique identifier shared across DHS components' data systems to link family members apprehended together. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that its Office of Immigration Statistics (OIS) plans to work with relevant components to develop a unique shared identifier linking family members apprehended together. According to DHS, DHS OIS launched the Family Status Community of Interest (COI) in June 2020, and the COI has since established a bi-weekly meeting schedule. The COI's initial focus is on standard codes describing the reasons for family separations. Upon completing the family separation reason standard, DHS reported that the COI will prioritize developing common codes to identify family members apprehended together. DHS estimates completing these actions by March 31, 2021. Evaluating options for developing a shared unique family member identifier across components that would allow each component access to certain information about family members apprehended together would help bridge the information gaps about family relationships between components caused by DHS's fragmented data systems.

Recommendation: The Secretary of Homeland Security should take steps to ensure appropriate agency-funded research data are readily findable and accessible to the public. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security concurred with this recommendation and noted that it was in the process of establishing a portal on its website to increase public access to agency-funded research. The department estimated these efforts would be completed by June 30, 2020. When we confirm what actions the agency has taken in response to the recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should complete development of data management plan requirements. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security concurred with this recommendation, stating that it would develop a departmentwide management directive for research and development data as well as data management plan guidance and a template to document requirements. The department estimated that these efforts would be completed by June 30, 2020. When we confirm what actions the agency has taken in response to the recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should evaluate training needs for agency officials or others involved in reviewing the merits of researchers' data management plans and, if additional training is found to be warranted, develop and provide such training. (Recommendation 15)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security concurred with this recommendation, and indicated it would evaluate training needs for data management plan reviews and develop plans to fulfill any additional training needs identified. The department estimated these efforts would be completed by September 30, 2020. When we confirm what actions the agency has taken in response to the recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should develop and implement a mechanism to ensure researcher compliance with the public access plan and associated requirements. (Recommendation 26)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security concurred with this recommendation and stated it would develop a mechanism to ensure researcher compliance with the department's public access plan and data management plan requirements. The department estimated these efforts would be completed by September 30, 2020. When we confirm what actions the agency has taken in response to the recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should direct the Administrator of FEMA to identify and develop controls, such as methods to more easily identify transit expenses within applications submitted by larger entities such as a city, county, or state government, to address the risk of duplicate funding. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to fully meet the key practice for programs to test that components and subsystems work together as a system in a controlled setting before finalizing a system's design. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify that acquisition programs demonstrate that components and subsystems work together before finalizing a system's design. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of updating the policy and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE, in coordination with OCPO, to develop an assessment process-including establishing performance measures-to help ensure T&E training achieves desired results. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the knowledge and skill requirements for the T&E workforce and establish performance goals for the training. DHS Test and Evaluation Division (TED), in coordination with OCPO, also plan to develop strategies to address any deficiencies with the current training that do not meet the identified requirements. In April 2020, TED officials said that they developed a new survey process to obtain recurring feedback from participants on the training's impact on their ability to perform T&E duties as assigned over time to inform the annual review of the T&E curriculum. However, this effort is still in a piloting stage so the extent to which this information is used to assess the training is still unknown at this time. As of July 2020, TED was still in the process of executing these efforts.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to specify when in the acquisition life cycle a major acquisition program manager should designate a level III certified T&E manager. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify when in the acquisition lifecycle acquisition program managers should designate a qualified T&E manager. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of revising the policy to include this specification and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to establish an internal control process to ensure that data collected and maintained on major acquisition programs' T&E managers are reliable. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to establish an internal control process to reliably collect and maintain data on acquisition programs' assigned test and evaluation managers. In April 2020, DHS Test and Evaluation Division (TED) reported taking steps to ensure the validity of this data including establishing points of contacts within each component to cross-check collected information for accuracy and having the Director review collected data on a quarterly basis beginning in third quarter fiscal year 2020. As of July 2020, TED was still in the process of improving its internal collection process, but had not completed these efforts.

Recommendation: The Secretary for Homeland Security should direct the Under Secretary for Science and Technology to assess OTE's workforce to ascertain the extent to which it has the appropriate number of staff with the necessary skills to fulfill its responsibilities. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the Test and Evaluation Division's (TED) workforce by reviewing current staffing levels and vacancies against the division's roles and responsibilities. The Senior Official Performing the Duties of the Under Secretary for Science and Technology plans to use the results of this review to inform strategic hiring in future years, if needed. In February 2020, DHS released its fiscal year 2020 strategic guidance memorandum for the Science and Technology (S&T) Directorate which included a statement pertaining to resourcing S&T's test and evaluation capabilities. However, as of July 2020, S&T had not yet conducted its review of TED's workforce.

Recommendation: To strengthen the mass care response to future disasters, the Secretary of Homeland Security should direct FEMA to periodically review the current structure of ESF-6 leadership roles andresponsibilities for coordinating mass care. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. The department considers this issue to be resolved because FEMA established a working group in 2018 that reports on performance metrics and corrective actions and improvement plans. As part of that mission they are establishing a reporting system for emergency support function (ESF) coordinators to provide monthly updates on implementing corrective actions and validating improvements through exercises. We agree that these actions are important parts of effectively overseeing and evaluating ESF activities and results. However, while these efforts may address the responsibilities of ESF agencies, they may overlook the overall leadership roles of ESF agencies. To fully implement this recommendation, DHS and FEMA would need to demonstrate there is a process for reviewing the structure of ESF leadership roles on a regular basis.

Recommendation: The Secretary of Homeland Security should update the department's environmental justice strategic plan. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, the department agreed with this recommendation. We will continue to review the department's actions and update this information.

Recommendation: The Deputy Secretary of Homeland Security should ensure that S&T take steps to more fully incorporate practices for developing milestones within DHS's budget preparation guidance, into the Surface Transportation Explosive Threat Detection program. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In September 2019, GAO reported on a Department of Homeland Security's (DHS) Science and Technology Directorate (S&T) research and development (R&D) program to develop technologies to secure mass transit systems. DHS budget guidance requires S&T to develop results-oriented milestones to track program progress. GAO found that the S&T program's milestones did not clearly link to key activities described in program plans, and thus, were not results oriented. Therefore, we recommended that DHS develop milestones to track its progress developing the technologies that fully adhered to guidance. DHS concurred with our recommendation, and in February 2020, reported that S&T's Finance and Budget Division validated that milestones for the program were compliant with DHS guidance. GAO is currently working with DHS S&T to review documentation related to the validation process in order to close the recommendation..

Recommendation: The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should develop performance metrics for the department's EEO program including a mechanism for tracking progress towards eliminating barriers. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: On August 18, 2020, DHS informed us that the work it is undertaking to respond to this recommendation is ongoing.

Recommendation: DHS component EEO Directors, in consultation with the Deputy Officer for EEO and Diversity, should develop policies and procedures to help ensure that their component EEO programs have action plans for addressing deficiencies in their Management Directive 715 (MD-715) reports. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: On May 11, 2020, DHS provided GAO with copies of standard operating procedures for addressing EEO program deficiencies for seven out of eight operational components as well as DHS headquarters. Each of the components' standard operating procedures require that action plans are in place to address any outstanding EEO program deficiencies.

Recommendation: The Deputy Officer for EEO and Diversity should develop a formal staffing model for its EEO program. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: On August 18, 2020, DHS informed us that the work it is undertaking to respond to this recommendation is ongoing.

Recommendation: DHS component EEO Directors, in collaboration with the Deputy Officer for EEO and Diversity, should develop component formal staffing models. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: On August 18, 2020, DHS informed us that the work it is undertaking to respond to this recommendation is ongoing.

Recommendation: The Secretary of Homeland Security—in consultation with the Office for Civil Rights and Civil Liberties (CRCL) and EEOC, and other agencies and components, as relevant—should analyze options for granting additional authorities to the Deputy Officer for EEO and Diversity to ensure DHS components comply with MD-715 guidance, including the authority of the Deputy Officer for EEO and Diversity to certify components' MD-715 reports. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: On August 18, 2020, DHS informed us that the work it is undertaking to respond to this recommendation is ongoing.

Recommendation: The Secretary of Homeland Security should ensure that the fiscal year 2019 plan includes the statutorily required elements or discloses why any element was not included in the plan. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS agreed with our recommendation and in August 2020, DHS issued the Fiscal Year 2019-2020 Border Security Improvement Plan. The plan includes a description and the status for satisfying of each of the 11 statutorily required elements. GAO has on-going work to review the plan.

Recommendation: The Secretary of Homeland Security should develop outcome-based performance measures for the DHS JTFs that are consistent. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: DHS stated it concurred with the GAO recommendation. In December 2019, DHS officials stated it is overseeing the implementation of measures that contain outcome-based direction for assessing counter drug operations effects, which requires a phased approach, and added that DHS hopes to achieve two consecutive years of consistent reporting of performance measures. The estimated completion date for addressing this recommendation is June 2020. GAO will continue to follow-up with DHS on its progress towards implementing the recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the Commandant of the Coast Guard develops the capability to present servicemembers' race and ethnicity data in its investigations and personnel databases using the same categories of race and ethnicity established in the December 2018 uniform standards for the military justice databases, either by (1) modifying the Coast Guard's investigations and personnel databases to collect and maintain the data in accordance with the uniform standards, (2) developing the capability to aggregate the data into the race and ethnicity categories included in the uniform standards, or (3) implementing another method identified by the Coast Guard. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. In May 2019, the Coast Guard stated that it would implement modifications to the Coast Guard's military justice database to support the tracking of race, ethnicity and gender information as part of a longer term initiative to capture all of the data elements required by the uniform standard adopted by the Department of Defense. They estimated this would be completed in September 2020.

Recommendation: The Secretary of Homeland Security should ensure that the Commandant of the Coast Guard considers the feasibility, to include the benefits and drawbacks, of collecting and maintaining complete information for all nonjudicial punishment cases in one of the Coast Guard's databases, such as information on the servicemembers' race, ethnicity, gender, offense, and punishment imposed. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. In May 2019, the Coast Guard stated that it would consider the feasibility of collecting and maintain complete information for all nonjudicial punishments cases through a military justice and personnel work group. The estimated completion date for this action was not yet determined.

Recommendation: The Secretary of the Department of Homeland Security (DHS) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, the Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of DHS should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 11)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, The Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of the Department of Homeland Security (DHS) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of accessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of DHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 17)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Homeland Security should develop and implement a process to systematically review the reliability of the data used in its Border Security Metrics Report and comprehensively identify any limitations with the data and methodologies that underlie its metrics. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation and in a May 2020 update stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Secretary of Homeland Security should ensure the communication of the limitations of the metrics identified through the systematic review in the department's annual Border Security Metrics Report. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In its comment letter, DHS concurred with the recommendation and requested that we consider it closed as implemented because the department already detailed some of the limitations in its fiscal year 2017 report, and plans to continue to identify known limitations and the progress made to mitigate previously identified limitations in future reports. As discussed in the report, we agree that DHS identified and disclosed limitations for some metrics in its fiscal year 2017 Border Security Metrics Report; however, we identified at least one additional limitation for 21 of the 35 metrics on which DHS reported that DHS did not disclose or about which it could have been more transparent. To address the intent of this recommendation, once DHS has implemented a process to systematically review the reliability of the data used in its report and comprehensively identified related limitations, it should disclose those limitations in its annual Border Security Metrics Report. In a May 2020 update, DHS stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Under Secretary for the Office of Strategy, Policy, and Plans should include the results of sensitivity analyses to key assumptions in its statistical models of unlawful entry estimates in its annual Border Security Metrics Report. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation and in a May 2020 update stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Under Secretary for the Office of Strategy, Policy, and Plans should include measures of statistical uncertainty for all metrics based on estimates derived from statistical models in its annual Border Security Metrics Report. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation and in a May 2020 update stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Secretary of Homeland Security should establish a time frame for developing or updating policy to implement the statutory requirement to consult with ANCs on the same basis as Indian tribes under Executive Order 13175. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In February 2019, the Department of Homeland Security provided GAO documentation supporting a planned time frame of March 2020 for developing and updating its consultation policy to implement the statutory requirement to consult with ANCs in response to this recommendation. We plan to close the recommendation after reviewing documentation that the policy has been updated.

Recommendation: The Secretary of Homeland Security should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Homeland Security should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security (DHS) concurred with our recommendation. DHS conducted an audit of its components' cybersecurity coding efforts in fiscal year 2018 and identified actions that components needed to take to complete the assignment of appropriate NICE framework work role codes and assess the accuracy of position descriptions; a second audit for fiscal year 2019 is underway, and the department expects to complete its coding efforts by December 2020. As of January 2020, DHS has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, DHS will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.

Recommendation: The Secretary of DHS should direct the appropriate staff to work with OMB to follow up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS provided evidence in December 2019 but it was insufficient to close this recommendation. We will continue to follow-up with DHS.

Recommendation: The Secretary of Homeland Security should create corresponding processes and procedures to help implement the mission, roles, and responsibilities defined in the delegation of authority or similar document to help ensure predictability, repeatability, and accountability in departmentwide and crosscutting strategy and policy efforts. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security agreed with GAO's recommendation, and finalized a delegation of authority, which is a requisite step in being able to complete this action, in December 2019. As of February 2020, however, the agency had not taken action that addresses GAO's September 2018 recommendation to create processes and procedures corresponding to the mission, roles, and responsibilities defined in the delegation of authority. To close this recommendation, PLCY will need to create such processes and procedures to help ensure predictability, repeatability, and accountability in department-wide and crosscutting strategy and policy efforts. Until DHS creates these processes and procedures, the Office of Strategy, Policy, and Plans' ability to lead and coordinate policy will continue to be limited. Taking this recommended action would enhance the department's efficiency and reduce risks associated with fragmentation in the development of department-wide and crosscutting strategies, policies, and plans

Recommendation: The Under Secretary for Strategy, Policy, and Plans should use the DHS Workforce Planning Guide to help identify and analyze any gaps in PLCY's workforce, design strategies to address any gaps, and communicate this information to DHS leadership. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: On December 3, 2019, PLCY restated its concerns with this recommendation--specifically, that due to changes in administration and secretarial priorities, PLCY has to recalibrate and base budget and staffing projections on what officials expect will be needed, rather than current needs due to changing priorities. PLCY's ability to properly align resources with current needs must remain flexible and the workforce planning guidance that GAO references does not allow for that in whole. GAO maintains that utilizing the workforce planning guidance can be done while still maintaining the desired flexibility.

Recommendation: The Under Secretary for Strategy, Policy, and Plans should enhance the use of collaboration and communication mechanisms to connect with staff in the components with responsibilities for policy and strategy to better identify and address emerging needs. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: On March 5, 2019, PLCY officials told us PLCY has instituted many cross-component efforts to more clearly define its roles and responsibilities. For example, PLCY convenes frequent engagements with components via the Immigration Policy Council, the Strategy and Policy Executive Steering Committee, the Deputies Management Action Group, and the Threat Prevention and Security Policy Council. On December 3, 2019, PLCY officials told us that the pending delegation of authority will help address this recommendation, and the delegation of authority is expected to be completed in calendar year 2020. To close this recommendation, PLCY must provide documentary evidence of collaboration and communication mechanisms to connect staff and better identify emerging needs.

Recommendation: The DHS Under Secretary for Management should require the Coast Guard to update the HPIB acquisition program baselines prior to authorizing lead ship construction, after completion of the preliminary design review, and after it has gained the requisite knowledge on its technologies, cost, and schedule, as recommended above. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it will require the Coast Guard to update the HPIB program's acquisition program baselines prior to authorizing lead ship construction. As of August 2020, Coast Guard officials anticipate updating the acquisition program baselines by no later than February 2021. We will review the updated HPIB acquisition program baselines at that time and determine if the actions taken meet the intent of this recommendation.

Recommendation: The Secretary of DHS should ensure that the Commissioner of Customs and Border Protection through the Executive Assistant Commissioner for Operations Support updates the 2013 workforce assessment to account for the independent requirements organization's current workforce needs. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. Customs and Border Protection provided an estimated completion date for their workforce assessment of September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency establishes a policy for requirements development. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. The Federal Emergency Management Agency plans to establish a policy for requirements development by September 30, 2020, about one year after it completes changes to its governance processes.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes a policy for requirements development. (Recommendation 8)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes the planned independent requirements development organization within Immigration and Customs Enforcement. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes component specific training for requirements development. (Recommendation 11)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate finalizes and promulgates the National Protection and Programs Directorate's draft policy for requirements development. (Recommendation 12)

Agency: Department of Homeland Security
Status: Open

Comments: The National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency in January 2018. DHS concurred with this recommendation. The Cybersecurity and Infrastructure Security Agency estimates that it will have a final policy by September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate establishes the planned independent requirements development organization within the National Protection and Programs Directorate. (Recommendation 13)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. In January 2018, the National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency. The Cybersecurity and Infrastructure Security Agency estimates that it will establish an independent requirements organization by September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. In January 2018, the National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency. The Cybersecurity and Infrastructure Security Agency estimates it will complete an assessment to account for an independent requirements organization's workforce needs by September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Director of the U.S. Citizenship and Immigration Services establishes the planned independent requirements development organization within U.S. Citizenship and Immigration Services. (Recommendation 21)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. The U.S. Citizenship and Immigration Services estimates that it will establish an independent requirements development organization by September 30, 2020.

Recommendation: The Director of DHS's National Protection and Programs Directorate's Infrastructure Security Compliance Division (ISCD) should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and has taken steps to implement and monitor two new performance metrics intended to better demonstrate the CFATS program's effectiveness in enhancing national security and reducing national risk. Specifically, according to DHS, these new performance metrics allow for the (1) evaluation of the progress individual facilities have made in enhancing their security while part of the CFATS program, and (2) comparison of the security measures employed by CFATS-covered chemical facilities upon first entering the program against the improved and enhanced security measures contained in their approved CFATS security plans. DHS began reporting the two measures, "Average score of approved Site Security Plans" and "Average score of initial Site Security Plans", for the first quarter of fiscal year 2019. DHS stated that these measures will be used to demonstrate the percent increase in security score of facilities' security plans, resulting in a representation of the increase in the security posture across the facility population, which will be used internally to assess progress. GAO continues to monitor the results of these two new performance metrics.

Recommendation: The Secretary of Homeland Security should direct Homeland Security's members of the interagency working group for protection of Native American cultural property to implement selected leading collaboration practices, such as taking steps to agree on outcomes and objectives, clarify roles and responsibilities, and document these decisions. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2019, we have reached out to the Department of Homeland Security and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of Homeland Security should direct Homeland Security's members of the interagency working group for protection of Native American cultural property to identify and externally communicate to tribes points of contact within the agency that are responsible for responding to tribes' requests for assistance with repatriating cultural items from overseas auctions. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2019, we have reached out to the Department of Homeland Security and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of Homeland Security should direct Homeland Security's members of the interagency working group for protection of Native American cultural property to collaborate with the interagency working group members from other agencies to assess, in consultation with Indian tribes, whether and how amending the U.S. legal framework governing the export, theft, and trafficking of Native American cultural items would facilitate the repatriation of these items from auctions overseas and report its findings to Congress. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2019, we have reached out to the Department of Homeland Security and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Commissioner of CBP should analyze the costs associated with future barrier segments and include cost as a factor in the Impedance and Denial Prioritization Strategy. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In July 2018, we reported on U.S. Customs and Border Protection's (CBP) efforts to construct new physical barriers along the southwest border. We found that the Impedance and Denial Prioritization Strategy--CBP's decision support tool for prioritizing locations for barrier construction projects--did not include analysis of the costs of deploying barriers in each location, which can vary depending on topography, land ownership, and other factors. We recommended that CBP analyze the costs associated with future barrier segments and include cost as a factor in the Impedance and Denial Prioritization Strategy. CBP agreed with this recommendation. CBP officials stated that, after prioritizing locations, CBP conducts detailed cost estimates as part of the acquisitions process. As of January 2020, CBP officials stated that this cost information may affect how the construction projects are executed, but that it would not influence how CBP prioritizes barrier construction projects across various locations. As we have previously reported, organizations should use an integrated approach to the requirements, acquisitions, and budget processes to prioritize needs and allocate resources, so they can optimize return on investment, and maintain program affordability. To fully address our recommendation, Border Patrol needs to incorporate its analysis of the costs of barrier projects into its process for prioritizing locations for construction of barriers.

Recommendation: The Secretary of DHS should take steps to develop and document a plan that fully addresses best practices with regards to reduction of backlogged FOIA requests. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In April 2018, the Department of Homeland Security initiated a department-wide compliance assessment and stated that it plans to use the results of the assessment to help guide the department in identifying best practices and areas of improvement. The department does not have an estimate for when the plan will be complete.

Recommendation: The Under Secretary for Management should require the Office of Program Accountability and Risk Management to assess the results of major acquisition programs' post-implementation reviews and identify opportunities to improve performance across the acquisition portfolio. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to update its policy to require more formal reporting requirements and execution criteria for post-implementation reviews. PARM also plans to initiate a study focused on assessing lessons learned and developing a tool to share them across components to improve performance of the acquisition portfolio. In February 2020, PARM approved guidance intended to standardize analysis elements for post-implementation reviews. As of July 2020, PARM was still in the process of developing a tool to share results across components, but in the interim, results from some post-implementation reviews have been shared during meetings with Component Acquisition Executives. GAO will review post-implementation reviews conducted under the new guidance and will monitor DHS's implementation of the tool to ensure the department's actions meet the intent of this recommendation.

Recommendation: The Secretary of Homeland Security should work with Congress to include O&S data in monthly execution reports at a major acquisition program level within current program/project activity accounts. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS agreed with this recommendation and has indicated the OCFO budget division will develop a display that provides major acquisition program level data at the program project activity level by March 30, 2019. As of March 2020, DHS has developed these displays and is working to populate them with all components' data.

Recommendation: The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC, and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In written comments, the Department of Homeland Security (DHS) concurred with the recommendation in our report and stated that its National Protection and Programs Directorate, as the sector-specific agency for 9 of the 16 critical infrastructure sectors, will continue to work closely with its private sector partners to ensure framework adoption is a priority. Additionally, the department stated that the directorate will work closely with its private sector partners to better understand the extent of framework adoption and barriers to adoption by entities across their respective sectors. As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, in October 2019, DHS, in coordination with its Information Technology (IT) sector partner, administered a survey to all small and midsized IT sector organizations to gather information on, among other things, framework use and plans to report on the results in 2020. DHS officials stated that any small or mid-sized business across all critical infrastructure sectors could complete the survey and that the department had promoted the survey to all sectors.

Recommendation: The Secretary of Homeland Security, in collaboration with other agencies, through the planned interagency working group or another mechanism, should identify further opportunities to more effectively publicize resources to reach additional colleges. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In early 2020, the federal government created the schoolsafety.gov clearinghouse website to compile and publicize emergency preparedness resources from across multiple agencies including the Departments of Education, Homeland Security, and Justice. The website houses key emergency preparedness resources we identified during our work as well as newer information that was not part of our review, such as guidance related to the Coronavirus Pandemic. DHS issued a press release when the website was launched, but does not prominently publicize it on it website, including on its webpages that are specifically focused on colleges and universities. We will monitor the agency's efforts to publicize these resources and consider closing it at that time.

Recommendation: The DHS Under Secretary for Management should develop and implement effective processes and improve guidance to reasonably assure that future AAs fully follow AOA process best practices and reflect the four characteristics of a reliable, high-quality AOA process. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS stated that it remains committed to its financial system modernization program and agrees that effective processes and guidance are necessary to assure best practices. In September 2020, DHS officials informed us that they did not have any updates to report on efforts to address this recommendation. We will continue to follow-up with DHS on actions to address this recommendation.

Recommendation: The DHS Under Secretary for Management should improve the Risk Management Planning Handbook and other relevant guidance for managing risks associated with financial management system modernization projects to fully incorporate risk management best practices, including (1) defining thresholds to facilitate review of performance metrics to determine when risks become unacceptable; (2) identifying and analyzing risks to include periodically reconsidering risk sources, documenting risks specifically related to the lack of sufficient, reliable cost and schedule information needed to help properly manage and oversee the project, and timely disposition of IV&V contractor-identified risks; (3) developing risk mitigation plans with specific risk-handling activities, the costs and benefits of implementing them, and contingency plans for selected critical risks; and (4) implementing risk mitigation plans to include establishing periods of performance for risk-handling activities and defining time intervals for updating and certifying the accuracy and completeness of information on risks in DHS's risk register. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS stated that it is committed to its financial system modernization program and agrees that effective processes and guidance are necessary to assure best practices. In September 2019, DHS provided documentation that cross walked DHS' Risk Management Training Aide to the Capability Maturity Model Integration (CMMI) for acquisition risk management best practices. However, the optional nature of the language used in the Training Aide does not reasonably assure that program offices will follow the suggested guidance. Also, the Training Aide does not specifically require the linking of thresholds to cost, schedule, and performance elements of identified risks. Based on our review of the information provided, DHS's corrective actions were not sufficient for addressing the intent of our recommendation. We will continue to evaluate DHS actions to address this recommendation.

Recommendation: To provide reasonable assurance that USRAP applicant fraud prevention and detection controls are adequate and effectively implemented, the Secretaries of Homeland Security and State should conduct regular joint assessments of applicant fraud risk across USRAP.

Agency: Department of Homeland Security
Status: Open

Comments: We reported that the Department of State and DHS's U.S. Citizenship and Immigration Services (USCIS) have not jointly assessed applicant fraud risks across the U.S. Refugee Admissions Program (USRAP), consistent with federal internal control standards and leading practices for fraud risk management. Specifically, we reported that although State and USCIS perform a number of fraud risk management activities and have responded to individual instances of applicant fraud in the program, these efforts do not position State and USCIS to assess fraud risks program-wide for USRAP or know if their controls are appropriately targeted to the areas of highest risk in the program. Therefore, we recommended that the Secretaries of Homeland Security and State conduct regular joint assessments of applicant fraud risk across USRAP. USCIS concurred with our recommendation. In response, State reported that it will work together with USCIS to conduct joint risk assessments by jointly developing a risk assessment framework. According to DHS and State documentation, the departments finalized a joint framework in January 2018. In February 2019, DHS and State provided us with the interim progress report on their efforts to conduct an assessment of applicant fraud risk across USRAP. In June 2019, USCIS reported that DHS and State have completed the planned analysis and the draft report is being prepared for leadership review and clearance. DHS estimated that the report will be completed by September 30, 2020. To fully address the recommendation, State and USCIS should jointly conduct regular fraud risk assessments across USRAP.

Recommendation: In order to improve employee misconduct policies and procedures, the Secretary of Homeland Security should direct the FEMA Administrator to document policies and procedures to address potential Surge Capacity Force misconduct.

Agency: Department of Homeland Security
Status: Open

Comments: We found that the Federal Emergency Management Agency (FEMA) had developed and documented misconduct policies and procedures for most employees, but not its entire workforce. Specifically, FEMA had not documented misconduct policies and procedures for Surge Capacity Force members, who may augment FEMA's workforce in the event of a catastrophic disaster. As a result, we recommended that FEMA document policies and procedures to address potential Surge Capacity Force misconduct. In September 2017, FEMA officials reported taking action to address this recommendation. Specifically, FEMA distributed a memorandum to Federal Coordinating Officers and Federal Disaster Recovery Coordinators providing guidance on how and to whom to report allegations of misconduct by Surge Capacity Force members, coordination efforts regarding investigations, and how to address the member's duty status during the course of an investigation. FEMA stated that it will further address this recommendation by updating the FEMA Human Capital Plan for the Surge Capacity Force. As of August 2020, FEMA was finalizing a comprehensive Human Capital Guide based on lessons learned during the 2017 disaster season, which will address the Surge Capacity Force. This recommendation will remain open until the Human Capital Guide is completed.

Recommendation: In order to improve employee misconduct policies and procedures, the Secretary of Homeland Security should direct the FEMA Administrator to document Reservist disciplinary options and appeals policies and procedures that are currently in practice at the agency.

Agency: Department of Homeland Security
Status: Open

Comments: We found that the Federal Emergency Management Agency's (FEMA) policies and procedures for Reservist employees did not outline disciplinary options to address misconduct or address the appeals process available for Reservists. As a result, we recommended that FEMA document Reservist disciplinary options and appeals policies and procedures that are currently in practice at the agency. In September 2017, FEMA reported that the Office of Response and Recovery was drafting an addendum to the FEMA Reservist program manual. As of August 2020, FEMA was finalizing a FEMA Reservist Performance Management Directive which will provide agency-wide guidance for Reservist management and discipline. FEMA expects the directive to be completed by November 2020. This recommendation will remain open until the directive is complete.

Recommendation: In order to better identify and address trends in employee misconduct, the Secretary of Homeland Security should direct the FEMA Administrator to, once the quality of the data is improved, conduct routine reporting on employee misconduct trends.

Agency: Department of Homeland Security
Status: Open

Comments: We found that the Federal Emergency Management Agency (FEMA) did not regularly conduct trend analysis on misconduct cases, and that the quality of the data restricted the agency's ability to identify and address trends. As a result, we recommended that, once steps were taken to improve the quality of the data, FEMA should conduct routine reporting on employee misconduct trends. As of July 2020, FEMA's Office of Professional Responsibility (OPR) changed plans on which information system to use for reporting purposes due to cyber security concerns. According to FEMA officials, OPR will be using a DHS enterprise system and the system will be able to generate regular reporting. FEMA anticipates reporting functionality by October 2020. We will continue to monitor FEMA's efforts to address the recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

Agency: Department of Homeland Security
Status: Open

Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to assess and document how the alternative technological solutions being considered will fully meet operational needs related to ultralight aircraft.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection (CBP) Air and Marine Operations (AMO) air domain awareness efforts. In March 2018, CBP completed an Air Domain Awareness Capability Analysis Report that identifies current capability gaps, including those related to ultralight aircraft. CBP stated that it plans to build upon the Capability Analysis Report to identify mission needs, a concept of operations, and operational requirements to address ultralight aircraft and other threats in the air domain. In February 2020, AMO reported that, in 2019, it conducted a technical assessment of one technology and plans to assess other systems in 2020 and 2021 to help determine if they fit into AMO's larger strategic vision for persistent wide area surveillance to address ultralight aircraft and other threats in the air domain. To fully address our recommendation, CBP should assess and document how alternative solutions will meet operational requirements related to ultralight aircraft.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP and the Director of ICE to jointly establish and monitor performance measures and targets related to cross-border tunnels.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate. As of March 2020, CBP and ICE have not reported taking any actions to develop performance measures and targets. To fully address our recommendation, CBP and ICE should establish and monitor performance measures and targets related to cross-border tunnels.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to establish and monitor performance targets related to ultralight aircraft.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred and stated that within U.S. Customs and Border Protection (CBP), Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. However, in December 2019, CBP reported that it will no longer pursue establishing a performance measure because it found that the ultralight aircraft interdiction rate fluctuated year to year, and that the number of ultralight aircraft incidents had been trending downward. Subsequently, in September 2020, CBP officials stated that they had reinitiated efforts to develop a performance measure and target in response to our continued belief that they can be set and would help CBP monitor performance to ensure that technology investments and operational responses to address ultralight aircraft are effective. To fully address our recommendation, CBP should establish a measure and monitor performance related to ultralight aircraft.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the U.S. Customs and Border Protection (CBP)-U.S. Immigration and Customs Enforcement (ICE) tunnel committee to convene and establish standard operating procedures for addressing cross-border tunnels, including procedures for sharing information.

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. In May 2018, CBP stated that it is looking for opportunities to standardize procedures for the detection, interdiction, mapping, and remediation of cross-border tunnels. To this end, CBP has plans to develop a standardized training on tunnel identification and tactics, techniques, and procedures for different types of tunnels. In addition, CBP is working to develop a consistent process that will facilitate coordination and collaboration with ICE. In March 2019, CBP reported that CBP and ICE have begun to routinely meet to collectively develop processes for using tunnel robotics, including processes to enhance communication between CBP and ICE. In September 2020, CBP and ICE reported that they do not plan to take any additional steps to address this recommendation. To fully address our recommendation, CBP and ICE should establish standardized procedures for addressing tunnels, including procedures for sharing information with one another.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commandant of the Coast Guard, Commissioner of CBP, and the Director of ICE to establish and monitor Regional Coordinating Mechanisms performance measures and targets related to panga boat and recreational vessel smuggling.

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation. DHS stated that that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. In February 2020, DHS reported that the department had not taken any further actions to implement this recommendation. We continue to believe that the recommendation is valid and will monitor any actions DHS takes that are responsive to it. For example, in response to a requirement in the National Defense Authorization Act for Fiscal Year 2017, DHS issued reports in May 2018, February 2019, and August 2020 that contain metrics and planned metrics to measure the effectiveness of border security in the maritime environment and other domains. Planned metrics that DHS does not yet have a methodology to measure across all components include situational awareness in the maritime environment, illicit drugs removal rate, and DHS maritime threat response rate. To fully address our recommendation, DHS should measure its performance related to smuggling across U.S. maritime borders.

Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to develop a cohesive strategy that includes measurable outcomes for CVE activities.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2019, DHS provided the National Counterterrorism Strategy as evidence that the department is including terrorism prevention as a necessary tool to meet its missions. While the strategy discusses terrorism prevention, it does not include specific activities or efforts, identify the agencies that will lead these efforts, or describe measurable outcomes for these efforts. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DHS's progress in this area as it develops its plan.

Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to establish and implement a process to assess overall progress in CVE, including its effectiveness.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2019, DHS provided a commissioned review of CVE programs and activities that was expected to help identify ways to measure their effectiveness. The report provides a broad assessment of past activities and suggestions for measures and metrics going forward, but does not establish a process for agencies to measure the success of their activities or overall progress of CVE efforts. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DHS's progress in this area as it develops its plan.

Recommendation: To mitigate the risk of poor acquisition outcomes and strengthen the department's investment decisions, the Secretary of Homeland Security should direct the Undersecretary for Management to update the acquisition policy to require that major acquisition programs' technical requirements are well defined and key technical reviews are conducted prior to approving programs to initiate product development and establishing Acquisition Program Baselines, in accordance with acquisition best practices.

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to initiate a study to assess how to better align its processes for technical reviews and acquisition decisions. Upon completion of the study, DHS updated its acquisition policy instruction in May 2019, which adjusted the acquisition life cycle. Specifically, the updated instruction requires programs to conduct key technical reviews--including a preliminary design review--prior to establishing the program's Acquisition Program Baseline. As of July 2020, DHS was in the process of updating the related policies and guidance for its Systems Engineering Life Cycle, which govern the department's technical reviews. GAO will review these policies and guidance once complete to confirm alignment with the changes made to the acquisition management instruction and will monitor DHS's implementation of its new acquisition life cycle to ensure the department's actions meet the intent of this recommendation.

Recommendation: To better ensure FEMA's regional activities effectively support individuals with disabilities, the Secretary of Homeland Security should direct the FEMA Administrator to take steps to establish written procedures for how regions should involve the Office of Disability Integration and Coordination in clarifying disability integration staff's roles, evaluating staff performance, and setting expectations for how staff communicate with headquarters and the regions.

Agency: Department of Homeland Security
Status: Open

Comments: FEMA agreed with this recommendation and FEMA's Office of Disability Integration and Coordination (ODIC) is in the process of establishing a working group that will clarify and codify the roles, responsibilities, and expectations among the various agency offices and personnel involved in carrying out the agency's disability integration mission. In January 2018, FEMA reported that it had created Regional Integration Teams in the regions to improve the efficiency and efficacy of mission delivery. In August 2018, ODIC reported its goal to meet with Regional Administrators and other senior leaders across the agency by the end of CY 2018 to refine the role for disability integration staff. The reported intent of refining the role is to better align it with the FEMA Administrator's goal of empowering emergency managers in states, localities, tribes, and territories. In June 2019, ODIC officials reported plans to convene a workgroup to examine the role of the Regional Disability Integration Specialist, including their reporting chain and their roles and responsibilities in each of FEMA's ten regions. The workgroup will meet over two months and develop recommendations to be considered by FEMA's Chief of Staff by August 23, 2019. GAO is encouraged by FEMA's efforts to engage Regional Administrators and other senior leaders in its refinement of the role of disability integration staff, and awaits evidence of FEMA establishing documentation of the agency's procedures for carrying out its disability integration mission.

Recommendation: To help ensure its key training on incorporating access and functional needs into emergency planning reaches a sufficiently wide audience, the Secretary should direct the FEMA Administrator to collect information about the potential pool of participants, set general goals for the number of state and local emergency managers that will take this course, and implement the delivery methods needed to meet these goals.

Agency: Department of Homeland Security
Status: Open

Comments: FEMA agreed with this recommendation and reported that it will work with its regional staff to map potential training participants in each state and set goals for delivery of the course to state and local emergency managers. The agency also reported that it may be able to use data in the State Preparedness Report and states' self-reporting on the need for training on integrating the needs of people with access and functional needs into emergency management. As of January 2018, the Office of Disability Integration and Coordination reported plans to hire a permanent staff person to review, assess, and recommend how FEMA should incorporate disability into all internal and external training. In August 2018, FEMA reported hiring a new Program and Policy Branch Chief in July 2018, and noted that this individual will formulate a plan to incorporate the needs of people with disabilities into internal and external training over several weeks. However, FEMA did not address whether this individual will seek information about the potential pool of external participants, or set goals for the number of state and local emergency managers who could participate in external training. FEMA also reported providing just-in-time training in the field to support field staff in providing services to people with disabilities. The agency anticipates completing these efforts by December 31, 2019 and we will consider closing this recommendation when the agency can document it has addressed the recommendation.

Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

Agency: Department of Homeland Security
Status: Open

Comments: As of 2/12/2020, awaiting additional evidence/clarification from DHS.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any functions' adherence with principle #8 related to safeguarding against unauthorized access or #9 regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated these two principles are a steady state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures that were related to prioritizing activities based on level of risk (#3) or ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different than those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine if the aforementioned is still applicable with the new metrics.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all 11 functions, DHS stated they have a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of data tracked in support of the aforementioned compliance measures, we will review to determine if they have closed this recommendation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

Agency: Department of Homeland Security
Status: Open

Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS) could impact this recommendation as well. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019, DHS stated that while no alerts or advisories are sent only to Section 9 entities, they do have various forms and mechanisms that Section 9 entities receive cybersecurity information: through HSIN Communities of Interest, the CISCP program, the applicable Sector Specific Agencies, and the applicable Section Information Sharing and Analysis Centers. Further analysis of the membership of the aforementioned forums and mechanisms is needed to determine the extent of Section 9 representation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019 DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: The Secretary of Homeland Security should direct the Assistant Secretary of Immigration and Customs Enforcement and Commissioner of Customs and Border Protection to collaborate on sharing immigration enforcement and removal data to help Border Patrol account for the removal status of apprehended aliens in its recidivism rate measure.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation. In May 2017, U.S Immigration and Customs Enforcement's (ICE) Enforcement and Removal Operations directorate provided immigration enforcement and removal data on a one-time basis to U.S. Customs and Border Protection's U.S. Border Patrol. In March 2018, U.S. Border Patrol officials requested that ICE provide these data on a quarterly basis. As of July 2020, ICE stated that it had shared the data with U.S. Border Patrol on multiple occasions. To fully implement this recommendation, ICE and U.S. Border Patrol need to document and implement their plans to share the data on a recurring basis.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.

Recommendation: If DHS's proposed CBRNE program consolidation is approved by Congress, the Secretary of Homeland Security should direct the Assistant Secretary for the Office of Policy to use, where appropriate, the key mergers and organizational transformation practices identified in our previous work to help ensure that a CBRNE consolidated office benefits from lessons learned from other organizational transformations.

Agency: Department of Homeland Security
Status: Open

Comments: We found that key mergers and organizational transformation practices identified in previous GAO work could benefit the Department of Homeland Security (DHS) during implementation of the proposed CBRNE consolidation. As a result, we recommended that should Congress approve DHS's CBRNE consolidation plan, the department use these key mergers and organizational transformation practices. In December 2018, the Countering Weapons of Mass Destruction Act of 2018 was enacted into law (Public Law 115-387) authorizing the proposed consolidation of CBRNE functions into a new Countering Weapons of Mass Destruction Office (CWMD office). In a memo to Congress regarding the new CWMD office, DHS stated that it remained committed to evaluating GAO's identified practices when implementing the consolidation. In August 2019, DHS provided us with information outlining efforts to use the key mergers and organizational transformation practices during the CWMD implementation phase. However, we requested additional evidence that all practices were considered. For example, one of the key practices is to use the performance management system to define responsibility and assure accountability for change. DHS created position descriptions for CWMD office leadership but we did not receive evidentiary support to demonstrate that DHS has added CWMD office transition goals to relevant employee performance plans. In April 2020, DHS estimated June 2020 for completing steps responsive to this recommendation. We will update the status of this recommendation as additional information is made available.

Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to clarify with regional offices and Federal Disaster Recovery Coordinators (FDRCs) the role of the regional implementation plans in FDRC performance plans and how they will be used to assess NDRF regional implementation efforts.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, to achieve greater integration of FEMA's field leadership components, FEMA's Field Operations Directorate (FOD) convened a Field Leadership Working Group of senior subject matter experts to conduct a mission analysis of FEMA's Field Leadership function (which includes Federal Disaster Recovery Coordinators as well as Federal Coordinating Officers and Incident Management Assistance Teams team leads). According to FEMA, the Working Group was preparing a Field Leader Manual (FLM) for review by FOD leadership. FEMA officials told us that the 2018 Hurricane season led to the deployment of many of FEMA's FOD leaders. These deployments allowed FOD leaders to experience first-hand the connection between regional implementation plans and FDRC performance plans and FEMA said that this knowledge is being integrated into edits of the FLM. In February 2020, FEMA told us that the FOD leadership responsible for the oversight of FDRCs is still determining the timeline to update the FLM based on a realignment of the Field Leadership Cadre. This update will integrate the Federal Coordinating Officers (FCOs) and FDRCs into a single FCO title with professional development specializations in response or recovery. This integration will support all FCOs in having a common baseline of training and experience in both response and recovery. In an August 2020 update, FEMA stated that while they continue to work toward implementing this recommendation, the FOD is currently focused on COVID-19 response efforts and planning for a more severe than average hurricane season. We will continue to monitor FEMA's efforts to see what additional actions the agency takes in response to this recommendation.

Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to align the annual FDRC performance expectations with clearly defined organizational goals and priorities, consistent with key management practices.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, the Field Leadership Working Group will implement the elements of this recommendation alongside efforts to clarify the role of the regional National Disaster Recovery Framework implementation plans. FEMA told us that the 2018 Hurricane season led to the deployment of many of FEMA's field leaders and these deployments allowed leaders to experience first-hand the connection between FDRC performance expectations and FEMA's organizational goals. According to FEMA, this knowledge is being integrated into edits of the Field Leader Manual (FLM). In February 2020, FEMA told us the FOD leadership responsible for the oversight of FDRCs is working with their partners in FEMA's Recovery and Resilience sections, as well as with the Regions to define performance expectations for steady-state recovery planning and preparedness under the NDRF. This will include identifying who is functionally accountable for these activities, any gaps, and best practices across Regions. In an August 2020 update, FEMA stated that while they continue to work toward implementing this recommendation, the FOD is currently focused on COVID-19 response efforts and planning for a more severe than average hurricane season. We will continue to monitor FEMA's efforts to see what additional actions the agency takes in response to this recommendation.

Recommendation: To strengthen the transparency of the complaints process, the Secretary of Homeland Security should direct CBP and ICE to develop and issue guidance on how and which complaint mechanisms should be communicated to individuals in custody at holding facilities.

Agency: Department of Homeland Security
Status: Open

Comments: In May 2016, we reported on the Department of Homeland Security's management and oversight of short-term holding facilities. We found, for example, that only 4 of 17 Border Patrol holding facilities posted information on how individuals can contact the DHS OIG to file general complaints, and the remaining facilities did not have information posted on any complaint mechanisms, such as the Joint Intake Center or CBP INFO Center. In December 2016, ICE Enforcement and Removal Operations (ERO) sent a broadcast to ICE field offices stating that posters should be visible at all of ICE ERO temporary holding facilities. This broadcast directed ICE ERO Field Office staff to immediately post copies of the Detention Reporting and Information Line poster, both in English and in Spanish, in temporary confinement areas or other areas so that it is visible to individuals in custody at ICE ERO temporary holding facilities. With regard to CBP, in October 2019, officials informed us there is no current CBP guidance requiring signage in CBP holding facilities to communicate complaint mechanisms other than the Prison Rape Elimination Act poster, which relates to reporting mechanisms for any potential incidents of sexual abuse and assault. In September 2020, CBP told us it planned to implement the necessary corrective actions to close this recommendation by March 31, 2021. In order to be able to close the recommendation as implemented, we will need to see updated guidance to the field about the posters that should be displayed in CBP facilities.

Recommendation: To enable FEMA to and more effectively respond to disasters, the Secretary of Homeland Security should direct the FEMA Administrator to develop a workforce strategy to manage and improve retention that includes a process for systematically gathering attrition data and a plan to retain IMAT Cadre-of On-Call Response Employees.

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, FEMA provided an update on the status of actions taken in response to our report. As of April 2019, FEMA stated that they are continuing to work on two actions. One, the development of a new organizational structure. FEMA is still refining and assessing the impact of the new IMAT structure. Two, in April 2019, FEMA delivered a new IMAT Program Orientation to nineteen new IMAT members. FEMA plans to analyze the impact of these changes along with attrition information. It plans to develop a high-level blueprint of the actions taken by FEMA to better manage the IMAT program and retain staff. Until completion of the action items, this recommendation will remain open. FEMA officials plan to provide a status update and finalize their efforts by September 2019. As of July 2020, FEMA officials have not completed steps to implement a revised IMAT structure. FEMA anticipates completing several actions by September 2020 and finalizing their plan by December 2020. However, due to COVID-19, the agency may face additional delays in doing so.

Recommendation: To provide reasonable assurance that USCIS's fraud prevention controls are adequate and effectively implemented, and ensure that asylum officers and FDNS immigration officers have the capacity to detect and prevent fraud, the Secretary of Homeland Security should direct USCIS to conduct regular fraud risk assessments across the affirmative asylum application process.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In October 2016, DHS indicated that USCIS had established a working group and collected fraud trend information from all eight asylum offices that will be used to inform the development of a risk assessment framework. According to USCIS officials, the Asylum Division, in cooperation with other relevant internal stakeholders such as USCIS's Fraud Detection and National Security Directorate (FDNS), completed a draft asylum fraud risk assessment in September 2017. In January 2019, Asylum Division officials told us that they had identified limitations in the data used in the draft assessment. Thus, USCIS was working to complete a revised qualitative risk assessment report for our review. Officials also told us that the report was undergoing additional revisions due to changes in 2019 to the affirmative asylum program, and to reflect updates to the resources dedicated to FDNS's functions. As of October 2020, USCIS anticipates finalizing the report by the end of December 2020. Regularly assessing fraud risks across the affirmative asylum process would provide USCIS more complete information on risks that may affect the integrity of the process and therefore help USCIS target its fraud prevention efforts to those areas that are of highest risk.

Recommendation: To help ensure that biosurveillance-related funding is directed to programs that can demonstrate their intended capabilities, and to help ensure sufficient information is known about the current Gen-2 system to make informed cost-benefit decisions about possible upgrades and enhancements to the system, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs and other relevant officials within the Department to not pursue upgrades or enhancements to the current BioWatch system until the Office of Health Affairs (OHA): (1) establishes technical performance requirements, including limits of detection, necessary for a biodetection system to meet a clearly defined operational objective for the BioWatch program by detecting attacks of defined types and sizes with specified probabilities; (2) assesses the Gen-2 system against these performance requirements to reliably establish its capabilities; and (3) produces a full accounting of statistical and other uncertainties and limitations in what is known about the system's capability to meet its operational objectives.

Agency: Department of Homeland Security
Status: Open

Comments: DHS told us in June, 2019 that it terminated the Biodetection Technology Enhancements program to enhance BioWatch. Additionally, DHS is transitioning to a new acquisition program called BioDetection 21 intended to replace BioWatch. We will update the status of this recommendation as we obtain more information about DHS's BioDetection 21 acquisition efforts and the extent to which these efforts are consistent with our recommendation.

Recommendation: To help reduce the risk of acquiring immature detection technologies, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs, in coordination with the Under Secretary for Science and Technology, to use the best practices outlined in this report to inform test and evaluation actions for any future upgrades or changes to technology for BioWatch.

Agency: Department of Homeland Security
Status: Open

Comments: DHS told us in June, 2019 that it terminated the Biodetection Technology Enhancements program to enhance BioWatch. Additionally, DHS is transitioning to a new acquisition program called BioDetection 21 intended to replace BioWatch. We will update the status of this recommendation as we obtain more information about DHS's BioDetection 21 acquisition efforts and the extent to which these efforts are consistent with our recommendation.

Recommendation: To increase the efficiency and improve the accuracy of the interagency UAC referral and placement process, the Secretaries of Homeland Security and Health and Human Services should jointly develop and implement a documented interagency process with clearly defined roles and responsibilities, as well as procedures to disseminate placement decisions, for all agencies involved in the referral and placement of UAC in HHS shelters.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: Since our 2015 report, DHS and HHS developed two documents to guide interagency procedures related to the processing of UAC. Specifically, in April 2018, HHS and DHS established a memorandum of agreement regarding information sharing for UAC. Subsequently, on July 31, 2018, DHS and HHS issued a Joint Concept of Operations to memorialize interagency policies, procedures, and guidelines related to the processing of UAC. However, in February 2020, we reported that DHS and HHS officials' indicated that, in practice, the agencies have not resolved long-standing differences in opinion about whether and how agencies are to share information, and what type of information is needed to inform decisions about the care and placement of UAC. In commenting on our draft report, DHS stated that its components are working with HHS to document current information sharing practices, to validate remaining information sharing gaps, and to draft a joint plan between DHS and HHS to ensure that HHS receives information needed to make decisions for UAC. In their comments, HHS officials stated that they intend to reach out to counterparts at DHS in June 2020 to discuss potential periodic updates to the Joint Concept of Operations. In August 2020, DHS informed us that the department is working with HHS to document current information sharing practices, validate gaps, and draft a joint plan between DHS and HHS, among other actions. DHS estimates that it will complete these actions by March 31, 2021. To fully address the recommendation, DHS and HHS should ensure that they have implemented procedures aimed at improving the efficiency and accuracy of the interagency UAC referral and placement process.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of Homeland Security
Status: Open

Comments: In October 2019, the Department of Homeland Security developed an asset and inventory management plan for managing devices under its enterprise blanket purchase agreement. The plan includes procedures for assessing devices for zero usage; however, it does not include procedures for assessing over and under usage. The department also has not demonstrated that it has established procedures for devices not covered by its enterprise blanket purchase agreement.We will continue to monitor the department's efforts.

Recommendation: To more accurately communicate DHS's funding plans for USCG's major acquisition programs, the Secretary of Homeland Security should ensure the funding plans presented to Congress in fiscal year 2015 are comprehensive and clearly account for all operations and maintenance funding DHS plans to allocate to each of the USCG's major acquisition programs.

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with this recommendation and stated in their comments that the U.S. Coast Guard and the DHS Chief Financial Officer will develop a plan to address this recommendation by September 30, 2015, then work together to fully implement the plan. DHS estimated it would complete this effort March 31, 2016. However, the USCG encountered technical challenges during this process and was unable to implement the plan by that time. The U.S. Coast Guard has revised the estimated completion date and now anticipates it will be able to address this recommendation in fiscal year 2022. GAO will continue to assess the updated APBs as a part of its annual review of select DHS major acquisition programs to determine whether the department has addressed the recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to improve reporting of FOIA costs by including salaries, employee benefits, non-personnel direct costs, indirect costs, and costs for other offices.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to direct USCIS and Coast Guard to fully implement the recommended FOIA processing system capabilities and the section 508 requirement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to determine the viability of re-establishing the service-level agreement between the U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement to eliminate duplication in the processing of immigration files. If the benefits of doing so would exceed the costs, re-establish the agreement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To promote forward-looking construction and rebuilding efforts while FEMA phases out most subsidies, the Secretary of the Department of Homeland Security should direct FEMA to consider amending NFIP minimum standards for floodplain management to incorporate, as appropriate, forward-looking standards, similar to the minimum standard adopted by the Hurricane Sandy Rebuilding Task Force.

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, a FEMA official stated that FEMA intends to implement the recommendation in full eventually, but it is unlikely that it will happen as a cohesive effort in 2020, given other ongoing flood insurance reforms. As of August 2020, the status of this recommendation remains unchanged.

Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to conduct the following assessments and use the results to inform updated DHS headquarters consolidation plans: (1) a comprehensive needs assessment and gap analysis of current and needed capabilities that take into consideration changing conditions, and (2) an alternatives analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the project and prioritizes options to account for funding instability.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of April 2020, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region, and an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. GAO will review the latest information on DHS headquarters consolidation efforts when it is provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading capital planning practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.

Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, after revising the DHS headquarters consolidation plans, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to develop revised cost and schedule estimates for the remaining portions of the consolidation project that conform to GSA guidance and leading practices for cost and schedule estimation, including an independent evaluation of the estimates.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of April 2020, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes updated cost and schedule estimates for the consolidation project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. GAO will review the latest DHS headquarters consolidation cost and schedule estimates when they are provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading cost and schedule estimation practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.

Recommendation: To help ensure that all employees are treated fairly and receive the protections established in the executive order, the Secretary of Homeland Security should direct the Commandant, U.S. Coast Guard, to revise the Coast Guard instruction for military personnel to specify that military personnel may be represented by counsel or other representatives at their own expense.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with our recommendation. As of August 2018, the Commandant of the Coast Guard issued a policy message stating that individuals may have counsel or other representatives present at the service member's own expense. According to a Coast Guard official, this message serves as interim guidance until the personnel security manual can be finalized. Coast Guard officials stated that the manual will be undergoing revision, and is expected to be updated at the end of March 2019 . We are awaiting documentation from the Coast Guard that this manual is complete. This recommendation will remain open until the Coast Guard finalizes the update to its manual in accordance with our recommendation.

Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

Agency: Department of Homeland Security
Status: Open

Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. In August 2020, DHS officials provided GAO with additional information regarding their progress on implementing the recommendation. We will update the status of this recommendation after we review the additional information from DHS.

Recommendation: To establish full-risk rates for properties with previously subsidized rates that reflect their risk for flooding, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to develop and implement a plan, including a timeline, to obtain needed elevation information as soon as practicable.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: As of January 2020, FEMA continues its multi-year effort to redesign its risk rating system to reflect industry best practices, such as providing credible, understandable rates based on graduated risk. As part of this redesign, FEMA plans to obtain multiple sources of data and information about a property's risk of flooding--from which it may be able to derive elevation information on some properties--to develop the insurance rate. FEMA has delayed implementation of the new risk rating system until 2021, pending further analysis. In addition, FEMA issued a Request for Information on obtaining structural elevation information from third party sources and is reviewing responses from potential vendors. The agency also encourages subsidized policyholders who seek to ensure the appropriateness of their NFIP rates to voluntarily submit elevation documentation. We will continue to monitor the extent to which FEMA is able to produce elevation information for all currently subsidized properties.

Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to determine in advance the amounts built into the payment rates for estimated expenses and profit.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA's current payment rates do not explicitly consider WYO insurers' actual expenses and profit. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to annually analyze the amounts of actual expenses and profit in relation to the estimated amounts used in setting payment rates.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. However, GAO has reported that an annual analysis of the WYO insurers' actual expenses and profit could be regularly performed in relation to FEMA's existing payment methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they would complete an annual analysis of WYO data by the end of fiscal year 2020 and that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to consider the results of the analysis of payments, actual expenses, and profit in evaluating the methods for paying WYOs.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to take actions to obtain reasonable assurance that NAIC flood insurance expense data can be considered in setting payment rates that are appropriate, including identifying affiliated company profits in reported flood insurance expenses.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA can also take actions, in addition to any actions related to the rule, to develop method(s) for obtaining reasonable assurance that NAIC data is accurate and usable for setting payment rates before implementation of a new compensation methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To increase the usefulness of the data reported by WYOs to the National Association NAIC and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to develop comprehensive data analysis strategies to annually test the quality of flood insurance data that WYOs report to NAIC.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA can also take actions, in addition to any actions related to the rule, to develop and implement data analysis strategies to annually test the quality of flood insurance data WYO insurers report to NAIC before implementation of a new compensation methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to take steps to ensure that its rate-setting methods and the data it uses to set rates result in full-risk premiums rates that accurately reflect the risk of losses from flooding. These steps should include, for example, verifying the accuracy of flood probabilities, damage estimates, and flood maps; ensuring that the effects of long-term planned and ongoing development, as well as climate change, are reflected in the flood probabilities used; and reevaluating the practice of aggregating risks across zones.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In April 2018, FEMA officials told us they had begun to redesign NFIP's risk rating system to help ensure policy rates better reflect the risk of flooding. The redesign, known as Risk Rating 2.0, includes efforts to use catastrophe models, stochastic approaches, and updated map information to better reflect the variation in flood risk. These reforms are also intended to improve how FEMA's rating process accounts for general and specific factors that affect flood probabilities and damage. While FEMA initially announced that new rates for all single-family homes would go into effect nationwide on October 1, 2020, it announced in November 2019 that it would defer implementation to October 1, 2021. FEMA said this would allow it to conduct a comprehensive analysis of the proposed rating structure so as to protect policyholders and minimize any unintentional negative effects of the transition, and that the new implementation date would cover all NFIP policies.

Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to ensure that information is collected on the location, number, and losses associated with existing and newly created grandfathered properties in NFIP and to analyze the financial impact of these properties on the flood insurance program.

Agency: Department of Homeland Security
Status: Open

Comments: As of February 2020, FEMA officials said they had finished identifying properties with grandfathered premium rates and that they planned to analyze their economic implications as part of their efforts to update their premium rate setting approach, known as Risk Rating 2.0. FEMA plans to implement this redesign on October 1, 2021.