Recommendation: The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1)

Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open

Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.

Recommendation: The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.

Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171 , "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations;" and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.

Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.

Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5)

Agency: Environmental Protection Agency
Status: Open

Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.

Recommendation: The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800 and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implementing the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.

Recommendation: The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.

Recommendation: The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9)

Agency: Department of Transportation: Office of the Secretary
Status: Open

Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10)

Agency: Department of the Treasury: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.

Recommendation: The Commissioner of the Social Security Administration should clarify policies and procedures to remind staff that a diagnosis of a substance use disorder is not necessary to conduct a Drug Addiction and Alcoholism evaluation. (Recommendation 1)

Agency: Social Security Administration
Status: Open

Comments: SSA agreed with this recommendation. The agency stated that it had revised related policies in February 2020, and had planned to issue guidance and video-on-demand training to further clarify policies and procedures in this area. However, SSA said its efforts to maintain mission critical activities amid the COVID-19 pandemic have delayed further implementation of this recommendation and a specific implementation date could not be provided at this time.

Recommendation: The Commissioner of the Social Security Administration should ensure that staff document their rationale for decisions involving the Drug Addiction and Alcoholism evaluation process. (Recommendation 2)

Agency: Social Security Administration
Status: Open

Comments: SSA agreed with this recommendation. The agency said it had planned to issue guidance reinforcing its policy on properly documenting decisions involving the Drug Addiction and Alcoholism evaluation process. However, SSA said its efforts to maintain mission critical activities amid the COVID-19 pandemic have delayed implementation of this recommendation and a specific implementation date could not be provided at this time.

Recommendation: The Secretary of Homeland Security should direct Homeland Security's members of the interagency working group for protection of Native American cultural property to implement selected leading collaboration practices, such as taking steps to agree on outcomes and objectives, clarify roles and responsibilities, and document these decisions. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2019, we have reached out to the Department of Homeland Security and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of the Interior should direct Interior's members of the interagency working group for protection of Native American cultural property to implement selected leading collaboration practices, such as taking steps to agree on outcomes and objectives, clarify roles and responsibilities, and document these decisions. (Recommendation 2)

Agency: Department of the Interior
Status: Open

Comments: Since August 2018, Interior's Office of International Affairs has updated its contact list for international repatriation assistance with information on the Department's roles and responsibilities in support of international repatriation. In addition, Interior's interagency working group members have developed a description of the interagency working group. However, the statement does not include outcomes and objectives for the group's work. GAO made the same recommendation to each of the four agencies covered in the review because implementing leading collaboration practices will require the collective participation of group members. GAO will keep the recommendation open until further collaborative actions are taken.

Recommendation: The Attorney General should direct Justice's members of the interagency working group for protection of Native American cultural property to implement selected leading collaboration practices, such as taking steps to agree on outcomes and objectives, clarify roles and responsibilities, and document these decisions. (Recommendation 3)

Agency: Department of Justice
Status: Open

Comments: As of August 2019, we have reached out to the Department of Justice and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of State should direct State's members of the interagency working group for protection of Native American cultural property to implement selected leading collaboration practices, such as taking steps to agree on outcomes and objectives, clarify roles and responsibilities, and document these decisions. (Recommendation 4)

Agency: Department of State
Status: Open

Comments: Since August 2018, the Department of State shared a statement of its roles and responsibilities with other working group members. However, the statement does not include outcomes and objectives for the group's work. GAO made the same recommendation to each of the four agencies covered in the review because implementing leading collaboration practices will require the collective participation of group members. GAO will keep the recommendation open until further collaborative actions are taken.

Recommendation: The Secretary of Homeland Security should direct Homeland Security's members of the interagency working group for protection of Native American cultural property to identify and externally communicate to tribes points of contact within the agency that are responsible for responding to tribes' requests for assistance with repatriating cultural items from overseas auctions. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2019, we have reached out to the Department of Homeland Security and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Attorney General should direct Justice's members of the interagency working group for protection of Native American cultural property to identify and externally communicate to tribes points of contact within the agency that are responsible for responding to tribes' requests for assistance with repatriating cultural items from overseas auctions. (Recommendation 7)

Agency: Department of Justice
Status: Open

Comments: As of August 2019, we have reached out to the Department of Justice and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of Homeland Security should direct Homeland Security's members of the interagency working group for protection of Native American cultural property to collaborate with the interagency working group members from other agencies to assess, in consultation with Indian tribes, whether and how amending the U.S. legal framework governing the export, theft, and trafficking of Native American cultural items would facilitate the repatriation of these items from auctions overseas and report its findings to Congress. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2019, we have reached out to the Department of Homeland Security and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of the Interior should direct Interior's members of the interagency working group for protection of Native American cultural property to collaborate with the interagency working group members from other agencies to assess, in consultation with Indian tribes, whether and how amending the U.S. legal framework governing the export, theft, and trafficking of Native American cultural items would facilitate the repatriation of these items from auctions overseas and report its findings to Congress. (Recommendation 10)

Agency: Department of the Interior
Status: Open

Comments: As of September 2019, Interior is working to develop an assessment of legislative options for discussion with the interagency working group, and plans to meet with tribes later this fall to discuss the assessment. Interior anticipates a September 30, 2020, completion date for the assessment of these legislative options. Interior has also reviewed legislative proposals related to the export, theft, and trafficking of Native American cultural items and has prepared for Congressional hearings on this topic.

Recommendation: The Attorney General should direct Justice's members of the interagency working group for protection of Native American cultural property to collaborate with the interagency working group members from other agencies to assess, in consultation with Indian tribes, whether and how amending the U.S. legal framework governing the export, theft, and trafficking of Native American cultural items would facilitate the repatriation of these items from auctions overseas and report its findings to Congress. (Recommendation 11)

Agency: Department of Justice
Status: Open

Comments: As of August 2019, we have reached out to the Department of Justice and are awaiting a response on actions they may have taken in response to this recommendation.

Recommendation: The Secretary of State should direct State's members of the interagency working group for protection of Native American cultural property to collaborate with the interagency working group members from other agencies to assess, in consultation with Indian tribes, whether and how amending the U.S. legal framework governing the export, theft, and trafficking of Native American cultural items would facilitate the repatriation of these items from auctions overseas and report its findings to Congress. (Recommendation 12)

Agency: Department of State
Status: Open

Comments: In November 2019, the Department of State, in conjunction with other interagency working group members, circulated a draft legal assessment and draft legislative options. The interagency working group members conducted a listening session with tribal members in November 2019, and conducted a tribal consultation in January 2020. GAO will continue monitoring the agencies' efforts toward implementing this recommendation.

Recommendation: The Attorney General should study the implementation of federal accessibility requirements in the context of early in-person voting and make any changes to existing guidance that are determined to be necessary as a result of the study. (Recommendation 1)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (DOJ) agreed with this recommendation and stated it would make any changes to existing guidance that it determines to be necessary as a result of the study. DOJ also outlined its efforts to enforce the protections for voters with disabilities found in federal law. As of October 2019, DOJ indicated that the agency planned to study these issues and has not made any changes to its guidance. We will consider closing this recommendation when the agency has completed these efforts.

Recommendation: To determine how the use of RRCs and home confinement contribute to its goal of helping inmates successfully reenter society, and to better enable BOP to adjust its policies and procedures for the optimal use of these alternatives, as necessary and within statutory requirements, the Director of BOP should develop performance measures by which to help assess program outcomes.

Agency: Department of Justice: Bureau of Prisons
Status: Open

Comments: In November 2017, BOP reported that it developed a revised Statement of Work (SOW) for use with its RRC contractors that requires the contractors to track and report to BOP on, among other things, the number of placements into and releases from RRCs and home confinement; revocations from RRCs or home confinement; and RRC and home confinement residents that have secured full, part-time, or temporary employment. In a March 2019 update, BOP stated that it awarded nine contracts under the 2017 SOW and plans to use the data required under the SOW to conduct annual performance appraisals for RRCs after each performance period and intends to use this information in the future to track outcomes of the programs (e.g., employment, housing, individualized goals of offender). In a May 2020 update, BOP stated that that it had just received the first quarter of data from many of its RRC providers and that it continues to work with the providers to refine the data to determine if it can be utilized to develop performance measures. BOP stated that it anticipates being able to provide an update on this phase of their effort in September 2020. While the collection of this data is an important step, to fully implement this recommendation, BOP also needs to define and develop performance measures by which it can use such data to report and assess outcomes program-wide. We will continue to monitor BOP's ongoing efforts.

Recommendation: To improve its oversight of network adequacy in MA, the Administrator of CMS should augment MA network adequacy criteria to address provider availability.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: HHS concurred with this recommendation, and noted in a February 2018 update that CMS requires MAOs to identify provider availability in certain circumstances, such as in granting exceptions to the agency's network adequacy criteria. CMS also stated that it would consider augmenting MA network adequacy criteria to address provider availability in future years. However, CMS's 2018 MA network adequacy guidance stated that the agency does not currently consider provider availability when reviewing an organization's network adequacy, and this guidance was not updated in 2019. As a result, as of September 2019, agency officials have not implemented this recommendation.

Recommendation: To improve its oversight of network adequacy in MA, the Administrator of CMS should verify provider information submitted by MAOs to ensure validity of the Health Services Delivery data.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: HHS concurred with this recommendation, and noted in a February 2018 update that the agency has standardized existing protocols to ensure the validity of the Health Services Delivery data submitted by MAOs with regards to exceptions requests and partial county justifications. However, CMS's 2018 MA network adequacy guidance stated that MAOs remain responsible for conducting validation of Health Services Delivery data. Unless CMS verifies provider information submitted by MAOs, the agency cannot be confident that MAOs are meeting network adequacy criteria. As of September 2019, agency officials have not implemented this recommendation.

Recommendation: To improve its oversight of network adequacy in MA, the Administrator of CMS should set minimum requirements for MAO letters notifying enrollees of provider terminations and require MAOs to submit sample letters to CMS for review.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: HHS concurred with this recommendation. In a September 2017 update, the agency stated that it had met the spirit of our recommendation by adding its best practice suggestions of what should be included in the written termination notice to the Medicare Managed Care Manual. However, as we noted in our report, those practices are not required, nor are the letters regularly reviewed. As of September 2019, agency officials have not yet implemented this recommendation.

Recommendation: To improve SSA's ability to detect, prevent, and recover potential DI benefit overpayments due to the concurrent receipt of FECA benefits, the Commissioner of Social Security should strengthen internal controls designed to prevent DI overpayments due to the concurrent receipt of FECA benefits by implementing the alternative that provides the greatest net benefits.

Agency: Social Security Administration
Status: Open
Priority recommendation

Comments: As of January 2020, SSA had taken steps to strengthen internal controls, as GAO recommended in July 2015, but it had not completed its efforts. In January 2020, SSA told GAO that it continues to work with DOL to establish a computer matching agreement to support the FECA data exchange and the agreement is pending at DOL for final review and signature. According to SSA, if the agreement is established, SSA will use the FECA benefit data to improve efficiencies in its ability to offset/reduce DI benefits when an individual is concurrently receiving FECA benefits. GAO will continue to monitor SSA's work in this area. SSA following through with these plans will help the agency identify and prevent potential DI overpayments.

Recommendation: To improve CMS's oversight of Medicaid payments, the Administrator of CMS should take steps to ensure that states report accurate provider-specific payment data that include accurate unique national provider identifiers (NPI).

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: In November 2019, CMS issued a proposed rule that the agency said would promote state accountability, improve federal oversight, and strengthen the fiscal integrity of the Medicaid program. Among other things, the proposed rule would require states to report supplemental payments made to individual providers; furthermore, it would require states to include the National Provider Identifier (NPI) number-a unique 10-digit identification number assigned to health care providers. GAO will continue to monitor the status of the proposed rule and will review a final rule, if one is issued, to determine the extent it addresses the recommendation.

Recommendation: To improve CMS's oversight of Medicaid payments, the Administrator of CMS should develop a policy establishing criteria for when such payments at the provider level are economical and efficient.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation

Comments: In November 2019, CMS issued a proposed rule that the agency said would require states to demonstrate to CMS that supplemental payments to individual providers are economical and efficient and also require states to end and then seek CMS approval to renew supplemental payments every three years. GAO will monitor the status of the proposed rule and will review a final rule, if one is issued, to determine the extent to which it addresses the recommendation.

Recommendation: To improve CMS's oversight of Medicaid payments, the Administrator of CMS should, once criteria are developed, develop a process for identifying and reviewing payments to individual providers in order to determine whether they are economical and efficient.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: In November 2019, CMS issued a proposed rule that the agency said would require states to demonstrate to CMS that supplemental payments to individual providers are economical and efficient and also require states to end and then seek CMS approval to renew supplemental payments every three years. GAO will monitor the status of the proposed rule and will review a final rule, if one is issued, to determine the extent to which it addresses the recommendation.

Recommendation: Congress should consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace--particularly in relation to consumer data used for marketing purposes--while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord. Among the issues that should be considered are: (1) the adequacy of consumers' ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA; (2) whether there should be additional controls on the types of personal or sensitive information that may or may not be collected and shared; (3) changes needed, if any, in the permitted sources and methods for data collection; and (4) privacy controls related to new technologies, such as web tracking and mobile devices.

Agency: Congress
Status: Open

Comments: As of July 2020, Congress has not taken action on this matter.