Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any functions' adherence with principle #8 related to safeguarding against unauthorized access or #9 regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated these two principles are a steady state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures that were related to prioritizing activities based on level of risk (#3) or ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different than those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine if the aforementioned is still applicable with the new metrics.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all 11 functions, DHS stated they have a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of data tracked in support of the aforementioned compliance measures, we will review to determine if they have closed this recommendation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

Agency: Department of Homeland Security
Status: Open

Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS) could impact this recommendation as well. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019, DHS stated that while no alerts or advisories are sent only to Section 9 entities, they do have various forms and mechanisms that Section 9 entities receive cybersecurity information: through HSIN Communities of Interest, the CISCP program, the applicable Sector Specific Agencies, and the applicable Section Information Sharing and Analysis Centers. Further analysis of the membership of the aforementioned forums and mechanisms is needed to determine the extent of Section 9 representation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019 DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To help lessen confusion among the public and policy makers regarding federal data on sexual violence, the Director of OMB should establish a federal interagency forum on sexual violence statistics. The forum should consider the broad range of differences across the data collection efforts to assess which differences enhance or hinder the overall understanding of sexual violence in the United States.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation

Comments: At the time of our report, OMB neither agreed nor disagreed with this recommendation but stated that it did not believe convening a forum was the most strategic use of resources because agencies were not far enough along with their data collection efforts. We disagree with OMB's assertion because 7 of the 10 data collection efforts have been in place for more than 10 years, and several have been in place for multiple decades. As of December 2019, OMB has not provided information on any new efforts to establish a federal interagency forum on sexual violence statistics.

Recommendation: To better ensure agencies fulfill their requirements, including implementing IQA guidelines and helping to promote easier public access to IQA information on agency websites, the Director of OMB should consolidate and centralize on OMB's IQA guidance website a government-wide summary of requests for correction submitted under the IQA.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: According to OMB, during the last two years OIRA has significantly improved the ease of access to and findability of documents on OMB's information quality website. OMB says it has a number of additional improvements in progress. We have requested information on those additional improvements. We will continue to monitor OMB's efforts related to this recommendation.

Recommendation: To better ensure agencies fulfill their requirements, including implementing IQA guidelines and helping to promote easier public access to IQA information on agency websites, the Director of OMB should work with the Department of Defense and the Federal Housing Finance Agency to help ensure that they post their IQA administrative mechanisms and IQA guidance online.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: According to OMB, it worked with the Federal Housing Finance Agency (FHFA) to improve the accessibility of their Information Quality Act guidance. In addition, OMB stated that FHFA took it upon themselves to update their guidelines. OMB has not provided any information regarding its work with DOD in this area. We will continue to monitor OMB's efforts related to this recommendation.

Recommendation: To better ensure agencies fulfill their requirements, including implementing IQA guidelines and helping to promote easier public access to IQA information on agency websites, the Director of OMB should provide additional guidance for agencies to help improve the transparency and usability of their IQA websites to help ensure the public can easily find and access online information about agency IQA implementation. Such guidance should include (1) specific time frames for agencies to post information on the IQA correction requests they have received, including making it clear when agencies have not received IQA requests; (2) instructions for agencies to include a statement on their IQA websites that the agencies may address correction requests through other administrative processes; (3) instructions for agencies to include, when responding to correction requests, whether those agencies plan to address the request through another administrative processes, and if so, which process they will use; and (4) suggestions for improving usability of agencies' websites including fixing broken links.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: According to OMB, in conjunction with its annual data call, the agency has and will continue to provide guidance to agencies about improving the transparency and usability of their websites, including the need to update broken links. In addition OMB issued M-19-15, designed to address a number of related and additional implementation concerns, including transparency and procedural improvements. OMB's guidance to date has not included specific items as specified in the recommendation. We will continue to monitor OMB's efforts related to this recommendation.

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury, as the sector-specific agency for the financial services sector, continues to develop initiatives intended to enhance the sector's cybersecurity. In 2016, Treasury developed and promulgated a set of seven fundamental elements or critical building blocks for sector stakeholders' cybersecurity, disseminated a template for financial sector cyber exercises, and promoted the NIST Cybersecurity Framework throughout the sector. However, they have not provided evidence of metrics implemented, and the 2015 sector-specific plan does not include specific metrics to track and report on their effectiveness. We will continue to monitor Treasury's efforts to create specific metrics and related reports on the sector's cybersecurity progress.

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (USDA), as the co-sector specific agency for the food and agriculture sector, with the Department of Health and Human Services (HHS) continues to implement cybersecurity-related activities for the sector. In particular, USDA, through the sector coordination council, routinely shares best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, USDA has hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As USDA and HHS continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS), as the co-sector specific agency for the food and agriculture sector, with the Department of Agriculture (USDA) continues to implement cybersecurity-related activities for the sector. In particular, through the sector coordination council, they routinely share best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, they have hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As HHS and USDA continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) continues to develop and implement activities in support of the water and wastewater sector's cybersecurity such as a cyber-attack risk assessment tool and cybersecurity training for sector partners. The 2015 water and wastewater sector-specific plan calls for assessing performance and reporting on sector cybersecurity progress; however, the plan does not state specific measures. In 2017, agency officials stated that the development of performance metrics in collaboration with sector partners was underway; however, EPA has not provided evidence of the metrics or any tracking effort. As EPA continues to carry out its sector-specific agency role, we will continue to monitor its efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.

Recommendation: To improve agencies' guidance development, review, evaluation, and dissemination processes for non-significant guidance, we recommend that the Secretaries of USDA, HHS, DOL, and Education should improve the usability of selected component websites to ensure that the public can easily find, access, and comment on online guidance. These improvements could be informed by the web and customer satisfaction metrics that components have collected on their websites. Some examples of changes that could facilitate public access to online guidance include (1) improving website usability by clarifying which links contain guidance; (2) highlighting new or important guidance; and (3) ensuring that posted guidance is current.

Agency: Department of Health and Human Services
Status: Open

Comments: In comments printed in the April 2015 final report, HHS concurred with the recommendation and stated that it would review current links to guidance documents and explore ways to enhance their visibility and usability. As of June 2020, GAO is working with HHS officials to obtain additional updates and documentation regarding the department's implementation of this recommendation.

Recommendation: To enhance the usefulness of NNSA's future reports to Congress describing the costs and benefits of its competition of M&O contracts under the requirements contained in Section 3121 of the National Defense Authorization Act for fiscal year 2013, as amended, the NNSA Administrator should take steps to ensure that future reports reflect DOE's information quality guidelines, federal cost accounting standards, and GAO's best practices guidance relevant to the clear and complete presentation of information on each of the required topics. In particular, future reports should clearly and completely describe costs and benefits, including the agency's expectations, as well as the associated analysis, assumptions, information sources, and key limitations and uncertainties about costs and benefits described. The description of uncertainties should include key excluded or unspecified costs and benefits, such as those that are anticipated but not fully known at the time of report writing.

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA believes it has met the requirements of the recommendation and considers it closed. In our March 2015 report--which examined NNSA's report on the contract to manage and operate the Pantex Plant and the Y-12 National Security Complex under a single management and operating (M&O) contract with Consolidated Nuclear Services (CNS)--we recommended that NNSA enhance the clarity and completeness of its future reports on the costs and benefits of M&O contract competitions. While NNSA demonstrated progress in implementing this recommendation in its September 2017, August 2018, and April 2019 reports to Congress on the costs and benefits of the contract competitions for the Sandia, Nevada, and Los Alamos sites respectively, NNSA did not provide clear and complete information on all required elements of these reports. Specifically, for the Sandia National Laboratories M&O contract, in our August 2018 report we found that NNSA addressed most but not all reporting requirements. For example, NNSA's report addressed all requirements pertaining to cost savings, other benefits, and disruptions or delays, but only partially addressed the reporting requirements on the limitations or uncertainties about cost savings and on the immediate costs of competition and over the life of the contract. NNSA issued a report in August 2018 on the costs and benefits of its competition of the M&O contract for the Nevada National Security Site. In our April 2019 report on NNSA's cost-benefit analysis of that contract competition, we found that, of the five required reporting elements, NNSA's report addressed one with detail but addressed the other four without detail. In April 2019 NNSA issued its cost-benefit analysis of the competition for the Los Alamos National Laboratory contract. In our January 2020 report on NNSA's cost-benefit report for that contract competition, we found that it addressed five reporting elements on costs and disruption during contract transition with detail, partially addressed two reporting elements on uncertainties and benefits, and did not address one reporting element on activities to be covered by the M&O contractor. Since our 2015 recommendation, NNSA's cost-benefit reports on M&O contract competitions have generally provided clearer and more complete information on most of the required reporting elements, but they have not provided clear and complete information on all required reporting elements. In June 2020, NNSA announced that it would end the current CNS contract for Pantex and Y-12 management and operations instead of awarding the contractor its final option term. This will result in a new contract competition and award by the end of the current contract's term on September 30, 2021. The NNSA report on the costs and benefits of that competition may give us another opportunity to assess the quality of NNSA's reports for clarity and completeness on the required reporting elements.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to improve reporting of FOIA costs by including salaries, employee benefits, non-personnel direct costs, indirect costs, and costs for other offices.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to direct USCIS and Coast Guard to fully implement the recommended FOIA processing system capabilities and the section 508 requirement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to determine the viability of re-establishing the service-level agreement between the U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement to eliminate duplication in the processing of immigration files. If the benefits of doing so would exceed the costs, re-establish the agreement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: In light of the agency's declining revenue associated with its basic statutory function and the charging for information that is often freely available elsewhere, Congress should consider examining the appropriateness and viability of the fee-based model under which NTIS currently operates for disseminating technical information to determine whether the use of this model should be continued.

Agency: Congress
Status: Open

Comments: Congress had taken a number of actions that affect the NTIS fee-based model for disseminating technical information. Specifically, for the past 5 fiscal years and in the current Consolidated Appropriations Act, 2020, NTIS is prohibited from charging customers for reports generated by legislative branch offices unless the agency tells the customer how an electronic copy of the report can be accessed or downloaded for free online. The act further states that, if a customer still requires such a report from NTIS, the agency should not charge more than what is needed to recover the cost of processing, reproducing, and delivering the document requested. It remains to be seen whether these requirements will be continued under the yet to be introduced House and Senate bills making appropriations for the Department of Commerce (Commerce) for fiscal year 2021. Congress again has the opportunity to consider legislation that would ensure the assessment of the appropriateness or viability of NTIS functions.

Recommendation: To better ensure that economically similar outcomes are taxed similarly and minimize opportunities for abuse, the Secretary of the Treasury should undertake a study that compares the current approach to alternative approaches for the taxation of financial derivatives. To determine if changes would be beneficial, such a study should weigh the tradeoffs to IRS and taxpayers that each alternative presents, including simplicity, administrability, and economic efficiency.

Agency: Department of the Treasury
Status: Open

Comments: Treasury disagreed with this recommendation based on the fact that many outside studies already exist and IRS did not comment. The Tax Cuts and Jobs Act enacted in December 2017 did not include any requirements that Treasury study alternative approaches for the taxation of financial derivatives. However members of Congress have released proposals for a mark-to-market tax system, which would include financial derivatives. GAO continues to maintain that further study is needed in coordination with IRS and will continue to monitor the climate for such a study.