Recommendation: The Under Secretary for Management should ensure that the Office of Program Accountability and Risk Management and component heads execute the Component Acquisition Executive nomination and designation process consistently, as described in its guidance. This should include nominating and designating Component Acquisition Executives to oversee all acquisition programs. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should ensure that the Component Acquisition Executives that are responsible for oversight of acquisition programs comply with Department of Homeland Security direction to complete Component Acquisition Executive support staffing plans. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should identify, in policy or guidance, the expertise that constitutes critical acquisition positions for effective Component Acquisition Executive oversight. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should direct the Office of Program Accountability and Risk Management to establish a time frame for completing its assessment of the Investment Evaluation, Submission, and Tracking (INVEST) system data fields for which the Component Acquisition Executive certification is necessary, based on current use and reporting requirements, and take appropriate actions based on the results. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of DHS's Cybersecurity and Infrastructure Agency should assess EPA data when planning outreach to public water system and wastewater treatment works facilities (Recommendation 1).

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for Management should develop and implement a mechanism to compare component marine operating costs across components and locations, including a cost per vessel underway (float) hour methodology (Recommendation 1).

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:

• an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;

• measures of performance and formal mechanism to track progress of the execution of activities; and

• an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)

Agency: Executive Office of the President: National Security Council
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: The TSA Administrator should establish quantifiable targets for the Surface Transportation Security Inspectors Program's activity-level performance measures. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should develop and implement additional guidance for ensuring funds appropriated for specific purposes are obligated consistent with the purpose of the funds. (Recommendation 1)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. In July 2020, CBP's Office of Finance issued new guidance on how to execute the remaining funds CBP received in the 2019 Emergency Supplemental. In September 2020, the CBP Budget Directorate's Program Analysis Division also updated its standard operating procedures to describe how it will review samples of purchase requests for supplemental funds. To fully implement our recommendation, CBP should develop and implement guidance for ensuring all funds appropriated for specific purposes, including future appropriations CBP may receive, are obligated consistent with the purpose of the funds.

Recommendation: The Commissioner of CBP should establish and document oversight roles and responsibilities to ensure funds appropriated for specific purposes are obligated consistent with the purpose of the funds. (Recommendation 2)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. In September 2020, the CBP Budget Directorate's Program Analysis Division updated its standard operating procedures to describe how it will review samples of purchase requests for supplemental funds. To fully implement our recommendation, CBP should establish and document oversight roles and responsibilities to ensure all funds appropriated for specific purposes, including regular appropriations, are obligated consistent with the purpose of the funds.

Recommendation: The Commissioner of CBP should develop and implement oversight mechanisms for CBP's implementation of policies and procedures relating to medical care for individuals in its custody to include documentation of expected practices, metrics and corresponding performance targets, and roles and responsibilities for taking corrective action. (Recommendation 3)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Commissioner of CBP should document what information it is using to assess whether to offer the influenza vaccine to individuals in custody, including how it weighs costs and benefits. (Recommendation 4)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Commissioner of CBP should develop and implement training on recognizing medical distress in children for all CBP officers and Border Patrol agents who may come into contact with children in custody. (Recommendation 5)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Commissioner of CBP should provide additional guidance to field personnel to ensure they classify significant incident reports on deaths, serious injuries, and suicide attempts, in accordance with CBP policy. (Recommendation 7)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Commissioner of CBP should update the Significant Incident Reporting System to include categories that align with CBP's directive on the reporting of significant incidents. (Recommendation 8)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Commissioner of CBP should provide additional guidance to components on the procedures for reporting deaths in custody to OPR and other entities within CBP. (Recommendation 9)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Commissioner of CBP should ensure that timely, reliable information on deaths in custody is reported to Congress, as directed, and maintain documentation on those reports. (Recommendation 10)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. We will continue to monitor DHS' efforts to address this recommendation.

Recommendation: The Acting Commissioner of CBP should better communicate to stakeholders the types of information stakeholders could collect and submit to CBP to help the agency initiate and investigate forced labor cases related to seafood and, as appropriate, other goods. (Recommendation 1)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the Director of Strategic Technology Management (STM), in collaboration with other members of the Information Technology Program Management Center of Excellence (ITPM COE), identifies the skills and resources needed to complete the work intended for the upcoming fiscal year, including the availability of supplementary staff, such as subject matter experts. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the Executive Steering Committee overseeing the activities of the ITPM COE establishes target measures for the department's desired outcomes of its transition to Agile development. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the DHS Chief Information Officer (CIO) defines a process and associated set of controls to ensure that Agile programs and projects are reporting a set of core required performance metrics for monitoring and measuring Agile adoption. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the ITPM COE, in coordination with the CIO, begins measuring results associated with the transition to Agile and the success of the transition based on its impact on the department. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, in collaboration with the Chief Procurement Officer, through the Homeland Security Acquisition Institute, establish Agile training requirements for senior stakeholders. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the Chief Human Capital Officer, in collaboration with the CIO, consider modifications to the current employee recognition and performance management governance to ensure that teamwork and team performance of Agile programs and projects are incentivized. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, in collaboration with the Chief Procurement Officer, through the Homeland Security Acquisition Institute, establish Agile training requirements for staff outside of the acquisition workforce but assigned to Agile programs. (Recommendation 7)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, upon establishing a set of core performance metrics, tracks and monitors the pace of Agile team development. (Recommendation 8)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, in collaboration with the Executive Director of the Office of Program Accountability and Risk Management (PARM), update or develop new guidance on Agile methodologies to describe how Agile teams can estimate the relative complexity of user stories. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary should ensure that the CIO, upon establishing a set of core performance metrics, sets expectations for automated testing and code quality, and tracks and monitors against those expectations. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Commerce should align the agency's contingency plan with OMB guidance by including (1) plans for a potential prolonged shutdown; (2) flexibilities available to supervisors if furloughed employees were unable to return to work after the end of the shutdown; and (3) procedures for resuming program activities, including steps to ensure appropriate oversight and disbursement of funds upon the end of a shutdown. (Recommendation 1)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce agreed with the recommendation and stated that it will develop an action plan to address the recommendation to better align its contingency plan with OMB guidance. When we confirm what actions Commerce has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should align the agency's contingency plan with OMB guidance by including (1) plans for a potential prolonged shutdown; (2) flexibilities available to supervisors if furloughed employees were unable to return to work after the end of the shutdown; and (3) procedures for resuming program activities, including steps to ensure appropriate oversight and disbursement of funds upon the end of a shutdown. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security agreed with the recommendation and and stated that it has begun to take steps to better address OMB guidance on contingency plans. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should align the agency's contingency plan with OMB guidance by including (1) plans for a potential prolonged shutdown; (2) flexibilities available to supervisors if furloughed employees were unable to return to work after the end of the shutdown; and (3) procedures for resuming program activities, including steps to ensure appropriate oversight and disbursement of funds upon the end of a shutdown. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: The Internal Revenue Service (IRS) partially agreed with the recommendation. IRS agreed with one element of our recommendation to include additional detail in its agency contingency plan and stated that it is in the process of adding procedures for resuming program activities following a government shutdown into its contingency plan. IRS did not agree with the other elements of the recommendation because it believes it has already addressed plans for a potential prolonged shutdown and flexibilities for supervisors if employees are unable to return to work at the end of a shutdown in its contingency plans. We agree that while IRS has included some details on these elements in its plans, we continue to believe that it should provide more detail, such as points in time when the furlough status of an employee may change, how many employees would be affected, and the legal basis for the changes, within its publically available contingency plan to fully address these elements. We will continue to monitor IRS's efforts in this area.

Recommendation: The U.S. Trade Representative, in consultation with EOP as appropriate, should align the component's contingency plan with OMB guidance. This could be accomplished through (1) revisions to the EOP contingency plan; or (2) by creating a separate USTR plan. (Recommendation 4)

Agency: Executive Office of the President: Office of the United States Trade Representative
Status: Open

Comments: The Office of the U.S. Trade Representative (USTR) neither agreed nor disagreed with the recommendation. USTR stated that it has already begun addressing our recommendations on aligning its contingency plan with OMB guidance. When we confirm what actions USTR has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary for International Trade should document the component's shutdown processes, including roles and responsibilities, planning processes for potential shutdowns, and recall processes for furloughed employees during a shutdown. (Recommendation 5)

Agency: Department of Commerce: International Trade Administration
Status: Open

Comments: The Department of Commerce agreed with the recommendation and stated that the International Trade Administration (ITA) has documented its shutdown planning processes and recall processes for furloughed employees during a shutdown. When we confirm what actions ITA has taken in response to this recommendation, we will provide updated information.

Recommendation: The U.S. Trade Representative should document the component's shutdown processes, including roles and responsibilities, planning processes for potential shutdowns, and recall processes for furloughed employees during a shutdown. (Recommendation 6)

Agency: Executive Office of the President: Office of the United States Trade Representative
Status: Open

Comments: The Office of the U.S. Trade Representative (USTR) neither agreed nor disagreed with the recommendation. USTR stated that it has already begun addressing our recommendations on documenting its shutdown processes. When we confirm what actions USTR has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should develop internal controls to track and document which employees worked and what work was performed daily during a government shutdown. (Recommendation 7)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The Department of Homeland Security agreed with the recommendation and stated that Customs and Border Protection plans to analyze existing systems to determine which is best suited to track and document employee work during a government shutdown and will ensure that the chosen system is available should a future shutdown occur. When we confirm what actions CBP has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should develop internal controls to limit access to physical workspaces to appropriate employees during a government shutdown. (Recommendation 8)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The Department of Homeland Security (DHS) agreed with the recommendation but stated that because Customs and Border Protection (CBP) does not have systems capable of efficiently restoring physical access for furloughed employees, it would have to reinstate employee access individually and the cost would be substantial. DHS stated that CBP plans to update procedures to ensure more comprehensive workspace access guidance for furloughed employees. We continue to believe that physical access controls are important during shutdowns in order to prevent misuse of government resources. We encourage CBP to improve their systems to be able to efficiently implement such controls and will monitor CBP's efforts going forward.

Recommendation: The Commissioner of Internal Revenue should develop internal controls to limit access to physical workspaces to appropriate employees during a government shutdown. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: The Internal Revenue Service disagreed with this recommendation. IRS stated that it believes that it has effective controls in place to manage physical workspace access during a shutdown. In addition, IRS said that it believes that implementing additional access controls do not justify the corresponding resource investments. We continue to believe that IRS should improve its access controls, which currently rely on managers and furlough letters to communicate limits on workspace access. While we recognize the costs of increased access controls, government shutdowns are unique events that require additional access controls in order to prevent potential misuse of government resources and will monitor IRS's efforts to address it.

Recommendation: The U.S. Trade Representative should develop internal controls to limit access to physical workspaces to appropriate employees during a government shutdown. (Recommendation 10)

Agency: Executive Office of the President: Office of the United States Trade Representative
Status: Open

Comments: The Office of the U.S. Trade Representative (USTR) neither agreed nor disagreed with the recommendation. USTR stated that it has made the Executive Office of the President (EOP) aware of the recommendations on developing controls for physical workspace access during a shutdown. We will continue to monitor USTR's efforts to address this recommendation.

Recommendation: The Commissioner of CBP should develop internal controls to limit access to virtual workspaces to appropriate employees during a government shutdown. (Recommendation 11)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The Department of Homeland Security (DHS) agreed with the recommendation. DHS stated that Customs and Border Protection (CBP) believes that furloughed employees must be able to passively monitor the status of the government shutdown and access important agency communications using DHS-issued electronic devices. Additionally, disabling and reactivating thousands of employee user accounts during a shutdown posed a significant burden. DHS said that CBP plans to update shutdown procedures to clarify allowed use of DHS-issued electronic devices by furloughed employees. We agree that CBP should update procedures on workspace access as suggested, and continue to believe that virtual access controls are important during shutdowns in order to prevent misuse of government resources. We encourage CBP to improve their systems to be able to efficiently implement such controls and will monitor CBP's progress going forward.

Recommendation: The Commissioner of Internal Revenue should develop internal controls to limit access to virtual workspaces to appropriate employees during a government shutdown. (Recommendation 12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: The Internal Revenue Service disagreed with this recommendation. IRS stated that it believes that it has effective controls in place to manage virtual workspace access during a shutdown. In addition, IRS said that it believes that implementing additional access controls do not justify the corresponding resource investments. We continue to believe that IRS should improve its access controls, which currently rely on managers and furlough letters to communicate limits on workspace access. While we recognize the costs of increased access controls, government shutdowns are unique events that require additional access controls in order to prevent potential misuse of government resources and will monitor IRS's efforts to address it.

Recommendation: The Under Secretary for International Trade should develop internal controls to limit access to virtual workspaces to appropriate employees during a government shutdown. (Recommendation 13)

Agency: Department of Commerce: International Trade Administration
Status: Open

Comments: The Department of Commerce agreed with the recommendation and stated that the International Trade Administration (ITA) has established and documented internal controls to limit virtual workspace access to excepted or exempt employees during a government shutdown. When we confirm what actions ITA has taken in response to this recommendation, we will provide updated information.

Recommendation: The U.S. Trade Representative should, in consultation with EOP, develop internal controls to limit access to virtual workspaces to appropriate employees during a government shutdown. (Recommendation 14)

Agency: Executive Office of the President: Office of the United States Trade Representative
Status: Open

Comments: The Office of the U.S. Trade Representative (USTR) neither agreed nor disagreed with the recommendation. USTR stated that it has made the Executive Office of the President (EOP) aware of the recommendations on developing controls for virtual workspace access during a shutdown. We will continue to monitor USTR's efforts to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals. (Recommendation 1)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA's Infrastructure Security Division (ISD) will work to develop a documented process for reviewing CFATS cybersecurity guidance at regularly defined intervals. DHS stated in its comments that once the process is documented and implemented, ISD will revise or supplement existing guidance, as appropriate. We will continue to monitor DHS's actions to address the recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation stated that CISA agrees that it is important to ensure training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. Regarding inspector performance maintenance or improvement, DHS stated that, among other things, management will ensure that each inspector's individual performance plan fully captures their expected performance goals in the area of cybersecurity. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. DHS stated in its comments that CISA will establish policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is accounted for in a centralized mechanism. We will continue to monitor DHS's actions taken to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms. (Recommendation 4)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. DHS also stated that, among other things, CISA will require course evaluation forms from each attendee of any cybersecurity training provided by CISA to its chemical facility staff. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them. (Recommendation 5)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA will develop a concept of operations, which will include goals and requirements for a workforce review and planning effort to ensure the organization addresses the new program's capacity and capability to perform its regulatory, voluntary, and programmatic goals, to include its cybersecurity related functions. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. (Recommendation 6)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities but that it is not in a readily accessible format. DHS stated in its comments that ISD will execute a contract for new information technology development support for the CSAT system which, once executed, will work with the new support contractor to build a tool to automate the locating and reporting of a facility's cyber integration level data in a more accessible format. We will continue to monitor the status of DHS's actions to address this recommendation.

Recommendation: The Administrator of FEMA should assess different approaches, in addition to community assistance visits, for using existing resources to ensure communities' compliance with NFIP requirements. This should include analyzing alternatives to community assistance visits. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should identify appropriate steps to ensure it has complete, up-to-date, and reliable records of community assistance visits, including information on why some visit records remain open for a significant period of time. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should ensure that communities are consistently collecting data on their substantial damage assessments and that FEMA has a way to readily access those data to evaluate community compliance with NFIP requirements for rebuilding substantially damaged properties. (Recommendation 3)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should clarify with NFIP communities its policies on sharing data on NFIP claims and provide such information to those communities as needed. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: FEMA should, following the completion of the 2021 National Preparedness Report, determine what steps are needed to address the nation's emergency management capability gaps across all levels of government and inform key stakeholders, such as the Office of Management and Budget and Congress, about what level of resources will be necessary to address the known gaps. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: FEMA agreed with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: FEMA should develop guidance to help determine which after-action reviews should be prioritized based on factors, such as the severity of disasters and availability of staff and resources to conduct the review, and implement time frames for following up on incomplete after-action reports. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: FEMA agreed with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: FEMA should develop a mechanism to consistently track best practices, lessons learned, and corrective actions that have been elevated to headquarters for resolution. (Recommendation 3)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: FEMA agreed with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: FEMA should develop guidance on sharing after-action reports and their relevant findings with external stakeholders, when appropriate. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: FEMA agreed with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB, working with DHS, should develop a government-wide communications strategy to inform and, as appropriate, involve Congress, employees, and other stakeholders in implementation of the reform proposal to solve the cybersecurity workforce shortage. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB, working with DHS, should establish a dedicated government-wide leadership team with responsibility for implementing the reform proposal to solve the cybersecurity workforce shortage. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB, working with DHS, should develop a government-wide implementation plan with goals, timelines, key milestones, and deliverables to track and communicate implementation progress of the reform proposal to solve the cybersecurity workforce shortage. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB, working with DHS, should provide additional information to describe how the projects and activities associated with the reform proposal to solve the cybersecurity workforce shortage will address our high-risk issues related to ensuring the cybersecurity of the nation. (Recommendation 4)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB, working with DHS, should develop a government-wide workforce plan that assesses the effects of the reform proposal to solve the cybersecurity workforce shortage on the current and future federal workforce. (Recommendation 5)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should assess the costs and benefits of options for operating the GEAR Center. (Recommendation 6)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should develop an implementation plan that includes outcome-oriented goals, timelines, key milestones, and deliverables to track and communicate implementation progress of the reform proposal to establish the GEAR Center. (Recommendation 7)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Federal Insurance Office should publicly communicate information about when it is considering certifying an event as an act of terrorism under TRIA. (Recommendation 1)

Agency: Department of the Treasury: Office of the Under Secretary for Domestic Finance: Office of the Assistant Secretary for Financial Institutions: Office of Financial Institutions Policy: Federal Insurance Office
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Federal Insurance Office should document an agreement with DHS about DHS's role, and how the agencies share information, during the process of certifying an event as an act of terrorism under TRIA. (Recommendation 2)

Agency: Department of the Treasury: Office of the Under Secretary for Domestic Finance: Office of the Assistant Secretary for Financial Institutions: Office of Financial Institutions Policy: Federal Insurance Office
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Federal Insurance Office should document an agreement with DOJ about DOJ's role, and how the agencies share information, during the process of certifying an event as an act of terrorism under TRIA. (Recommendation 3)

Agency: Department of the Treasury: Office of the Under Secretary for Domestic Finance: Office of the Assistant Secretary for Financial Institutions: Office of Financial Institutions Policy: Federal Insurance Office
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of USCIS should update published guidance, such as Handbook for Employers: Guidance for Completing Form I-9 (M-274), to consistently identify each of the official mechanisms that USCIS may use to communicate automatic extensions of TPS employment authorization documents.

Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open

Comments: In its written comments on our draft report, DHS agreed with our recommendation and noted planned actions to implement it, including updating guidance in DHS's M-274 handbook. DHS's planned actions will address the intent of our recommendation if they include updating guidance regarding each of the official mechanisms that USCIS may use to communicate automatic extensions of TPS employment authorization documents, including the use of individually mailed notifications. When we confirm actions that the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Archivist of the United States should require small and micro agencies that were determined to be at high risk of not complying with statutory and regulatory records management requirements to develop plans and timelines to address their records management weaknesses (Recommendation 1)

Agency: National Archives and Records Administration: Office of the Archivist
Status: Open

Comments: The National Archives and Records Administration concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Archivist of the United States should monitor the agencies' progress towards these efforts on a regular basis. (Recommendation 2)

Agency: National Archives and Records Administration: Office of the Archivist
Status: Open

Comments: The National Archives and Records Administration concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Armed Forces Retirement Home should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 3)

Agency: Armed Forces Retirement Home
Status: Open

Comments: The Armed Forces Retirement Home did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Armed Forces Retirement Home establish a time frame to update its policies and procedures to include all of the required electronic information system functionalities for recordkeeping systems. (Recommendation 4)

Agency: Armed Forces Retirement Home
Status: Open

Comments: The Armed Forces Retirement Home did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Armed Forces Retirement Home should establish a time frame to update the agency's policies and procedures to include the (1) following records management controls required for electronic information systems: usability, content, context, and structure and (2) required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 5)

Agency: Armed Forces Retirement Home
Status: Open

Comments: The Armed Forces Retirement Home did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Armed Forces Retirement Home should ensure existing policies and procedures describe the rules for using personal email accounts when conducting official agency business to include instructing the employee to (1) copy an official electronic messaging account of the employee in the original creation or transmission of the records and (2) forward a complete copy of the record to an official electronic messaging account of the employee no later than 20 days after the original creation or transmission of the record. (Recommendation 6)

Agency: Armed Forces Retirement Home
Status: Open

Comments: The Armed Forces Retirement Home did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should establish a time frame to ensure all records schedules are up-to-date and submitted to NARA. The schedules should include all required information, including when eligible temporary records must be destroyed or deleted and when permanent records are to be transferred to NARA. (Recommendation 7)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: The Department of Commerce concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should ensure the electronic system that manages email provides the capabilities to manage permanent and temporary email records and to identify, retrieve, and retain records. (Recommendation 8)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: The Department of Commerce concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Consumer Financial Protection Bureau should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 9)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: The Consumer Financial Protection Bureau concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the bureau states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Executive Director of the Election Assistance Commission should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 10)

Agency: Election Assistance Commission
Status: Open

Comments: The U.S. Election Assistance Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Executive Director of the Election Assistance Commission should establish a time frame to develop a plan on how the agency intends to manage permanent electronic records. (Recommendation 11)

Agency: Election Assistance Commission
Status: Open

Comments: The U.S. Election Assistance Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Executive Director of the Election Assistance Commission should establish a time frame to update its policies and procedures to include all of the required electronic information system functionalities for recordkeeping systems. (Recommendation 12)

Agency: Election Assistance Commission
Status: Open

Comments: The U.S. Election Assistance Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Executive Director of the Election Assistance Commission should establish a time frame to update its policies and procedures to include the (1) following records management controls required for electronic information systems: content, context, and structure and (2) required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 13)

Agency: Election Assistance Commission
Status: Open

Comments: The U.S. Election Assistance Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Executive Director of the Election Assistance Commission should develop a written policy that describes the rules for using personal email accounts when conducting official agency business to include instructing the employee to (1) copy an official electronic messaging account of the employee in the original creation or transmission of the records and (2) forward a complete copy of the record to an official electronic messaging account of the employee no later than 20 days after the original creation or transmission of the record. (Recommendation 14)

Agency: Election Assistance Commission
Status: Open

Comments: The U.S. Election Assistance Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of the Federal Trade Commission should establish a time frame to update the agency's electronic information system inventory to include the following characteristics: reading and processing the records contained in the system, inputs and outputs, contents of the files and records, and cycle updates. (Recommendation 15)

Agency: Federal Trade Commission
Status: Open

Comments: The Federal Trade Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of the Marine Mammal Commission should use recently developed policies and procedures to implement and maintain an active, continuing agency records management program that includes policies and procedures to provide for effective controls over the creation, maintenance, and use of records in the conduct of current business. (Recommendation 16)

Agency: Marine Mammal Commission
Status: Open

Comments: The Marine Mammal Commission did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the commission states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the National Aeronautics and Space Administration should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 17)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the National Science Foundation should establish a time frame to ensure all records schedules are up-to-date and submitted to NARA. The schedules should include all required information, including when eligible temporary records must be destroyed or deleted and when permanent records are to be transferred to NARA. (Recommendation 18)

Agency: National Science Foundation
Status: Open

Comments: The National Science Foundation concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the foundation states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the National Science Foundation should establish a time frame to update the agency's electronic information system inventory to include the following characteristics: technical characteristics of the systems, identify inputs and outputs, and describe update cycles. (Recommendation 19)

Agency: National Science Foundation
Status: Open

Comments: The National Science Foundation concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the foundation states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the National Science Foundation should establish a time frame to update the agency's policies and procedures to include all of the records management controls required for electronic information systems and the required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 20)

Agency: National Science Foundation
Status: Open

Comments: The National Science Foundation concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the foundation states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the National Science Foundation should develop policies and procedures for the required retention and management requirements for email, including instructions to staff to ensure that the names and addresses of the sender, date of message, attachments, calendars, and draft documents will be retained. (Recommendation 21)

Agency: National Science Foundation
Status: Open

Comments: The National Science Foundation concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the foundation states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Management and Budget should ensure, in conjunction with the Executive Office of the President's Office of Administration, that existing policies and procedures incorporate the management of electronic records into its overall records management program. (Recommendation 22)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Management and Budget should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 23)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Management and Budget should establish a time frame to update its policies and procedures to include all of the required electronic information system functionalities for recordkeeping systems. (Recommendation 24)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Management and Budget should establish a time frame to ensure, in conjunction with the Office of Administration, that policies and procedures include the (1) following records management controls required for electronic information systems: reliability, context, and structure and (2) required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 25)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Management and Budget should ensure, in conjunction with the Office of Administration, that existing policies and procedures include the required retention and management requirements for email. (Recommendation 26)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of National Drug Control Policy should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 27)

Agency: Executive Office of the President: Office of National Drug Control Policy
Status: Open

Comments: The Office of the National Drug Control Policy did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of National Drug Control Policy should establish a time frame to ensure, in conjunction with the Office of Administration, that policies and procedures include the (1) following records management controls required for electronic information systems: reliability, context, and structure; and (2) required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 28)

Agency: Executive Office of the President: Office of National Drug Control Policy
Status: Open

Comments: The Office of the National Drug Control Policy did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of National Drug Control Policy should ensure, in conjunction with the Office of Administration, that existing policies and procedures include the required retention and management requirements for email. (Recommendation 29)

Agency: Executive Office of the President: Office of National Drug Control Policy
Status: Open

Comments: The Office of the National Drug Control Policy did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the office states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management should establish a time frame to ensure that all records schedules are up-to-date and submitted to NARA. The schedules should include all required information, including when eligible temporary records must be destroyed or deleted and when permanent records are to be transferred to NARA. (Recommendation 30)

Agency: Office of Personnel Management: Office of the Director
Status: Open

Comments: The Office of Personnel Management concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 31)

Agency: Office of Personnel Management: Office of the Director
Status: Open

Comments: The Office of Personnel Management concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management should establish a time frame to develop a plan to manage permanent electronic records. (Recommendation 32)

Agency: Office of Personnel Management: Office of the Director
Status: Open

Comments: The Office of Personnel Management concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management should establish a time frame to update its policies and procedures to include all of the required electronic information system functionalities for recordkeeping systems. (Recommendation 33)

Agency: Office of Personnel Management: Office of the Director
Status: Open

Comments: The Office of Personnel Management concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management should establish a time frame to update the agency's policies and procedures on retention and management for email to include retaining electronic calendars and draft documents. (Recommendation 34)

Agency: Office of Personnel Management: Office of the Director
Status: Open

Comments: The Office of Personnel Management concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Overseas Private Investment Corporation should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. (Recommendation 35)

Agency: Overseas Private Investment Corporation (OPIC)
Status: Open

Comments: The Overseas Private Investment Corporation did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Overseas Private Investment Corporation should establish a time frame to develop policies and procedures that define required electronic information system functionalities for recordkeeping systems including declaring records and assigning unique identifiers, capturing records, maintaining security, and preserving records. (Recommendation 36)

Agency: Overseas Private Investment Corporation (OPIC)
Status: Open

Comments: The Overseas Private Investment Corporation did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Overseas Private Investment Corporation should establish a time frame to update the agency's policies and procedures to include the (1) following records management controls required for electronic information systems: reliability, content, context, and structure; and (2) required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 37)

Agency: Overseas Private Investment Corporation (OPIC)
Status: Open

Comments: The Overseas Private Investment Corporation did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Chief Executive Officer of the Overseas Private Investment Corporation should establish a time frame to update the agency's policies and procedures on retention and management for email to include policies for retaining electronic calendars. (Recommendation 38)

Agency: Overseas Private Investment Corporation (OPIC)
Status: Open

Comments: The Overseas Private Investment Corporation did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Peace Corps should establish a time frame to update the agency's electronic information systems inventory to (1) specify technical characteristics necessary for reading and processing the records contained in the system, (2) identify system inputs and outputs, (3) define the contents of the files and records, (4) determine restrictions on access and use, and (5) specify how the agency ensures the timely disposition of records. (Recommendation 39)

Agency: Peace Corps
Status: Open

Comments: The Peace Corps did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Peace Corps should establish a time frame to update its policies and procedures to include all of the required electronic information system functionalities for recordkeeping systems. (Recommendation 40)

Agency: Peace Corps
Status: Open

Comments: The Peace Corps did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Peace Corps should establish a time frame to update the agency's policies and procedures to include (1) following records management controls required for electronic information systems: usability, context, and structure and (2) required preservation mechanisms to ensure that records in its electronic recordkeeping system will be retrievable and useable. (Recommendation 41)

Agency: Peace Corps
Status: Open

Comments: The Peace Corps did not state whether or not it concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Executive Director of Udall Foundation should establish a time frame to develop and maintain an active, continuing agency records management program that includes policies and procedures to provide for effective controls over the creation, maintenance, and use of records in the conduct of current business. (Recommendation 42)

Agency: Morris K. Udall and Stewart L. Udall Foundation
Status: Open

Comments: The Udall Foundation concurred with this recommendation. As of June 2020, we had not received information pertaining to planned actions for this recommendation. Once the foundation states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1)

Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open

Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.

Recommendation: The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.

Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171 , "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations;" and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.

Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.

Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5)

Agency: Environmental Protection Agency
Status: Open

Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.

Recommendation: The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800 and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implementing the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.

Recommendation: The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.

Recommendation: The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9)

Agency: Department of Transportation: Office of the Secretary
Status: Open

Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10)

Agency: Department of the Treasury: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.

Recommendation: The Secretary of HHS should direct the Biodefense Coordination Team to establish a plan that includes change management practices—such as strategies for feedback, communication, and education—to reinforce collaborative behaviors and enterprise-wide approaches and to help prevent early implementation challenges from becoming institutionalized. (Recommendation 1)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of HHS should direct the Biodefense Coordination Team to clearly document guidance and methods for analyzing the data collected from the agencies, including ensuring that nonfederal resources and capabilities are accounted for in the analysis. (Recommendation 2)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of HHS should direct the Biodefense Coordination Team to establish a resource plan to staff, support, and sustain its ongoing efforts. (Recommendation 3)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of HHS should direct the Biodefense Coordination Team to clearly document agreed upon processes, roles, and responsibilities for making and enforcing enterprise-wide decisions. (Recommendation 4)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The CBP Commissioner should issue updated Border Patrol and OFO training materials that reflect the correct definition of a family unit and guidance for recording that information. (Recommendation 1)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation. When we confirm what actions the CBP has taken in response to this recommendation, we will provide updated information.

Recommendation: The CBP Commissioner should provide written guidance to Border Patrol agents and OFO officers about what narrative information should be recorded on the child's and the accompanying adult's Forms I-213 to document cases in which CBP determines that a parent–child relationship may be invalid. (Recommendation 2)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation. When we confirm what actions the CBP has taken in response to this recommendation, we will provide updated information.

Recommendation: The CBP Commissioner should develop and implement additional controls to ensure that Border Patrol agents accurately record family unit separations in its data system. (Recommendation 3)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In commenting on a draft of this report, DHS reported that CBP plans to add enhancements to Border Patrol's processing system that will prompt agents to create family units within the system, when applicable. Upon completion of these enhancements, CBP plans to provide training to agents to describe the enhancements to help ensure that family units are recorded when necessary. DHS estimates these actions will be completed by September 30, 2020. To fully address our recommendations, CBP should develop and implement controls to ensure agents are accurately recording family unit separations in its data system.

Recommendation: The CBP Commissioner should update Border Patrol's and OFO's data systems to ensure data captured on family unit separation reasons clearly align with CBP policy. (Recommendation 4)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation and provided documentation of guidance that OFO and Border Patrol issued about data system updates. We are reviewing the information and documents DHS provided to assess the extent to which CBP fully addressed this recommendation.

Recommendation: The CBP Commissioner should develop and implement additional controls to ensure that Border Patrol agents include a narrative description of a family unit separation on the parent's / legal guardian's and child's Forms I-213, including the reason for the separation. (Recommendation 5)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation. When we confirm what actions the CBP has taken in response to this recommendation, we will provide updated information.

Recommendation: The CBP Commissioner should provide guidance to Border Patrol agents and OFO officers on the narrative information they are to include about family unit separation events on the parent's / legal guardian's and child's Forms I-213. (Recommendation 6)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: DHS concurred with this recommendation. When we confirm what actions the CBP has taken in response to this recommendation, we will provide updated information.

Recommendation: The ICE Director should develop and implement a mechanism to systematically track in its data system the family units ICE separates. (Recommendation 7)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In commenting on a draft of our report, DHS reported that ICE is modifying its data system to track separations and reunification throughout the Office of Enforcement and Removal Operations' enforcement process. DHS estimates that this process will be complete by September 30, 2020. To fully address this recommendation, ICE should ensure that it has a mechanism in its data system to systematically track the family units it separates.

Recommendation: The Secretary of Homeland Security, jointly with the Secretary of Health and Human Services, should collaborate to address information sharing gaps identified in this report to ensure that ORR receives information needed to make decisions for UAC, including those apprehended with an adult. (Recommendation 8)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that the Office of Strategy, Policy, and Plans will work with relevant components and HHS to document current information-sharing practices to validate the remaining gaps and draft a joint plan between DHS and HHS to ensure that HHS receives information needed to make decisions for unaccompanied children, including those apprehended with an adult. DHS estimated that these actions will be completed by December 31, 2020. Further DHS and HHS collaboration about information sharing methods and ways to enhance interagency agreements would better position HHS to make informed and timely decisions for unaccompanied children.

Recommendation: The Secretary of Health and Human Services, jointly with the Secretary of Homeland Security, should collaborate to address information sharing gaps identified in this report to ensure that ORR receives information needed to make decisions for UAC, including those apprehended with an adult. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: In commenting on a draft of our report, HHS reported that the department plans to coordinate with DHS, beginning in June 2020, on periodic updates to the interagency Joint Concept of Operations. To fully address this recommendation, HHS and DHS should address the information sharing gaps identified in our report.

Recommendation: The Secretary of Homeland Security should identify the information about family members apprehended together that its components collectively need to process those family members and communicate that information to its components. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: According to DHS, in June 2020, DHS's Office of Immigration Statistics launched a Family Status Data Standards Community of Interest (COI) under the purview of the DHS Immigration Data Integration Initiative. In August 2020, DHS reported that the Family Status COI includes subject matter experts and data system managers from DHS components, the Department of Health and Human Services, and the Executive Office for Immigration Review. The COI's mandate includes drafting common DHS-wide and interagency data standards (common codes, common definitions, common formats) for all topics related to family status, including codes to identify the reasons for family separation, members apprehended together, and unaccompanied children. DHS expects to complete these actions by September 30, 2020. Identifying and communicating department-wide information needs with respect to family members who have been apprehended together should help provide DHS with greater assurance that its components are identifying all individuals who may be eligible for relief from removal from the United States based on their family relationships.

Recommendation: The Secretary of Homeland Security should ensure that, at the time of apprehension, CBP collects the information that DHS components collectively need to process family members apprehended together. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that its Office of Immigration Statistics (OIS) will work with relevant components and offices to ensure all required information is collected at the time of apprehension on the Form I-213 when processing family members apprehended together. As of August 2020, DHS reported that DHS OIS continues to work with relevant components and offices to ensure all required information is collected at the time of apprehension on Form I-213 when processing family members apprehended together. DHS expects to complete these actions by September 30, 2020. Collecting information about the relationships between family members apprehended together and documenting that information on the Form I-213 could help address fragmentation among DHS components and improve the information available to other agencies.

Recommendation: The Secretary of Homeland Security should ensure that CBP documents the information that DHS components collectively need to process family members apprehended together on the Form I-213. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that, upon implementation of the steps the department plans to take in response to our second recommendation, CBP will issue guidance to the field to ensure that CBP agents and officers document the information that DHS components collectively need to process family members. In August 2020, DHS reported that component agencies continue to collaborate to define the process of family members apprehended together, as will be reflected on CBP Form I-213. DHS estimates issuing this guidance by March 31, 2021. Collecting information about the relationships between family members apprehended together and documenting that information on the Form I-213 could help address fragmentation among DHS components and improve the information available to other agencies.immigration or other proceedings.

Recommendation: The Secretary of Homeland Security should evaluate options for developing a unique identifier shared across DHS components' data systems to link family members apprehended together. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In commenting on a draft of our report, DHS reported that its Office of Immigration Statistics (OIS) plans to work with relevant components to develop a unique shared identifier linking family members apprehended together. According to DHS, DHS OIS launched the Family Status Community of Interest (COI) in June 2020, and the COI has since established a bi-weekly meeting schedule. The COI's initial focus is on standard codes describing the reasons for family separations. Upon completing the family separation reason standard, DHS reported that the COI will prioritize developing common codes to identify family members apprehended together. DHS estimates completing these actions by March 31, 2021. Evaluating options for developing a shared unique family member identifier across components that would allow each component access to certain information about family members apprehended together would help bridge the information gaps about family relationships between components caused by DHS's fragmented data systems.

Recommendation: The Director of USCIS should ensure that, in addition to USCIS's basic asylum officer training, all asylum offices provide pre-departure training on the credible and reasonable fear processes before their officers begin screening cases at the family residential centers. (Recommendation 1)

Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open

Comments: In commenting on a draft of our report, DHS reported that USCIS plans to develop a standardized pre-departure training and provide this training to all detailees prior to deployment to the family residential centers. DHS estimated that these actions would be completed by September 2020. As of August 2020, USCIS told GAO that the number of noncitizens processed under expedited removal has decreased dramatically as a result of Coronavirus Disease 2019. Therefore, details to the Family Residential Centers have largely been paused. USCIS noted that the Asylum Division is reviewing the credible fear and reasonable fear training requirements; working on an enhanced training module; and, developing a standardized pre-departure training by December 31, 2020. USCIS plans to provide the training to all detailees prior to deployment to the Family Residential Centers during calendar year 2021, should the details resume. Providing pre-departure training, in addition to USCIS's basic training for new asylum officers, would help USCIS ensure that officers from all asylum offices are conducting efficient and effective fear screenings of families.

Recommendation: The Director of USCIS should ensure asylum officers systematically record in USCIS's automated case management system if individuals receive credible fear determinations as principal applicants, dependents, or in the interest of family unity, pursuant to regulation or USCIS policy. (Recommendation 3)

Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open

Comments: In commenting on a draft of our report, DHS reported that USCIS planned to explore ways to modify its case management system so that asylum officers can record whether an individual received a positive credible fear determination as a principal applicant, dependent, or in the interest of family unity. USCIS plans to make any appropriate changes to its case management system and train asylum officers on these changes by December 2020. As of August 2020, USCIS reported that the agency remains on track to complete this work as planned, provided staffing is not affected by USCIS budget issues. Having complete data in its case management system on all outcomes of credible fear screenings at family residential centers would better position USCIS to report on the scope of either the agency's policy for family members who are treated as dependents, pursuant to regulation, or USCIS's use of discretion in the interest of family unity.

Recommendation: The Director of USCIS should collect and analyze additional information on case delays, including specific reasons for delays and how long they last, that asylum officers may face when screening credible and reasonable fear cases. (Recommendation 4)

Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open

Comments: In commenting on a draft of our report, DHS reported that USCIS will explore ways to collect additional information on credible and reasonable fear case delays in its case management system. USCIS plans to modify the system, as appropriate, to instruct users on the changes, and begin collecting and analyzing the information by December 31, 2020. As of August 2020, USCIS reported that the agency remains on track to accomplish this work by the end of calendar year 2020, provided staffing is not adversely affected by the on-going COVID-19 pandemic and USCIS budget issues. Collecting additional information in its automated case management system on case delays would provide USCIS with more readily available information and analyzing such data could help USCIS identify case delay reasons relevant in the current environment for officers conducting fear screenings and better position USCIS to mitigate the reasons for the delays and improve efficiency in case processing.

Recommendation: The TSA Administrator should direct T&D and Security Operations to monitor for instances of TSO non-compliance by individual commercial airports across fiscal years that could potentially warrant corrective action at the headquarters level. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In January 2020, TSA's formal comment letter in response to our draft report stated that T&D will begin recording instances of noncompliance and work with Security Operations to monitor trends at individual airports and with specific courses. TSA also reported that T&D had developed a repository in its iShare database for this information at the end of 2019 and the agency is currently testing various options for reporting and pulling data. Once options are chosen and incorporated into its standard operating procedures, TSA reports that T&D will begin sharing the reports with Security Operations on a monthly basis. In July 2020, TSA officials told us that T&D had begun sharing training compliance reports from their database with Security Operations and discussing the results with them on a monthly basis. This database allows T&D to recognize trends at individual airports and specific courses throughout the fiscal year. Going forward, this process will enable T&D to identify noncompliance trends across fiscal years. We will continue to montior these efforts to verify that the T&D is montioring trends across fiscal years and work with TSA towards closure of this recommendation.

Recommendation: The Executive Assistant Administrator / Director of FAMS should identify and utilize a suitable system that provides information about air marshals' medical qualification status. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS is evaluating case management software to track this information and plans to pursue funding for this effort in fiscal year 2021.This action, if fully implemented, should address the intent of the recommendation. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Assistant Administrator / Director of FAMS should develop and implement a plan to assess the health and fitness of the FAMS workforce as a whole, including trends over time. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS had established a team to develop a plan for assessing workforce health and wellness issues. Adopting and implementing a plan that assesses the health and fitness of the FAMS workforce as a whole, should address the intent of the recommendation. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Assistant Administrator / Director of FAMS should identify and implement a means to monitor the extent to which air marshals' actual shifts and rest hours are consistent with scheduling guidelines. (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS will begin tracking air marshals' actual hours and examine the extent to which air marshals' actual and scheduled hours vary. This information could be helpful, for example, in assessing air marshals' schedule predictability. However, to address the intent of this recommendation, FAMS would need to monitor the extent that air marshals' actual work and rest hours are consistent with FAMS's scheduling guidelines. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Assistant Administrator / Director of FAMS should take steps to reaffirm and strengthen efforts to prevent discrimination by, for example, updating and following through on its 2012 action plan and renewing leadership commitment to the plan's goals. (Recommendation 6)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS plans to review the goals of its 2012 action plan and develop steps to strengthen efforts to prevent discrimination. These actions, if fully implemented, should address the intent of the recommendation. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should develop specific, measurable goals and performance measures for its efforts to monitor the performance of new WEA capabilities, such as enhanced geo-targeting and expanded alert message length. (Recommendation 1)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the IPAWS program should document how it plans to address key actions needed to educate alerting authorities in their use of IPAWS and implement a mechanism that will allow FEMA to regularly and systematically obtain and analyze feedback on alerting authorities' educational needs. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the IPAWS program should establish procedures to prioritize pending IPAWS applications and to follow up with applicants to address these applications. (Recommendation 3)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The CISA Director should ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: The agency agreed with the recommendation and has taken steps towards implementing it. Specifically, in March 2020 CISA finalized its operations plan for the 2020 elections. CISA's operations plan addresses one of the 13 objectives and key actions from the strategic plan -- monitor threat activity. While CISA's operations plan is to supplement the agency's strategy, the plan does not fully address any of the four lines of effort and the other 12 objectives outlined in the strategic plan. When examining the key actions for the remaining 12 objectives in the strategic plan, we were only able to confirm that 10 of the 27 key actions called for in those strategic plan objectives were fully addressed. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The CISA Director should document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency's 2020 planning. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: The agency agreed with the recommendation and has taken steps towards implementing it. We reported in February 2020 that CISA's strategic plan had only addressed three challenges from its external lessons learned review. Subsequently, CISA addressed two additional challenges in its operations plan, which was finalized in March 2020, and its election infrastructure subsector specific plan, which was updated in March 2020. CISA's plans addressed challenges regarding the agency's role in sharing and collecting intelligence across the election community and facilitating industry-wide vulnerability disclosures. However, CISA has not documented how the agency intends to address other identified challenges and how it will incorporate remedial actions into the agency's 2020 planning. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Commandant of the Coast Guard should direct the Assistant Commandant for Engineering and Logistics and Assistant Commandant for Prevention Policy to update the Coast Guard's ATON-related initiatives to include the specific outcomes to be achieved and associated time frames. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: DHS concurred with our recommendation and stated that the Coast Guard plans to review and update ATON-related initiatives to include specific outcomes with associated implementation milestones by December 31, 2020.

Recommendation: The FEMA administrator should revise FEMA's cost-estimating guidance for Public Assistance projects to fully align with all 12 steps in the GAO Cost Estimating and Assessment Guide. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: The agency agreed with the recommendation and is working to address it.

Recommendation: The FEMA administrator should develop a repository for all current applicable Public Assistance policies and guidance for Puerto Rico and make it available to all recovery partners, including subrecipients. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: The agency agreed with the recommendation and is working to address it.

Recommendation: The Secretary of Homeland Security should develop a strategy to independently validate selected agencies' self-reported actions on meeting binding operational directive requirements, where feasible, using a risk-based approach. (Recommendation 2)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: DHS has drafted a preliminary strategy to independently validate agencies' actions, using a risk-based approach. However, this strategy has not yet been finalized and needs to more clearly align to the existing directive development process, to which it serves as an addendum. The strategy should include when and how primary and secondary sources of information for independent validation are selected within the directive development process.

Recommendation: The Secretary of Homeland Security should develop a schedule and plan for completing the high value asset program reassessment and addressing the outstanding issues on completing the required high value asset assessments, identifying needed resources, and finalizing guidance for Tier 2 and 3 HVA systems. (Recommendation 4)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FEC, in consultation with DOJ, should review guidance addressing coordination with DOJ, to include the MOU, and once a quorum of commissioners is in place, update that guidance as appropriate based on the review. (Recommendation 1)

Agency: Federal Election Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Attorney General, in consultation with the FEC, should review guidance addressing coordination with the FEC, to include the MOU, and once a quorum of commissioners is in place, update that guidance as appropriate based on the review. (Recommendation 2)

Agency: Department of Justice: Office of the Attorney General
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Secret Service should identify which types of investigations and activities best prepare special agents for protective responsibilities. (Recommendation 1)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Director of the Secret Service should develop a framework to help ensure special agents have an opportunity to work, to the extent possible, investigations and activities that best prepare them for protection. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Director of the Secret Service should establish a documented process to ensure that Office of Investigations resources are aligned with priority criminal threats. The process should outline key information to be included in plans for addressing priority threats. (Recommendation 3)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Director of the Secret Service should identify investigations that address priority criminal threats agencywide and collect data on the resources expended to investigate the threats. (Recommendation 4)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the Undersecretary for Management develops an oversight process to confirm that programs' schedule goals are developed and updated in accordance with GAO's Schedule Assessment Guide, to include ensuring traceability between APB schedule goals and IMSs. (Recommendation 1)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that the Management Directorate's Office of Program Accountability and Risk Management (PARM) developed a checklist based on GAO's Schedule Assessment Guide, among other things, to evaluate programs' IMSs. PARM also plans to develop guidance on schedules which is intended to assist the Component Acquisition Executives (CAE) and acquisition program staff responsible for building IMSs and APBs. In July 2020, PARM officials reported that the schedule checklist was already being used to evaluate and ensure program IMSs adhered to GAO's Schedule Assessment Guide. In addition, PARM officials are updating and drafting guidance on schedules to assist CAEs and program staff when building IMSs and APBs. As of July 2020, PARM was still in the process of executing these efforts.

Recommendation: The Secretary of Homeland Security should ensure that the Undersecretary for Management revises the schedule development guidance in the Systems Engineering Life Cycle Guidebook to state clearly that an IMS should be used as the basis for APB schedule goals. (Recommendation 2)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: DHS concurred with our recommendation and stated that Management Directorate's Office of Program Accountability and Risk Management (PARM) was in the process of revising the Systems Engineering Life Cycle Guidebook and would clarify the language relating to IMSs to ensure guidance is consistent. As of July 2020, PARM was still in the process of revising the Systems Engineering Life Cycle Guidebook.

Recommendation: The Secretary of Homeland Security should establish and implement a time frame for completing its drafting of the AED regulations and submitting them to the Office of Management and Budget for further review. (Recommendation 1)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: According to DHS, the department was still reviewing its AED regulations in March 2020. Thus, DHS had not completed drafting the regulations or submitted them to the Office of Management and Budget for further review. DHS aims to publish the regulations by July 2020.

Recommendation: The Director of OMB should establish a process for monitoring and holding agencies accountable for authorizing cloud services through FedRAMP. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Priority recommendation

Comments: OMB neither agreed nor disagreed with this recommendation and as of September 2020, the office has not provided information on its actions to implement our recommendation. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. According to an OMB Associate General Counsel, the agency does not have a mechanism for enforcing agencies' compliance with its guidance on FedRAMP. However, we believe that OMB can and should hold agencies accountable for complying with its policies. By implementing this recommendation, OMB could substantially improve participation in the FedRAMP program, which is intended to standardize security requirements for federal agencies' authorizations of cloud services. We will update the status of this recommendation when OMB provides information on its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. (Recommendation 2)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to improve the program's continuous monitoring process by allowing more automated capabilities, including for agencies to review documentation. (Recommendation 3)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update security plans for selected systems to include the description of security controls and reviews and approvals plan. (Recommendation 4)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 5)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the list of corrective actions for selected systems to identify the responsible office and estimated funding required and anticipated source of funding. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 7)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security plan for the selected system to identify the authorization boundary, the system operational environment and connections, a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 8)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 9)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the list of corrective actions for the selected system to identify the specific weaknesses, funding source, changes to milestones and completion dates, identified source of weaknesses, and status of corrective actions. (Recommendation 10)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status once CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the system security plans for selected systems to identify a description of security controls. (Recommendation 11)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the security assessment report for selected system to identify the summarized results of control effectiveness tests. (Recommendation 12)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update and document the CMS remedial action plan for the selected system to identify the anticipated source of funding. (Recommendation 13)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to prepare letters authorizing the use of cloud services for the selected systems and submit the letters to the FedRAMP program management office. (Recommendation 14)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update security plans for selected systems to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. (Recommendation 15)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the security assessment report for selected systems to identify summarized results of control effectiveness tests. (Recommendation 16)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the NIH list of corrective actions for selected systems to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. (Recommendation 17)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to submit the division's letters authorizing the use of cloud services for the selected systems to the FedRAMP program management office. (Recommendation 18)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Administrator of EPA should update security plan for the selected operational system to identify a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. (Recommendation 20)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the list of corrective actions for the selected operational system to identify the specific weakness, estimated funding and anticipated source of funding, key remediation milestones with completion dates, changes to milestones and completion dates, and source of the weaknesses. (Recommendation 21)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking action to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should prepare the letter authorizing the use of cloud service for the selected operational system and submit the letter to the FedRAMP program management office. (Recommendation 22)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should develop guidance requiring that cloud service authorization letter be provided to the FedRAMP program management office. (Recommendation 23)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any additional evidence. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Chief Executive Officer of CNCS should develop an approach to ensure that all relevant participants are involved in the agency-wide process for prioritizing evidence needs. (Recommendation 1)

Agency: Corporation for National and Community Service
Status: Open

Comments: In comments on a draft of this report, the Corporation for National and Community Service (CNCS) neither agreed nor disagreed with this recommendation. Subsequently, in a June 2020 letter, CNCS stated that it agreed with our recommendation and described planned actions to strengthen its agency-wide evidence prioritization process. Among these planned actions were proposed changes to CNCS's approach for involving key participants from across the agency in the process. However, as of October 2020, CNCS had not yet provided us with documentation that would allow us to (1) assess the extent to which they address our recommendation and (2) confirm that these proposed changes were approved. We will continue to monitor CNCS's actions to address this recommendation.

Recommendation: The Chief Executive Officer of CNCS should define roles and responsibilities for all relevant participants involved in the agency-wide process for prioritizing evidence needs. (Recommendation 2)

Agency: Corporation for National and Community Service
Status: Open

Comments: In comments on a draft of this report, the Corporation for National and Community Service (CNCS) neither agreed nor disagreed with this recommendation. Subsequently, in a June 2020 letter, CNCS stated that it agreed with our recommendation and described planned actions to strengthen its agency-wide evidence prioritization process. Among these planned actions were workforce planning and hiring based on the knowledge, skills, and abilities needed for CNCS to address its evidence priorities. The letter stated that once those actions were completed, CNCS would revisit the roles and responsibilities of participants involved in the agency's evidence-building activities. We will continue to monitor CNCS's actions to address this recommendation.

Recommendation: The Chief Executive Officer of CNCS should revise written guidance for the agency-wide process for prioritizing evidence needs to ensure it identifies all relevant participants and their respective roles and responsibilities. (Recommendation 3)

Agency: Corporation for National and Community Service
Status: Open

Comments: In comments on a draft of this report, the Corporation for National and Community Service (CNCS) neither agreed nor disagreed with this recommendation. Subsequently, in a June 2020 letter, CNCS stated that it agreed with our recommendations and described planned actions to strengthen its agency-wide evidence prioritization process. However, as of October 2020, CNCS had not yet provided us with documentation that would allow us to (1) confirm that these proposed changes were approved and (2) assess the extent to which written guidance for the revised process addresses our recommendation. We will continue to monitor CNCS's actions to address this recommendation.

Recommendation: The Secretary of Labor should develop an approach to ensure that all relevant participants are involved in the department-wide process for prioritizing evidence needs. (Recommendation 6)

Agency: Department of Labor
Status: Open

Comments: In a November 2019 letter providing comments on a draft of this report, the Department of Labor (DOL) agreed with this recommendation. The letter further described actions DOL planned to take to address it. DOL stated that in fiscal year 2020 it would update its written guidance to formalize the involvement of relevant participants in department-wide evidence-building activities. However, as of October 2020, DOL had not yet provided us with documentation that would allow us to assess the extent to which its updated guidance addresses our recommendation. We will continue to monitor DOL's actions to address this recommendation.

Recommendation: The Secretary of Labor should revise written guidance for the department-wide process for prioritizing evidence needs to ensure it identifies all relevant participants and their respective roles and responsibilities. (Recommendation 7)

Agency: Department of Labor
Status: Open

Comments: In a November 2019 letter providing comments on a draft of this report, the Department of Labor (DOL) agreed with this recommendation. The letter further described actions DOL planned to take to address it. DOL stated that in fiscal year 2020 it would update its written guidance to formalize the involvement of relevant participants in department-wide evidence-building activities. However, as of October 2020, DOL had not yet provided us with documentation that would allow us to assess the extent to which its updated guidance addresses our recommendation. We will continue to monitor DOL's actions to address this recommendation.

Recommendation: The Coast Guard should conduct a comprehensive analysis of its Deployable Specialized Forces' workforce needs. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: In November 2019, GAO reported that the Coast Guard did not fully apply a leading practice for using data and evidence when it reorganized its Deployable Specialized Forces because it had not assessed its overall Specialized Forces workforce needs, as recommended by this practice. The Coast Guard, through DHS, concurred with GAO's recommendation that it conduct a comprehensive analysis of its Specialized Forces' workforce needs. In its May 2020 180-day letter response, DHS stated that the Coast Guard identified its Maritime Safety and Security Team as the highest priority Specialized Forces unit for workforce analysis and that it is scheduled to be completed by the end of fiscal year 2021 but noted that the overall completion of all five unit types is subject to available funding and is not estimated to be completed until September 20, 2025. As GAO reported in November 2019, officials from some of these units stated that they experienced periods of underutilization, while other units with the same or similar capabilities turned down operations for lack of available personnel. Without a comprehensive analysis in place, the Coast Guard does not have the assurance that it has the requisite number of personnel in the right units to conduct the required missions. GAO will continue to monitor Coast Guard actions to address this recommendation.

Recommendation: The Coast Guard should assess the extent to which unnecessary overlap or duplication exists among Deployable Specialized Forces' capabilities. (Recommendation 2)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: In November 2019, GAO reported that the Coast Guard did not address potential overlap and duplication within its Specialized Forces. GAO identified some overlap among the capabilities of the different Specialized Forces units and the Coast Guard missions they support. The Coast Guard did not agree with the recommendation in its November 2019 response to GAO's draft report. At that time, DHS stated that GAO's conclusions illustrate a fundamental misunderstanding of the corresponding missions of Specialized Forces units. However, in technical comments provided in March 2020, the Coast Guard indicated that as of February 2020 it had not conducted the analysis necessary to fully identify potential overlap among the units. The Coast Guard stated that it is planning to begin analyzing the units this fiscal year. In its May 2020 180-day letter response, DHS stated that given current funding constrains and competing mission requirements, the Coast Guard could not consider conducting analyses not directly tied to improving mission outcomes. GAO continues to maintain that overlapping capabilities among units could indicate inefficiencies in how units are used as well as missed opportunities for use in others. Further, it is unclear why DHS and the Coast Guard simultaneously agreed to conduct the comprehensive workforce analyses of its Specialized Forces in the same 180-day letter (in response to recommendation #1 for this report), analyses that could inform an assessment of the extent to which unnecessary overlap and duplication exists among these units, while declining to address this recommendation. Without a comprehensive analysis in place, the Coast Guard does not have the assurance that it has the requisite number of personnel in the right units to conduct the required missions. GAO will continue to monitor Coast Guard actions to address this recommendation.

Recommendation: The TSA Administrator should clarify roles and responsibilities for all offices involved in the coordination of surface transportation exercises, including when these offices are to coordinate, as part of the planned revision of the Surface Division's Internal Operating Procedure for I-STEP. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with the recommendation and will develop a standard operating procedure to clarify the roles and responsibilities for all offices involved in the coordination of surface transportation exercises, including when these offices are to coordinate, in conjunction with the planned revision of I-STEP's Surface Division Internal Operating Procedure. As part of this, TSA initiated a Surface Exercise Steering Group in January 2020 to clarify surface roles and responsibilities and to discuss a new approach for coordination of surface exercises. TSA estimates completing these actions by September 30, 2020.

Recommendation: The Administrator of TSA should document which rule review process TSA I&A uses (exigent or standard) for each new rule or rule change; (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and agreed to document which rule review process TSA I&A uses (exigent or standard) for each new rule or rule change. In March 2020, TSA updated its SOP to require that the selected rule review process be documented for each new rule and rule change. TSA's policy change is a positive first step, but to fully address this recommendation, TSA will need to demonstrate that the selected rule review process is now being documented.

Recommendation: The Administrator of TSA should explore additional data sources measuring the effectiveness of Silent Partner and Quiet Skies rules. (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and, in May 2020, DHS officials stated that they are reviewing data sources and assessing potential ways to assess the effectiveness of Quiet Skies and Silent Partner screening rules. DHS officials stated that they plan to fully address this recommendation by December 2020.

Recommendation: The Secretary of Transportation should direct the Administrator of FTA to identify and develop controls, such as methods to more easily identify transit expenses within applications submitted by larger entities, such as a city, county, or state government, to address the risk of duplicate funding. (Recommendation 1)

Agency: Department of Transportation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should direct the Administrator of FEMA to identify and develop controls, such as methods to more easily identify transit expenses within applications submitted by larger entities such as a city, county, or state government, to address the risk of duplicate funding. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to fully meet the key practice for programs to test that components and subsystems work together as a system in a controlled setting before finalizing a system's design. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify that acquisition programs demonstrate that components and subsystems work together before finalizing a system's design. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of updating the policy and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE, in coordination with OCPO, to develop an assessment process-including establishing performance measures-to help ensure T&E training achieves desired results. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the knowledge and skill requirements for the T&E workforce and establish performance goals for the training. DHS Test and Evaluation Division (TED), in coordination with OCPO, also plan to develop strategies to address any deficiencies with the current training that do not meet the identified requirements. In April 2020, TED officials said that they developed a new survey process to obtain recurring feedback from participants on the training's impact on their ability to perform T&E duties as assigned over time to inform the annual review of the T&E curriculum. However, this effort is still in a piloting stage so the extent to which this information is used to assess the training is still unknown at this time. As of July 2020, TED was still in the process of executing these efforts.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to specify when in the acquisition life cycle a major acquisition program manager should designate a level III certified T&E manager. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify when in the acquisition lifecycle acquisition program managers should designate a qualified T&E manager. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of revising the policy to include this specification and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to establish an internal control process to ensure that data collected and maintained on major acquisition programs' T&E managers are reliable. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to establish an internal control process to reliably collect and maintain data on acquisition programs' assigned test and evaluation managers. In April 2020, DHS Test and Evaluation Division (TED) reported taking steps to ensure the validity of this data including establishing points of contacts within each component to cross-check collected information for accuracy and having the Director review collected data on a quarterly basis beginning in third quarter fiscal year 2020. As of July 2020, TED was still in the process of improving its internal collection process, but had not completed these efforts.

Recommendation: The Secretary for Homeland Security should direct the Under Secretary for Science and Technology to assess OTE's workforce to ascertain the extent to which it has the appropriate number of staff with the necessary skills to fulfill its responsibilities. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the Test and Evaluation Division's (TED) workforce by reviewing current staffing levels and vacancies against the division's roles and responsibilities. The Senior Official Performing the Duties of the Under Secretary for Science and Technology plans to use the results of this review to inform strategic hiring in future years, if needed. In February 2020, DHS released its fiscal year 2020 strategic guidance memorandum for the Science and Technology (S&T) Directorate which included a statement pertaining to resourcing S&T's test and evaluation capabilities. However, as of July 2020, S&T had not yet conducted its review of TED's workforce.

Recommendation: The Commandant of the Coast Guard should ensure that the Deputy Commandant for Mission Support implements risk management processes that more fully align with the five key steps outlined in DHS's Critical Infrastructure Risk Management Framework to better guide agency shore infrastructure investment decisions. This should include (1) setting goals and objectives, (2) identifying critical infrastructure, (3) assessing and analyzing risks and costs, (4) implementing risk management activities, and (5) measuring the effectiveness of actions taken. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: The Coast Guard concurred with the spirit of GAO's recommendation to formalize its shore infrastructure risk management processes. As noted in their formal comment, the Coast Guard was mandated by the DHS Under Secretary for Management to follow risk management guidance outlined in the DHS Resilience Framework in March 2018. The Coast Guard reported that progress towards implementing GAO's recommendation is expected to be concurrent with the development and implementation of the Component Resilience Plan in accordance with the DHS Resilience Framework. According to the Coast Guard, the DHS-mandated Component Resilience Plan assigns a mission criticality level and resilience factor to each shore facility based on a criticality assessment, inter-dependencies between mission essential assets and functions, and risk. It will then align its current resilience factor formulation to that defined through the process in the DHS Resilience Framework. Risks identified through the Framework will be managed through a strategic combination of risk acceptance, mitigation, engineering, and operational controls. The Coast Guard stated that it intends to complete these multiple efforts by the end of 2021. In a March 2020 update, the Coast Guard stated that its Office of Civil Engineering was developing the Work Plan, newly named the 2020 Civil Engineering Program Work Plan: Initiatives and Tactics and said it would include goals and objectives for identifying and addressing infrastructure resilience gaps and resource needs in alignment with the Coast Guard's Component Resilience Plan. The Coast Guard expected to publish this Civil Engineering Work Plan by July 31, 2020, after which it said it would begin implementing and measuring the effectiveness of the actions identified in the Work Plan. In June 2020, the Coast Guard reported that it now anticipates finalizing the Civil Engineering Work Plan by September 30, 2020.

Recommendation: ASPR should develop a response personnel strategy to ensure, at a minimum, a lead ASPR liaison officer is consistently at the local emergency operations center(s) during an emergency support functions (ESF) #8 response and another liaison, if not more, is at strategic location(s) in the area. (Recommendation 1)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: As ASPR finalizes its federal patient movement framework, the agency should exercise the framework with its National Disaster Medical System (NDMS) partners to ensure that patients evacuated through NDMS will be consistently tracked from the start of their evacuation. (Recommendation 2)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ASPR should put controls in place to ensure data on all NDMS evacuated patients are complete and accurate. (Recommendation 3)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ASPR Region II should revise its Incident Response Plans for the territories to include strategies for providing chronic and primary care in isolated communities. These strategies could include the incorporation of Federally Qualified Health Centers and other local health clinics as part of a response. (Recommendation 4)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ASPR should work with support agencies to develop and finalize memorandums of agreement that include information on the capabilities and limitations of these agencies to meet ESF#8 core capabilities. (Recommendation 5)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ASPR should develop a strategy demonstrating how it ESF#8 core capabilities can be provided through HHS and ESF#8 support agencies if DOD's capacity to respond is limited. (Recommendation 6)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ASPR should take steps to ensure the perspectives of key external parties are incorporated in the development of HHS's after-action reviews, following future ESF#8 activations. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Assistant Secretary for Preparedness and Response
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen the mass care response to future disasters, the Secretary of Homeland Security should direct FEMA to periodically review the current structure of ESF-6 leadership roles andresponsibilities for coordinating mass care. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. The department considers this issue to be resolved because FEMA established a working group in 2018 that reports on performance metrics and corrective actions and improvement plans. As part of that mission they are establishing a reporting system for emergency support function (ESF) coordinators to provide monthly updates on implementing corrective actions and validating improvements through exercises. We agree that these actions are important parts of effectively overseeing and evaluating ESF activities and results. However, while these efforts may address the responsibilities of ESF agencies, they may overlook the overall leadership roles of ESF agencies. To fully implement this recommendation, DHS and FEMA would need to demonstrate there is a process for reviewing the structure of ESF leadership roles on a regular basis.

Recommendation: To better clarify what mass care services voluntary organizations can provide, especially for severe or overlapping hurricanes, FEMA should strengthen its guidance to state and local governments to emphasize the importance of clearly defining roles and responsibilities related to mass care when state and local governments develop written agreements with partner organizations. This could include creating a guidance document or memo that calls attention to the issue and brings together existing resources, such as the Multi-Agency Feeding Plan Template and training materials, in a comprehensive and accessible manner. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS and FEMA concurred with this recommendation. In their June 2020 update, FEMA said it would address this recommendation through the Individual Assistance Mass Care unit within the Office of Response and Recovery. The Individual Assistance Mass Care unit will conduct a strategic review of existing guidance and protocols related to the development of written agreements. FEMA will coordinate the review with state, local, territorial, and tribal governments (SLTT), regional staff, and other key stakeholders, and will identify common challenges encountered during the coordination process. FEMA will then develop recommendations based on stakeholder feedback and will prepare language accordingly for use in the next update of the Individual Assistance Program and Policy Guidance. FEMA anticipates that it will begin preparing language by March 31, 2021. When this language is complete we will close the recommendation.

Recommendation: To ensure assistance reaches all survivors, FEMA should develop mechanisms for the agency and its partners to leverage local community groups, such as conducting regular outreach to communicate and share aggregate information with these groups.(Recommendation 3)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS and FEMA agreed with this recommendation. In June 2020, FEMA said it plans to conduct a virtual Partnership Day meeting (to occur in increments throughout the month of July) to enable voluntary organizations to exchange information, to network and to support ongoing operations. When FEMA provides evidence that this has taken place, we will close the recommendation.

Recommendation: To ensure more accurate mass care capability assessments, FEMA should require grantees to solicit capabilities information from key mass care service-delivery providers in making capability estimates and identify these providers in their submissions. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS and FEMA did not concur with this recommendation. The agencies said implementing this recommendation would increase the burden on grantees and could put certain communities at a disadvantage because grantees cannot control which partners participate. In addition, DHS and FEMA said that because capabilities assessments are not limited to mass care, such a requirement may have unintended consequences for other partners. FEMA plans to continue working with the mass care community to identify the best solution, including encouraging collaboration at all levels of government. Our recommendation specifies that FEMA should require grantees to solicit information from key mass care partners and to identify these partners in their submission. We recognize that grantees cannot compel partners to participate, but they can, at a minimum, invite such partners to participate in the process. We continue to believe that grantees should be required to make an effort to include mass care providers in developing their mass care capability assessments, as this is vital for developing high quality assessments. FEMA has emphasized the importance of having an active relationship and ongoing communication with key partners before disasters strike. In its Strategic Plan, FEMA states that pre-disaster coordination and communication among partners is critical to improve response and recovery outcomes. Thus, we do not believe it would be an undue burden to reach out to such partners as part of the capability assessment process.

Recommendation: To build the emergency preparedness capabilities of grantees, FEMA should develop systematic, documented protocols to determine the conditions under which it will follow up and provide feedback to grantees about mass care capability assessments. (Recommendation 5)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS and FEMA concur with this recommendation and will take steps to address it, although they didn't specify their plans.

Recommendation: To ensure assistance reaches all survivors, Red Cross should develop mechanisms for it and its partners to leverage local community groups, such as conducting regular outreach to communicate and regularly share aggregate information with these groups. (Recommendation 6)

Agency: American Red Cross
Status: Open

Comments: The Red Cross agreed with this recommendation. The organization noted several ongoing activities to engage such community groups and said it intends to continue expanding outreach, data-sharing, and engagement initiatives.

Recommendation: The Deputy Secretary of Homeland Security should ensure that S&T take steps to more fully incorporate practices for developing milestones within DHS's budget preparation guidance, into the Surface Transportation Explosive Threat Detection program. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In September 2019, GAO reported on a Department of Homeland Security's (DHS) Science and Technology Directorate (S&T) research and development (R&D) program to develop technologies to secure mass transit systems. DHS budget guidance requires S&T to develop results-oriented milestones to track program progress. GAO found that the S&T program's milestones did not clearly link to key activities described in program plans, and thus, were not results oriented. Therefore, we recommended that DHS develop milestones to track its progress developing the technologies that fully adhered to guidance. DHS concurred with our recommendation, and in February 2020, reported that S&T's Finance and Budget Division validated that milestones for the program were compliant with DHS guidance. GAO is currently working with DHS S&T to review documentation related to the validation process in order to close the recommendation..

Recommendation: The Administrator of TSA should develop a mechanism to more routinely and comprehensively share appropriate information on the performance of mass transit security technologies (such as the annual sensor catalog and security technology assessments) with mass transit operators and stakeholders until DHS completes work on a more permanent information sharing resource. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2019, GAO reported on key mechanisms that TSA uses to collaborate and share information on identifying capability gaps and security technologies with stakeholders, including mass transit operators. We found that TSA regularly assesses commercially available technologies, but does not routinely or comprehensively share its results with mass transit operators. Therefore, we recommended that TSA develop a mechanism to routinely and comprehensively share security technology information with mass transit operators. TSA concurred with our recommendation, and in February 2020, reported implementing two of three planned efforts to better share security technology information, including steps to increase distribution of its annual publication on security technologies and to provide regular updates on assessed technologies at routine stakeholder meetings. We will continue to monitor TSA efforts with a third effort in order to close this recommendation.

Recommendation: The Secretary of Energy, in coordination with the Administrator of NNSA, should formally communicate to the relevant congressional committees concerns about, and suggested changes to, the enhanced procurement authority in a timely manner. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: NNSA agreed with the recommendation. NNSA officials said they submitted an assessment that includes information on suggested changes to the authority to the congressional committees in March 2020. We requested a copy of the assessment and will update the status of this recommendation after we receive and review it.

Recommendation: The Commissioner of CBP should review and update policies related to land port of entry inspections in accordance with Office of Field Operations guidance. (Recommendation 1)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: CBP concurred with the recommendation and stated that it intends to implement it by January 2021. We will continue to monitor CBP's ongoing efforts to do so.

Recommendation: The Commissioner of CBP should analyze the results of the Self-Inspection Program over time and at a level necessary to identify and address potentially reoccurring inspection deficiencies at individual ports of entry. (Recommendation 2)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: CBP concurred with the recommendation and stated that it intends to implement it by November 2021. We will continue to monitor CBP's ongoing efforts to do so.

Recommendation: The Commissioner of CBP should implement a policy to conduct periodic comprehensive analyses of covert test findings. (Recommendation 3)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: CBP concurred with the recommendation and, in March 2020, it provided information on its plans to conduct a comprehensive analysis after completing several covert tests. To fully address this recommendation, CBP should implement a policy to conduct periodic comprehensive analyses of covert test findings. We will continue to monitor CBP's ongoing efforts to do so.

Recommendation: The Commissioner of CBP should develop a new target for the land border interception rate for passengers in privately-owned vehicles with major violations that sets an ambitious and realistic goal based on past performance. (Recommendation 4)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: CBP concurred with the recommendation and stated that it intends to implement it by January 2021. We will continue to monitor CBP's ongoing efforts to do so.

Recommendation: The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that its intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for a unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Housing and Urban Developing should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, respond to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)

Agency: Department of the Interior
Status: Open
Priority recommendation

Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that it cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, . the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)

Agency: Department of State
Status: Open

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)

Agency: Department of State
Status: Open
Priority recommendation

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update it policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)

Agency: General Services Administration
Status: Open
Priority recommendation

Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)

Agency: Office of Personnel Management
Status: Open

Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)

Agency: Small Business Administration
Status: Open
Priority recommendation

Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)

Agency: Social Security Administration
Status: Open
Priority recommendation

Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should ensure that the fiscal year 2019 plan includes the statutorily required elements or discloses why any element was not included in the plan. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS agreed with our recommendation and in August 2020, DHS issued the Fiscal Year 2019-2020 Border Security Improvement Plan. The plan includes a description and the status for satisfying of each of the 11 statutorily required elements. GAO has on-going work to review the plan.

Recommendation: The Director of JIATF-West should establish a vital few performance measures that are consistently measured over time. (Recommendation 1)

Agency: Joint Interagency Task Force West
Status: Open

Comments: In November 2019, DOD officials reported that JIATF-W identified measures of performance in critical mission areas that have not previously been captured, including the Counter Narcotics Operations Center, Operational Intelligence, and Mission Support units. However, it is unclear whether the measures JIATF-W identified are higher-level and part of a "vital few" rather than just additional output-based performance measures. GAO will need to review the new measures to understand whether DOD/JIATF-W's actions are aligned with the intent of the recommendation. GAO will continue to follow-up with DOD/JIATF-W on the their progress toward implementing the recommendation.

Recommendation: The Director of JIATF-West should establish specific targets that set a minimal level of performance. (Recommendation 2)

Agency: Joint Interagency Task Force West
Status: Open

Comments: In November 2019, DOD stated JIATF-W updated its Assessment Instruction to codify baseline standards and processes for collecting metrics in its directorates and would send personnel to train to improve their ability to measure performance against DOD minimal standards. However, it is unclear whether JIATF-W has set targets. We will continue to follow up with DOD/JIATF-W on their progress toward implementing the recommendation.

Recommendation: The Secretary of Homeland Security should develop outcome-based performance measures for the DHS JTFs that are consistent. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: DHS stated it concurred with the GAO recommendation. In December 2019, DHS officials stated it is overseeing the implementation of measures that contain outcome-based direction for assessing counter drug operations effects, which requires a phased approach, and added that DHS hopes to achieve two consecutive years of consistent reporting of performance measures. The estimated completion date for addressing this recommendation is June 2020. GAO will continue to follow-up with DHS on its progress towards implementing the recommendation.

Recommendation: The Chief of Border Patrol should develop and implement performance measures to assess its effectiveness at securing the northern border between ports of entry (Recommendation 1).

Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
Status: Open

Comments: Border Patrol concurred with this recommendation and in an April 2020 update and stated that it is developing new northern border security metrics. Border Patrol is in the process of evaluating them and coordinating with subject matter experts to ensure they are valid. We will continue to monitor Border Patrol's ongoing efforts.

Recommendation: The Executive Assistant Commissioner of AMO should develop and implement performance measures to assess its effectiveness at securing the northern border between ports of entry in the air and maritime environments (Recommendation 2).

Agency: Department of Homeland Security: United States Customs and Border Protection: Air and Marine Operations
Status: Open

Comments: AMO concurred with this recommendation and in a July 2020 update, stated that it has developed preliminary performance measures and established a working group to assess their effectiveness. According to AMO, they remain on track to implement the performance measures and report on them beginning in fiscal year 2022. We will continue to monitor AMO's efforts.

Recommendation: The Director of the Secret Service should develop and implement a plan to ensure that special agents assigned to Presidential Protective Division and Vice Presidential Protective Division reach annual training targets given current and planned staffing levels. (Recommendation 1)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In May 2019 we reported that the Secret Service had not met the established training target (25 percent of work time) and lacked a plan for achieving it. We therefore recommended that the Director of the Secret Service develop and implement a plan to ensure that special agents assigned to the Presidential Protective Division and the Vice Presidential Protective Division reach annual training targets given current and planned staffing levels. The agency concurred with our recommendation. Towards addressing this recommendation, in October 2019, the Secret Service reported that the Office of Protective Operations is currently soliciting training requirements from each internal operational division, including the Presidential and Vice Presidential Protective Divisions, to determine the appropriate amount of training and associated training hours for each division. They further reported that once reviewed, the training requirements are to inform the agency's revised Human Capital Strategic Plan. The revised Human Capital Strategic Plan is to include an overview of Office of Protective Operations' training requirements and corresponding staffing needs. The Secret Service anticipates a revised Human Capital Strategic Plan to be available by the end of January 2020. The Secret Service's efforts to reevaluate the training requirements and targets are a positive first step. However, Secret Service's actions are not fully consistent with the recommendation. Specifically, in its updated response, the Secret Service stated that training hours for Presidential Protective Division and Vice Presidential Protective Division special agents training will only increase once the agency nears its ultimate staffing target. This is inconsistent with our recommendation to establish a plan to ensure these special agents reach annual training targets given current staffing levels. In the interim, affected special agents may continue to lack training required to prevent security breaches, such as that of September 19, 2019, when an intruder jumped the north fence and entered the White House. We will continue to monitor the Secret Service's progress in implementing this recommendation.

Recommendation: The Director of the Secret Service should develop and implement a policy that documents the process for collecting complete Uniformed Division officer training data and establishes the types of information that should be collected. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In May 2019 we reported that training data collected on the Secret Service's Uniform Division were incomplete and in certain cases unrelated to protection or lacked descriptions to clearly link the training to required skills. Further, the process used to capture the data was not consistently employed and did not include information on how or whether to capture internal on-the-job training instances, or instruction on the type of training to be captured to demonstrate that the training is protection-related training. We therefore recommended that the Director of the Secret Service develop and implement a policy that documents the process for collecting complete Uniformed Division officer training data and establishes the types of information that should be collected. The Secret Service, through DHS, concurred with our recommendation, stating that it would develop rigorous and uniform standards for collecting and reporting training data related to the Uniformed Division branch, and would work to capture additional training information. In response to our recommendation, in October 2019 the Secret Service reported that the Uniformed Division has worked with the Office of Training and Performance and Learning Management System (PALMS) team to capture Uniformed Division training requirements. The requirements are to include the 20 formalized on-the-job training programs for officers assigned to the Uniformed Division's White House, Foreign Missions, and Naval Observatory Branches, or one of the Special Operations Branch specialized units. In addition, the Secret Service stated that approximately 19 micro-training courses (also known as Roll Call Training) are currently captured within PALMS-the Department of Homeland Security's learning management system -and additional formalized on-the-job training programs are being reviewed for inclusion in PALMS. According to the Secret Service, use of PALMS should help ensure that the process for collecting and recording Uniformed Officer training is standardized and monitored. The Secret Service's efforts to capture additional training information in PALMS is a positive development. However, we have not yet observed progress towards the Secret Service's implementation of a policy that documents the process for collecting complete Uniformed Division officer training data and establishes the types of information that should be collected, as we recommended. We will continue to monitor the Secret Service's progress in implementing this recommendation.

Recommendation: The Assistant Secretary of the Countering Weapons of Mass Destruction Office (CWMD) should ensure that the office regularly collects detailed information from cities on expenditures made using program funds and compares that information to approved purchase plans to ensure that these funds were spent as approved, consistent with program goals, and that the expenditures are in keeping with the objectives of the program. (Recommendation 1)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open

Comments: The Countering Weapons of Mass Destruction Act of 2018 requires that CWMD develop an implementation plan for the Securing the Cities program that, among other things, identifies the goals of the program and provides a strategy for achieving those goals. The act requires CWMD to submit this implementation plan to Congress by December 2019. As of June 2020, DHS/CWMD had not yet completed its implementation plan for the Securing the Cities program. Depending on its content, this plan may contain key provisions that could address this recommendation.

Recommendation: The Assistant Secretary of CWMD should more fully assess cities' performance by collecting information from cities on achieving key performance metrics and program milestones and enforcing reporting requirements on performance during exercises. (Recommendation 2)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open

Comments: The Countering Weapons of Mass Destruction Act of 2018 requires that CWMD develop an implementation plan for the Securing the Cities program that, among other things, identifies the goals of the program and provides a strategy for achieving those goals. The act requires CWMD to submit this implementation plan to Congress by December 2019. As of June 2020, DHS/CWMD had not yet completed its implementation plan for the Securing the Cities program. Depending on its content, this plan may contain key provisions that could address this recommendation.

Recommendation: The Assistant Secretary of CWMD should analyze risks related to sustaining detection capabilities, work with cities to address these risks, and enforce sustainment planning requirements for future cities. (Recommendation 3)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open

Comments: The Countering Weapons of Mass Destruction Act of 2018 requires that CWMD develop an implementation plan for the Securing the Cities program that, among other things, identifies the goals of the program and provides a strategy for achieving those goals. The act requires CWMD to submit this implementation plan to Congress by December 2019. As of June 2020, DHS/CWMD had not yet completed its implementation plan for the Securing the Cities program. Depending on its content, this plan may contain key provisions that could address this recommendation.

Recommendation: The Assistant Secretary of CWMD should clearly communicate to cities how the existing program will operate until a new program is developed and implemented. (Recommendation 4)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open

Comments: The Countering Weapons of Mass Destruction Act of 2018 requires that CWMD develop an implementation plan for the Securing the Cities program that, among other things, identifies the goals of the program and provides a strategy for achieving those goals. The act requires CWMD to submit this implementation plan to Congress by December 2019. As of June 2020, DHS/CWMD had not yet completed its implementation plan for the Securing the Cities program. Depending on its content, this plan may contain key provisions that could address this recommendation.

Recommendation: The Secretary of Homeland Security should develop and implement a process to systematically review the reliability of the data used in its Border Security Metrics Report and comprehensively identify any limitations with the data and methodologies that underlie its metrics. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation and in a May 2020 update stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Secretary of Homeland Security should ensure the communication of the limitations of the metrics identified through the systematic review in the department's annual Border Security Metrics Report. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In its comment letter, DHS concurred with the recommendation and requested that we consider it closed as implemented because the department already detailed some of the limitations in its fiscal year 2017 report, and plans to continue to identify known limitations and the progress made to mitigate previously identified limitations in future reports. As discussed in the report, we agree that DHS identified and disclosed limitations for some metrics in its fiscal year 2017 Border Security Metrics Report; however, we identified at least one additional limitation for 21 of the 35 metrics on which DHS reported that DHS did not disclose or about which it could have been more transparent. To address the intent of this recommendation, once DHS has implemented a process to systematically review the reliability of the data used in its report and comprehensively identified related limitations, it should disclose those limitations in its annual Border Security Metrics Report. In a May 2020 update, DHS stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Under Secretary for the Office of Strategy, Policy, and Plans should include the results of sensitivity analyses to key assumptions in its statistical models of unlawful entry estimates in its annual Border Security Metrics Report. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation and in a May 2020 update stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Under Secretary for the Office of Strategy, Policy, and Plans should include measures of statistical uncertainty for all metrics based on estimates derived from statistical models in its annual Border Security Metrics Report. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation and in a May 2020 update stated that it plans to address this recommendation in its FY2019 Border Security Metrics Report scheduled to be issued in the summer of 2020. We will continue to monitor DHS's ongoing efforts to do so.

Recommendation: The Deputy Secretary of the Department of Homeland Security should develop a mechanism that aligns processes and information sources for collecting R&D project data from DHS components to ensure that the information can be collected, integrated and result in a comprehensive accounting of R&D projects DHS-wide. (Recommendation 2)

Agency: Department of Homeland Security: Office of the Secretary: Office of the Deputy Secretary
Status: Open

Comments: As of September 2020, DHS reported that S&T was revising the related DHS Directive to improve R&D project data collection and that detailed procedures for the data collection would be described in an associated guidance document. DHS further reported that S&T would be coordinating with the Undersecretary for Management, and meeting with DHS components regarding the data collection efforts. We will continue to monitor DHS's efforts to implement this recommendation.

Recommendation: The Deputy Secretary of the Department of Homeland Security should direct Office of the Chief Financial Officer program officials to ensure that S&T take steps to more fully incorporate leading practices, such as those included in DHS's budget preparation guidance, into R&D milestones. (Recommendation 3)

Agency: Department of Homeland Security: Office of the Secretary: Office of the Deputy Secretary
Status: Open

Comments: As of September 2020, S&T reported preparing Budget Justification documents, which will include key milestones for R&D projects, and indicated that the documents will be reviewed by the DHS Office of the Chief Financial Officer. We will continue to monitor DHS's efforts related to this recommendation.

Recommendation: The Deputy Secretary of the Department of Homeland Security should develop standard processes and procedures for collecting and analyzing customer feedback, applicable to components conducting R&D, for improving the usefulness of existing customer feedback mechanisms to assess R&D efforts and for implementing such mechanisms where absent. (Recommendation 4)

Agency: Department of Homeland Security: Office of the Secretary: Office of the Deputy Secretary
Status: Open

Comments: As of September 2020, DHS stated that a new DHS Directive and Instruction is being developed related to R&D customer and program feedback. This recommendation remains open, and we will continue to monitor DHS's efforts to address it.

Recommendation: The Director of ICE should build on existing efforts to use data analytics by employing techniques, such as network analysis, to identify potential fraud indicators in schools petitioning for certification. (Recommendation 2)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should develop an implementation plan for the project aimed at strengthening background checks for DSOs; that plan should outline how the project will be executed, monitored, and controlled. (Recommendation 5)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should implement mandatory DSO training and verify that the training is completed. (Recommendation 6)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should complete the development and implementation of its plans for mandatory fraud-specific training for DSOs. (Recommendation 7)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Policy updates its policy and instruction on providing support to the Secret Service to define the requirements for producing semiannual reports of expenditures required by the Presidential Protection Assistance Act of 1976, as amended. These requirements should, at a minimum, include (1) the steps and time frames for completing updates to the policy and instruction, (2) time frames for reporting the expenditures, and (3) an oversight mechanism to ensure that the Department of Defense consistently submits these reports to specified congressional committees. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with the recommendation. As of July 31, 2019, DOD has not updated its policy or instruction.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Policy defines the steps, including time frames, necessary to achieve near term reporting requirements under the Presidential Protection Assistance Act of 1976, as amended, and submit the reports as required. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with the recommendation. As of July 31, 2019, DOD has not updated its policy.

Recommendation: The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In August 2019, GAO contacted OMB to determine if any progress has been made implementing this recommendation. GAO is awaiting OMB's response.

Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.

Recommendation: The Secretary of Homeland Security should create corresponding processes and procedures to help implement the mission, roles, and responsibilities defined in the delegation of authority or similar document to help ensure predictability, repeatability, and accountability in departmentwide and crosscutting strategy and policy efforts. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security agreed with GAO's recommendation, and finalized a delegation of authority, which is a requisite step in being able to complete this action, in December 2019. As of February 2020, however, the agency had not taken action that addresses GAO's September 2018 recommendation to create processes and procedures corresponding to the mission, roles, and responsibilities defined in the delegation of authority. To close this recommendation, PLCY will need to create such processes and procedures to help ensure predictability, repeatability, and accountability in department-wide and crosscutting strategy and policy efforts. Until DHS creates these processes and procedures, the Office of Strategy, Policy, and Plans' ability to lead and coordinate policy will continue to be limited. Taking this recommended action would enhance the department's efficiency and reduce risks associated with fragmentation in the development of department-wide and crosscutting strategies, policies, and plans

Recommendation: The Under Secretary for Strategy, Policy, and Plans should use the DHS Workforce Planning Guide to help identify and analyze any gaps in PLCY's workforce, design strategies to address any gaps, and communicate this information to DHS leadership. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: On December 3, 2019, PLCY restated its concerns with this recommendation--specifically, that due to changes in administration and secretarial priorities, PLCY has to recalibrate and base budget and staffing projections on what officials expect will be needed, rather than current needs due to changing priorities. PLCY's ability to properly align resources with current needs must remain flexible and the workforce planning guidance that GAO references does not allow for that in whole. GAO maintains that utilizing the workforce planning guidance can be done while still maintaining the desired flexibility.

Recommendation: The Under Secretary for Strategy, Policy, and Plans should enhance the use of collaboration and communication mechanisms to connect with staff in the components with responsibilities for policy and strategy to better identify and address emerging needs. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: On March 5, 2019, PLCY officials told us PLCY has instituted many cross-component efforts to more clearly define its roles and responsibilities. For example, PLCY convenes frequent engagements with components via the Immigration Policy Council, the Strategy and Policy Executive Steering Committee, the Deputies Management Action Group, and the Threat Prevention and Security Policy Council. On December 3, 2019, PLCY officials told us that the pending delegation of authority will help address this recommendation, and the delegation of authority is expected to be completed in calendar year 2020. To close this recommendation, PLCY must provide documentary evidence of collaboration and communication mechanisms to connect staff and better identify emerging needs.

Recommendation: The Commandant of the Coast Guard, in collaboration with the Secretary of the Navy, should direct the polar icebreaker program and NAVSEA 05C to update the HPIB cost estimate in accordance with best practices for cost estimation, including (1) developing risk bounds for all phases of the program lifecycle, and on the basis of these risk bounds, conduct risk and uncertainty analysis, as well as sensitivity analysis, on all phases of the program lifecycle, and (2) reconciling the results with an updated independent cost estimate based on the same technical baseline before the option for construction of the lead ship is awarded. (Recommendation 2)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: In providing comments on this report, the Coast Guard concurred with our recommendation. As of August 2020, Coast Guard officials stated that they are updating the polar icebreaker program's life cycle cost estimate to reflect information provided by the shipbuilder and anticipate completing the update in the fall 2020. We will review the updated life cycle cost estimate at that time and determine if the actions taken meet the intent of this recommendation.

Recommendation: The Commandant of the Coast Guard should direct the polar icebreaker program office to develop a program schedule in accordance with best practices for project schedules, including determining realistic durations of all shipbuilding activities and identifying and including a reasonable amount of margin in the schedule, to set realistic schedule goals for all three ships before the option for construction of the lead ship is awarded. (Recommendation 3)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: In providing comments on this report, the Coast Guard concurred with our recommendation. As of August 2020, Coast Guard officials stated that they updated the polar icebreaker program's schedule for the lead ship and are in the process of developing schedules for the follow-on ships. We will review the updated schedules once the Coast Guard provides them and determine if the actions taken meet the intent of this recommendation.

Recommendation: The DHS Under Secretary for Management should require the Coast Guard to update the HPIB acquisition program baselines prior to authorizing lead ship construction, after completion of the preliminary design review, and after it has gained the requisite knowledge on its technologies, cost, and schedule, as recommended above. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it will require the Coast Guard to update the HPIB program's acquisition program baselines prior to authorizing lead ship construction. As of August 2020, Coast Guard officials anticipate updating the acquisition program baselines by no later than February 2021. We will review the updated HPIB acquisition program baselines at that time and determine if the actions taken meet the intent of this recommendation.

Recommendation: The Assistant Secretary for Countering Weapons of Mass Destruction should develop a strategy and implementation plan to help the Department of Homeland Security, among other things, guide, support, integrate and coordinate its chemical defense programs and activities; leverage resources and capabilities; and provide a roadmap for addressing any identified gaps. (Recommendation 1)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open
Priority recommendation

Comments: DHS agreed with GAO's September 2018 recommendation and is taking actions to address it. Countering Weapons of Mass Destruction Office (CWMD) officials stated in December 2018 that CWMD plans to develop a strategy and implementation plan to help DHS guide, support, integrate and coordinate its chemical defense programs and activities; leverage resources and capabilities; and provide a roadmap for addressing any identified gaps. According to CWMD officials, the implementation plan would broadly address DHS chemical defense activities and programs to prevent, protect against, and respond to chemical incidents, including support to federal, state, tribal, and territorial operators and agencies, as well as the private sector. CWMD officials provided GAO with the completed strategy in December 2019 and plan to complete the implementation plan by December 2020. The strategy includes four overarching goals that will drive CWMD's mission in protecting American safety and security from chemical threats and incidents. We will continue to monitor the status of the implementation plan, as completion of both documents is essential to help the CWMD Office guide DHS's efforts to address fragmentation and coordination issues and would be consistent with the office's aim to establish a coherent mission.

Recommendation: The Secretary of DHS should ensure that the Commissioner of Customs and Border Protection through the Executive Assistant Commissioner for Operations Support updates the 2013 workforce assessment to account for the independent requirements organization's current workforce needs. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. Customs and Border Protection provided an estimated completion date for their workforce assessment of September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency establishes a policy for requirements development. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. The Federal Emergency Management Agency plans to establish a policy for requirements development by September 30, 2020, about one year after it completes changes to its governance processes.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes a policy for requirements development. (Recommendation 8)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes the planned independent requirements development organization within Immigration and Customs Enforcement. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes component specific training for requirements development. (Recommendation 11)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation but has not yet taken action to implement it as of August 2020.

Recommendation: The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate finalizes and promulgates the National Protection and Programs Directorate's draft policy for requirements development. (Recommendation 12)

Agency: Department of Homeland Security
Status: Open

Comments: The National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency in January 2018. DHS concurred with this recommendation. The Cybersecurity and Infrastructure Security Agency estimates that it will have a final policy by September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate establishes the planned independent requirements development organization within the National Protection and Programs Directorate. (Recommendation 13)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. In January 2018, the National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency. The Cybersecurity and Infrastructure Security Agency estimates that it will establish an independent requirements organization by September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. In January 2018, the National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency. The Cybersecurity and Infrastructure Security Agency estimates it will complete an assessment to account for an independent requirements organization's workforce needs by September 30, 2020.

Recommendation: The Secretary of DHS should ensure that the Director of the U.S. Citizenship and Immigration Services establishes the planned independent requirements development organization within U.S. Citizenship and Immigration Services. (Recommendation 21)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation. The U.S. Citizenship and Immigration Services estimates that it will establish an independent requirements development organization by September 30, 2020.

Recommendation: The Director of DHS's National Protection and Programs Directorate's Infrastructure Security Compliance Division (ISCD) should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and has taken steps to implement and monitor two new performance metrics intended to better demonstrate the CFATS program's effectiveness in enhancing national security and reducing national risk. Specifically, according to DHS, these new performance metrics allow for the (1) evaluation of the progress individual facilities have made in enhancing their security while part of the CFATS program, and (2) comparison of the security measures employed by CFATS-covered chemical facilities upon first entering the program against the improved and enhanced security measures contained in their approved CFATS security plans. DHS began reporting the two measures, "Average score of approved Site Security Plans" and "Average score of initial Site Security Plans", for the first quarter of fiscal year 2019. DHS stated that these measures will be used to demonstrate the percent increase in security score of facilities' security plans, resulting in a representation of the increase in the security posture across the facility population, which will be used internally to assess progress. GAO continues to monitor the results of these two new performance metrics.

Recommendation: The Commissioner of CBP should revise policy or guidance to ensure documentation of required control activities in its case management system, such as legal review of adverse actions, and data verification (Recommendation 1).

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In February 2020, CBP provided documentation of a data verification checklist used by its Office of Professional Responsibility for the Joint Integrity Case Management System. However, CBP also needs to develop a similar tool or method to verify case management data contained in its Human Resource Business Engine system. And to fully implement this recommendation, CBP needs to revise policy or guidance to ensure documentation of control activities (data verification and legal review of adverse actions) in its case management systems. We are continuing to follow-up on the actions taken by CBP to implement this recommendation.

Recommendation: The Commissioner of CBP should monitor the duration of all cases beginning-to-end by stage and by case type (Recommendation 4).

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In October 2018, CBP told us that it is currently updating one of its case management systems to better monitor cases beginning-to-end by stage and by case type. Once implemented, CBP's Office of Professional Responsibility will develop an internal management report that includes information on caseload and associated timelines. The estimated completion date for this recommendation is September 30, 2019. As of September 2020, we are continuing to follow up with CBP on its actions to implement this recommendation.

Recommendation: The Commissioner of CBP should monitor the timeliness of misconduct cases according to established targets for management inquiries, administrative inquiries, and criminal and non-criminal investigations using case management system data (Recommendation 5).

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In October 2018, CBP stated that it is currently updating one of its case management systems to better monitor the timeliness of misconduct cases according to established targets. Once updated, CBP's Office of Professional Responsibility will develop an internal management report that includes information on caseload and associated timelines. The estimated completion date for this recommendation is September 30, 2019. As of September 2020, we are continuing to follow up with CBP on its actions to implement this recommendation.

Recommendation: The Commissioner of CBP should define and document the case management system data fields to be used for monitoring all established performance targets and provide related guidance to staff (Recommendation 6).

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In October 2018, CBP stated that its Office of Professional Responsibility will define the case management system data fields used to measure established performance targets, and it will provide the appropriate guidance to staff. The estimated completion date of this recommendation is September 30, 2019. As of September 2020, we are continuing to follow up with CBP on its actions to implement this recommendation.

Recommendation: The Director of ICE should require staff to document the investigative findings (case resolution codes) of management inquiries in the case management system (Recommendation 8).

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In November 2018, ICE provided documentation of related communication provided to staff. However, this documentation did not include revised policy or guidance documents that requires staff to document the investigative findings in the employee misconduct case management system. As of September 2020, we are continuing to follow-up on ICE's actions to implement this recommendation.

Recommendation: The Director of ICE should modify ICE's annual self-inspection program to track the status of related corrective actions to ensure they are implemented in a timely manner (Recommendation 9).

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In October 2018, ICE stated that it is revising its policy for its self-Inspection program to track the status of related corrective actions. ICE also stated that it will review three program offices for compliance with these revised policies and procedures during fiscal year 2019. The estimated completion date of this recommendation is June 28, 2019. As of September 2020, we are continuing to follow-up on ICE's actions to implement this recommendation.

Recommendation: The Director of ICE should monitor the duration of all cases beginning-to-end by stage and by case type (Recommendation 10).

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In October 2018, ICE stated that beginning in fiscal year 2019, a project team will develop the capability to monitor the duration of all employee misconduct cases beginning-to-end by stage and by case type. The estimated completion date of this recommendation is June 28, 2019. As of September 2020, we are continuing to follow-up on ICE's actions to implement this recommendation.

Recommendation: The Director of ICE should monitor the timeliness of misconduct cases according to established targets for management inquiries and Employee Relations specialist review of proposal and decision of disciplinary outcomes using case management system data (Recommendation 11).

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In October 2018, ICE stated that its Office of Professional Responsibility developed guidance regarding established targets for the completion of management inquiries and will distribute the guidance to applicable staff. ICE also stated that it is developing timeliness targets for Employee Relations specialist review of proposals and decisions of disciplinary outcomes and will also distribute this guidance to applicable staff. The estimated completion date for this recommendation is June 28, 2019. As of September 2020, we are continuing to follow-up on ICE's actions to implement this recommendation.

Recommendation: The Director of ICE should define and document the case management system data fields and methodology to be used for monitoring all established performance targets and provide related guidance to staff (Recommendation 12).

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In October 2018, ICE stated that it will work to define and document the case management system data fields and methodology to be used for monitoring all established performance targets and will provide related guidance to applicable staff. The estimated completion date for this recommendation is June 28, 2019. As of September 2020, we are continuing to follow-up on ICE's actions to implement this recommendation.

Recommendation: The Administrator of TSA should monitor the duration of all cases beginning-to-end by stage and case type (Recommendation 16).

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2020, TSA provided documentation of internal reports that measure duration. However, the reports do not provide management information on the duration of all case types from beginning-to-end and, by stage. TSA needs to provide evidence that it monitors the duration of all cases, including a description of which process stages are measured and which data fields are used to measure the total duration from beginning-to-end and by stage. We are continuing to follow up on the actions taken by TSA to implement this recommendation.

Recommendation: The Administrator of TSA should monitor the timeliness of misconduct cases according to established targets for management inquiries (fact finding) and administrative inquiries, and the proposal and decision stages, using case information system data (Recommendation 17).

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2020, TSA provided evidence of reports it uses to measure duration. However, these reports do not show how TSA performs with regards to established targets. TSA needs to provide evidence of how it monitors the timeliness of all established targets , including which specific data fields are used to measure these targets. We are continuing to follow up on the actions taken by TSA to implement this recommendation.

Recommendation: The Administrator of TSA should define and document the case management system data fields and methodology to be used for monitoring all established performance targets and provide related guidance to staff (Recommendation 18).

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In May 2019, TSA provided guidance to its staff related to monitoring performance targets. However, these documents do not specify which system data should be used as part of the methodology for monitoring all established performance targets. TSA needs to provide documentation of guidance to staff that defines and documents all the specific case management system data field names (in the various databases, as applicable) and methodology staff should use to monitor all established timeliness targets. We are continuing to follow up on the actions taken by TSA to implement this recommendation.

Recommendation: The Commissioner of CBP should analyze the costs associated with future barrier segments and include cost as a factor in the Impedance and Denial Prioritization Strategy. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In July 2018, we reported on U.S. Customs and Border Protection's (CBP) efforts to construct new physical barriers along the southwest border. We found that the Impedance and Denial Prioritization Strategy--CBP's decision support tool for prioritizing locations for barrier construction projects--did not include analysis of the costs of deploying barriers in each location, which can vary depending on topography, land ownership, and other factors. We recommended that CBP analyze the costs associated with future barrier segments and include cost as a factor in the Impedance and Denial Prioritization Strategy. CBP agreed with this recommendation. CBP officials stated that, after prioritizing locations, CBP conducts detailed cost estimates as part of the acquisitions process. As of January 2020, CBP officials stated that this cost information may affect how the construction projects are executed, but that it would not influence how CBP prioritizes barrier construction projects across various locations. As we have previously reported, organizations should use an integrated approach to the requirements, acquisitions, and budget processes to prioritize needs and allocate resources, so they can optimize return on investment, and maintain program affordability. To fully address our recommendation, Border Patrol needs to incorporate its analysis of the costs of barrier projects into its process for prioritizing locations for construction of barriers.

Recommendation: The Under Secretary for Management should require the Office of Program Accountability and Risk Management to assess the results of major acquisition programs' post-implementation reviews and identify opportunities to improve performance across the acquisition portfolio. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to update its policy to require more formal reporting requirements and execution criteria for post-implementation reviews. PARM also plans to initiate a study focused on assessing lessons learned and developing a tool to share them across components to improve performance of the acquisition portfolio. In February 2020, PARM approved guidance intended to standardize analysis elements for post-implementation reviews. As of July 2020, PARM was still in the process of developing a tool to share results across components, but in the interim, results from some post-implementation reviews have been shared during meetings with Component Acquisition Executives. GAO will review post-implementation reviews conducted under the new guidance and will monitor DHS's implementation of the tool to ensure the department's actions meet the intent of this recommendation.

Recommendation: The Administrator of FEMA should work with regional emergency communications coordination working group members to reach consensus on and implement an ongoing mechanism to encourage nationwide collaboration across these groups, considering the costs of one or more suitable methods, such as a national-level working group that uses virtual or other means of coordination, as appropriate. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with our recommendation. DHS created a national RECCWG website as part of the Homeland Security Information Network in fall 2019, and began a phased roll-out of 10 regional sub-pages available to all RECCWG members can post content and share information on exercises and training. In August 2020 FEMA officials confirmed the national site and all 10 regional sites were operational. They said that briefings on how to use the website for the regions are ongoing. We will continue to follow up on DHS's actions to implement the recommendation.

Recommendation: The Secretary of Homeland Security should work with Congress to include O&S data in monthly execution reports at a major acquisition program level within current program/project activity accounts. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS agreed with this recommendation and has indicated the OCFO budget division will develop a display that provides major acquisition program level data at the program project activity level by March 30, 2019. As of March 2020, DHS has developed these displays and is working to populate them with all components' data.

Recommendation: The Secretary of the Treasury, as the chair of CFIUS, and working with member agencies, should coordinate member agencies' efforts to better understand the staffing levels needed to address the current and projected CFIUS workload associated with core committee functions. (Recommendation 1)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: In commenting on the report in February 2018, Treasury concurred with the recommendation. In December 2018, Treasury noted that the Foreign Investment Risk Review Modernization Act of 2018 requires each CFIUS member agency to submit detailed spending plans annually for seven years to appropriate congressional committees, including estimated expenditures and staffing levels, and requires annual testimony for seven years from the CFIUS staff chairperson regarding anticipated resource needs. As of November 2019, GAO continues to monitor this recommendation.

Recommendation: The Secretary of Homeland Security, in collaboration with other agencies, through the planned interagency working group or another mechanism, should identify further opportunities to more effectively publicize resources to reach additional colleges. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In early 2020, the federal government created the schoolsafety.gov clearinghouse website to compile and publicize emergency preparedness resources from across multiple agencies including the Departments of Education, Homeland Security, and Justice. The website houses key emergency preparedness resources we identified during our work as well as newer information that was not part of our review, such as guidance related to the Coronavirus Pandemic. DHS issued a press release when the website was launched, but does not prominently publicize it on it website, including on its webpages that are specifically focused on colleges and universities. We will monitor the agency's efforts to publicize these resources and consider closing it at that time.

Recommendation: The Attorney General, in collaboration with other agencies through the planned interagency working group or another mechanism, should identify further opportunities to more effectively publicize resources to reach additional colleges. (Recommendation 3)

Agency: Department of Justice
Status: Open

Comments: In early 2020, the federal government created the schoolsafety.gov clearinghouse website to compile and publicize emergency preparedness resources from across multiple agencies including the Departments of Education, Homeland Security, and Justice. The website houses key emergency preparedness resources we identified during our work as well as newer information that was not part of our review, such as guidance related to the Coronavirus Pandemic. DOJ issued a press release when the website was launched, but does not prominently publicize it on it website, including on its webpages that are specifically focused on colleges and universities. We will monitor the agency's efforts to publicize these resources and consider closing it at that time.

Recommendation: The Secretaries of Defense and of Transportation should address ADS-B Out security concerns by approving one or more solutions that address ADS-B Out -related security risks or incorporating mitigations for security risks into the existing draft memorandum of agreement. These approved solutions should address operations, physical, cyber-attack, and electronic warfare security risks; and risks associated with divesting secondary-surveillance radars. The solution or mitigations should be approved as soon as possible in order to allow sufficient time for implementation.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. As of August 2018, DOD and the FAA signed a memorandum of agreement that that establishes a framework for DOD and FAA to jointly address the provision to allow certain aircraft not to broadcast and airspace monitoring and defense security issues related to ADS-B, and identifies a path to fully address the recommendations in our report. The memorandum of agreement was a first step to address the security issues we highlighted in the report; however, FAA still needs to publish a National Procedural Guidance for accommodation of DOD needs for mixed-equipment operations and operational security concerns (expected December 2018).

Recommendation: The Secretaries of Defense and of Transportation should address ADS-B Out security concerns by approving one or more solutions that address ADS-B Out -related security risks or incorporating mitigations for security risks into the existing draft memorandum of agreement. These approved solutions should address operations, physical, cyber-attack, and electronic warfare security risks; and risks associated with divesting secondary-surveillance radars. The solution or mitigations should be approved as soon as possible in order to allow sufficient time for implementation.

Agency: Department of Transportation
Status: Open

Comments: DOT concurred with this recommendation. As of August 2018, DOD and the FAA signed a memorandum of agreement that that establishes a framework for DOD and FAA to jointly address the provision to allow certain aircraft not to broadcast and airspace monitoring and defense security issues related to ADS-B, and identifies a path to fully address the recommendations in our report.

Recommendation: The Secretary of Defense should direct DOD components to implement key tasks that would facilitate consistent, long-term planning and implementation of NextGen--such as those tasks that the Deputy Secretary of Defense originally directed in 2007, or any tasks that the Secretary deems appropriate based on a current assessment of the original tasks.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. As of August 2018, DOD has not taken action regarding the eight tasks GAO identified in the 2007 Deputy Secretary of Defense memorandum on ADS-B implementation.

Recommendation: The Commandant of the Coast Guard should either develop new performance goals to address mission activity gaps, or explain in the Coast Guard's Annual Performance Report (APR) why certain aspects of mission performance are measured while others are not. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: In October 2017, the Coast Guard concurred with our recommendation and stated that it would add new measures in future Annual Performance Reports (APRs) and explain what is measured and what is not, as appropriate. In May 2020, the Coast Guard provided GAO with its updated fiscal year 2019 APR. After reviewing the fiscal year 2019 APR, we found that the Coast Guard made revisions to the goals for the Ports, Waterways, and Coastal Security (PWCS) and Marine Environmental Protection-prevention activities (MEP) missions and added a goal for the Search and Rescue mission. However, the APR did not include additional goals or an explanation why certain aspects of mission performance are measured while others are not for the other performance goals we previously identified as not fully addressing all related mission activities. In its July 2020 update to this recommendation, the Coast Guard reported that the metrics published in the APR are measures of Coast Guard performance and not performance goals. The Coast Guard also noted that it continually evaluates the utility of its performance measures, and makes changes to individual measures, as well as its suite of measures, when doing so provides meaningful improvement. In its July 2020 update, the Coast Guard added that targets established for performance measures are intended to be realistic expectations of future performance and targets are continually evaluated and changed when current performance modify expectations. However, we continue to believe that in the absence of documentation explaining how existing performance goals address each mission, the extent to which the Coast Guard's performance goals encompass all of its mission activities is unclear. Either developing new goals to address mission activity gaps, or describing in the APR how existing goals sufficiently assess the performance of each mission could provide more meaningful information on progress in achieving Coast Guard's missions to executive branch decision makers, Congress, and the public. In order to fully implement the recommendation as intended, in instances in which performance goals do not fully address all of the respective mission activities, the Coast Guard's APR should include an explanation of the Coast Guard's rationale for why certain aspects of mission performance are measured while others are not. We will continue to follow-up on the Coast Guard's efforts to address this recommendation.

Recommendation: The Commandant of the Coast Guard should establish and follow a sound air station optimization process similar to its process for analyzing boat stations to allow it to comprehensively analyze its need for air stations and air facilities and determine what changes may be needed. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: In 2017, GAO reported that a 2014 Coast Guard contracted analysis of selected air stations and air facilities identified overlap and unnecessary duplication but it did not comprehensively review all air stations and air facilities. The analysis determined that certain air facilities (Newport, Oregon, and Charleston, South Carolina) provided overlapping search and rescue coverage, some of which was unnecessarily duplicative. Coast Guard officials used the results of this analysis to support proposed closures of the air facilities in the President's Fiscal Year 2014 Budget. However, shortly before their planned closure date, the Coast Guard encountered strong opposition to the closures at the local, state, and Congressional levels, and did not close them. The Coast Guard agreed with GAO's recommendation that it establish and follow a sound air station optimization process and comprehensive analysis to determine what changes may be needed. In its December 2017 60-Day letter response, DHS said the Coast Guard will utilize the FY 2020 Planning, Programming, Budget, and Execution cycle to identify efficiencies in air station optimization and that the cycle is proceeding as planned. However, the response did not say whether the Coast Guard will act on findings and permanently close stations identified as overlapping, unnecessarily duplicative, and unnecessary, if any are identified. As of March 2020, the agency has identified the need for further analysis and estimates completion of these analyses in March 2021.

Recommendation: The Commandant of the Coast Guard should establish a plan with target dates and milestones for closing boat stations that it has determined, through its 9-step process and subsequent analysis, provide overlapping search and rescue coverage and are unnecessarily duplicative. (Recommendation 2)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Priority recommendation

Comments: In 2017, GAO reported that the Coast Guard has a sound process for analyzing its boat stations that includes clear and specific steps for analyzing the need for stations using terms that can be readily defined and measured. A 2013 analysis of Coast Guard stations identified unnecessary duplication and recommended certain stations that could be permanently closed without negatively affecting the Coast Guard's ability to meet its 2-hour search and rescue response standard and other mission requirements; however, as of August 2017 the Coast Guard had not closed any stations, nor developed a plan with time frames for closing stations even though leaders said the results of the analysis remain valid. Closing unneeded stations has historically been difficult due to public concern about the effect of closures on local communities and other factors. In some cases over the years, Congress has intervened and enacted federal laws that have affected Coast Guard's proposed closures. Nevertheless, the Coast Guard agreed with GAO's recommendation that it establish a plan with target dates and milestones for closing stations. In its December 2017 60-Day letter response, DHS said the Coast Guard Office of Boat Forces continues to evaluate the optimal number, location, and configuration of stations to better meet mission requirements, and is finalizing analysis of operational needs in Coast Guard Districts One (D1) and Five (D5). As of December 2019, the agency had completed additional analyses and reported that it was considering changes in operations for several stations. The Coast Guard estimated that it will continue to consider changes until spring 2020. However, the Coast Guard did not establish target dates or milestones for closing stations. By developing a plan with target dates and milestones for closing stations that are unnecessarily duplicative, the Coast Guard would be better positioned to improve operations and achieve cost savings over time.

Recommendation: The Commandant of the Coast Guard should take action to close the stations identified according to its plan and target dates. (Recommendation 3)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Priority recommendation

Comments: In 2017, GAO reported that the Coast Guard has not taken action to implement the results of its analyses which recommended station closures even though it has completed requirements to pursue some station closures. For example, a 2013 analysis of Coast Guard stations identified unnecessary duplication and recommended certain stations that could be permanently closed without negatively affecting the Coast Guard's ability to meet its 2-hour search and rescue response standard and other mission requirements. However, as of August 2017 the Coast Guard had not closed any stations, nor developed a plan with time frames for closing stations even though Coast Guard leaders said the results of the analysis remain valid. GAO reported that the Coast Guard had not closed stations because past efforts to close stations (eight attempts since 1973) were met with resistance from affected communities and instances where the Congress intervened. Nevertheless, the Coast Guard agreed with GAO's recommendation that it establish a plan with target dates and milestones for closing stations. In its December 2017 60-Day letter response, DHS said that once analyses of the need for and locations of boat stations are completed for Coast Guard Districts One and Five, the Coast Guard will commence Congressional engagement and public outreach regarding any operational changes to D1 and D5 stations, if any, including processing feedback from stakeholders before making final decisions on recommended changes. As of December 2019, the Coast Guard reported that it was considering changes in operational status for several stations. The Coast Guard estimated that it will continue to consider changes until spring 2020, which, if implemented, will be more than 7 years after it proposed station closures. By closing unnecessarily duplicative stations, the Coast Guard could be better positioned to improve its operations and achieve cost savings over time.

Recommendation: The Commissioner of CBP should clearly document the process and criteria for making decisions on funding non-owned operational requirements and communicate this process to Border Patrol sectors. (Recommendation 2)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In September 2017, CBP concurred with our recommendation and stated that it will use the Capability Gap Analysis Process to validate its access and mobility requirements on a national level. The national priorities will be determined through requirements planning at Border Patrol stations. CBP noted that it will outline the process and criteria for making decisions on funding for non-owned operational requirements and communicate this process to Border Patrol sectors. In November 2018, CBP reported that Border Patrol developed a prioritization process related to the order of wall deployments, which will be tailored to use in determining the priority order for road investments. According to CBP, priority order is to be determined based on the analysis of quantitative and qualitative data and the operational expertise of Border Patrol station, sector and national level leadership. The process was developed by USBP's Operational Requirements Management Division, communicated to southern border sectors, and executed to establish the priority deployment order of fiscal year 2018 new road requirements. Once the prioritization process has been refined, it will be expanded to also include the maintenance and repair on existing roads. In October 2019, CBP reported that it continues to work on enhancing the existing prioritization strategy, which includes exploring implementation of a new prioritization modeling tool and methodology. Discussions on how and if the model will be effective as a prioritization tool have been delayed due to several other internal priorities and external disruptions. Therefore, and based on leadership guidance, the prioritization strategy and methodology will be delayed. CBP officials reported in June 2020 that Border Patrol's Strategic Planning and Analysis Directorate Operational Requirements Management Division personnel will conduct data calls over the upcoming weeks with Tactical Infrastructure subject matter experts from the sectors and stations to validate existing road requirements and initiate the data collection for the prioritization process. Once the process is formalized, we will determine whether CBP's efforts fully address the intent of this recommendation.

Recommendation: To strengthen CBP's trade enforcement efforts, the Commissioner of CBP should direct the Office of Trade to include performance targets, when applicable, in addition to performance measures in its Priority Trade Issue strategic and annual plans.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: As of August 2019, the seven FY 2019 Priority Trade Issue (PTI) annual plans prepared by CBP's Office of Trade all included performance measures with performance targets, but some plans did not include baselines to measure it's trade enforcement efforts against. The Office of Trade reported that it was in the process of finalizing its FY2020 annual plans, which should be available in December 2019. In addition, the Office of Trade reported that it no longer develops a single strategic plan covering all of its PTIs and only prepares the PTI annual plans.

Recommendation: To strengthen CBP's trade enforcement efforts, the Commissioner of CBP should direct the Office of Trade and the Office of Field Operations to develop a long-term hiring plan that articulates how CBP will reach its staffing targets for trade positions set in the Homeland Security Act and the agency's resource optimization model.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: As of June 2019, CBP stated that both the Office of Trade (OT) and Office of Field Operations (OFO) continue to take steps to address hiring gaps which include evaluating approaches to hiring and evaluating and selecting candidates for its various trade positions. For example, OT had developed a recruitment strategy for hiring regulatory auditors. OT reported that it has brought regulatory auditors onboard as a result of its strategy but experienced attrition and challenges in attaining its staffing target for this position. OT and OFO did not provide recruitment strategies for the other trade positions. OFO's Human Capital Division, along with assistance from OT and other CBP components, reported finalizing a long-term hiring plan to meet and maintain the congressional floor for certain trade and revenue positions, including those for import specialists, by the end of fiscal year 2020.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to assess and document how the alternative technological solutions being considered will fully meet operational needs related to ultralight aircraft.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection (CBP) Air and Marine Operations (AMO) air domain awareness efforts. In March 2018, CBP completed an Air Domain Awareness Capability Analysis Report that identifies current capability gaps, including those related to ultralight aircraft. CBP stated that it plans to build upon the Capability Analysis Report to identify mission needs, a concept of operations, and operational requirements to address ultralight aircraft and other threats in the air domain. In February 2020, AMO reported that, in 2019, it conducted a technical assessment of one technology and plans to assess other systems in 2020 and 2021 to help determine if they fit into AMO's larger strategic vision for persistent wide area surveillance to address ultralight aircraft and other threats in the air domain. To fully address our recommendation, CBP should assess and document how alternative solutions will meet operational requirements related to ultralight aircraft.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP and the Director of ICE to jointly establish and monitor performance measures and targets related to cross-border tunnels.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate. As of March 2020, CBP and ICE have not reported taking any actions to develop performance measures and targets. To fully address our recommendation, CBP and ICE should establish and monitor performance measures and targets related to cross-border tunnels.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to establish and monitor performance targets related to ultralight aircraft.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred and stated that within U.S. Customs and Border Protection (CBP), Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. However, in December 2019, CBP reported that it will no longer pursue establishing a performance measure because it found that the ultralight aircraft interdiction rate fluctuated year to year, and that the number of ultralight aircraft incidents had been trending downward. Subsequently, in September 2020, CBP officials stated that they had reinitiated efforts to develop a performance measure and target in response to our continued belief that they can be set and would help CBP monitor performance to ensure that technology investments and operational responses to address ultralight aircraft are effective. To fully address our recommendation, CBP should establish a measure and monitor performance related to ultralight aircraft.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the U.S. Customs and Border Protection (CBP)-U.S. Immigration and Customs Enforcement (ICE) tunnel committee to convene and establish standard operating procedures for addressing cross-border tunnels, including procedures for sharing information.

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. In May 2018, CBP stated that it is looking for opportunities to standardize procedures for the detection, interdiction, mapping, and remediation of cross-border tunnels. To this end, CBP has plans to develop a standardized training on tunnel identification and tactics, techniques, and procedures for different types of tunnels. In addition, CBP is working to develop a consistent process that will facilitate coordination and collaboration with ICE. In March 2019, CBP reported that CBP and ICE have begun to routinely meet to collectively develop processes for using tunnel robotics, including processes to enhance communication between CBP and ICE. In September 2020, CBP and ICE reported that they do not plan to take any additional steps to address this recommendation. To fully address our recommendation, CBP and ICE should establish standardized procedures for addressing tunnels, including procedures for sharing information with one another.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commandant of the Coast Guard, Commissioner of CBP, and the Director of ICE to establish and monitor Regional Coordinating Mechanisms performance measures and targets related to panga boat and recreational vessel smuggling.

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation. DHS stated that that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. In February 2020, DHS reported that the department had not taken any further actions to implement this recommendation. We continue to believe that the recommendation is valid and will monitor any actions DHS takes that are responsive to it. For example, in response to a requirement in the National Defense Authorization Act for Fiscal Year 2017, DHS issued reports in May 2018, February 2019, and August 2020 that contain metrics and planned metrics to measure the effectiveness of border security in the maritime environment and other domains. Planned metrics that DHS does not yet have a methodology to measure across all components include situational awareness in the maritime environment, illicit drugs removal rate, and DHS maritime threat response rate. To fully address our recommendation, DHS should measure its performance related to smuggling across U.S. maritime borders.

Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to develop a cohesive strategy that includes measurable outcomes for CVE activities.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2019, DHS provided the National Counterterrorism Strategy as evidence that the department is including terrorism prevention as a necessary tool to meet its missions. While the strategy discusses terrorism prevention, it does not include specific activities or efforts, identify the agencies that will lead these efforts, or describe measurable outcomes for these efforts. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DHS's progress in this area as it develops its plan.

Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to develop a cohesive strategy that includes measurable outcomes for CVE activities.

Agency: Department of Justice
Status: Open

Comments: As of August 2019, DOJ has not provided a response to our recommendation. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DOJ's involvement in these efforts as DHS it develops its plan.

Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to establish and implement a process to assess overall progress in CVE, including its effectiveness.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2019, DHS provided a commissioned review of CVE programs and activities that was expected to help identify ways to measure their effectiveness. The report provides a broad assessment of past activities and suggestions for measures and metrics going forward, but does not establish a process for agencies to measure the success of their activities or overall progress of CVE efforts. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DHS's progress in this area as it develops its plan.

Recommendation: To help identify what domestic CVE efforts are to achieve and the extent to which investments in CVE result in measureable success, the Secretary of Homeland Security and the Attorney General--as heads of the two lead agencies responsible for coordinating CVE efforts--should direct the CVE Task Force to establish and implement a process to assess overall progress in CVE, including its effectiveness.

Agency: Department of Justice
Status: Open

Comments: As of August 2019, DOJ has not provided a response to our recommendation. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DOJ's involvement in these efforts as DHS develops its plan.

Recommendation: To ensure Border Patrol has the best available information to inform future investments in TI and resource allocation decisions among TI and other assets Border Patrol deploys in the furtherance of border security operations, and to ensure that key parties within Border Patrol's Requirements Management Process are aware of their roles and responsibilities within the process, the Chief of the Border Patrol should develop metrics to assess the contributions of pedestrian and vehicle fencing to border security along the southwest border using the data Border Patrol already collects and apply this information, as appropriate, when making investment and resource allocation decisions.

Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
Status: Open
Priority recommendation

Comments: DHS agreed with the recommendation and stated that it planned to develop metrics for southwest border security operations. To fully implement it, the Border Patrol should complete its efforts to develop metrics for assessing the contributions of pedestrian and vehicle fencing to border security operations and apply these metrics when making resource allocation decisions. As of October 2019, DHS stated that they have developed and are testing the initial metrics. DHS stated that they will continue to gather data over the next two fiscal years (FY20-FY21) which will help to identify if these metrics are accurately representing realities in the field. The estimated completion date is September 2021.

Recommendation: To better inform on the effectiveness of CDS implementation and border security efforts, the Chief of Border Patrol should strengthen the methodology for calculating recidivism such as by using an alien's apprehension history beyond one fiscal year and excluding aliens for whom there is no record of removal and who may remain in the United States.

Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner: U.S. Border Patrol
Status: Open

Comments: DHS did not concur with this recommendation. DHS noted that the U.S. Customs and Border Protection (CBP) Consequence Delivery System Program Management Office (CDS PMO) uses annual recidivism rate calculations to measure annual change, which is not intended to be, or used, as a performance measure for CDS. We continue to believe that DHS should strengthen its methodology for calculating recidivism. DHS noted in its comments on our report that the recidivism rate is used as a performance measure by U.S. Border Patrol and DHS. Additionally, strengthening the recidivism rate methodology would not preclude its use for CDS as a measure of annual change, and would provide Border Patrol a more complete assessment of the rate of change in recidivism. In January 2018, CDS-PMO officials stated that the office started reporting nationwide the recidivism rates for multiple years to U.S. Border Patrol sectors for situational awareness. However, the methodology for this reported recidivism rate does not exclude aliens for who there is no record of removal. In May 2020, CDS-PMO reported that it has not taken any further steps to implement this recommendation. To fully implement this recommendation, DHS needs to further strengthen its recidivism rate methodology by excluding aliens for whom there is no record of removal. Further, DHS needs to demonstrate that it is using this updated methodology on a recurring basis and for CDS performance measurement purposes.

Recommendation: The Secretary of Homeland Security should direct the Assistant Secretary of Immigration and Customs Enforcement and Commissioner of Customs and Border Protection to collaborate on sharing immigration enforcement and removal data to help Border Patrol account for the removal status of apprehended aliens in its recidivism rate measure.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with the recommendation. In May 2017, U.S Immigration and Customs Enforcement's (ICE) Enforcement and Removal Operations directorate provided immigration enforcement and removal data on a one-time basis to U.S. Customs and Border Protection's U.S. Border Patrol. In March 2018, U.S. Border Patrol officials requested that ICE provide these data on a quarterly basis. As of July 2020, ICE stated that it had shared the data with U.S. Border Patrol on multiple occasions. To fully implement this recommendation, ICE and U.S. Border Patrol need to document and implement their plans to share the data on a recurring basis.

Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, in addition to considering risk when determining how to divide FAMS's international flight coverage resources among international destinations, the Director of FAMS should incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover.

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2018, FAMS revised its deployment methodology to no longer set an annual target number of average daily international and domestic flights to cover. Rather, FAMS now prioritizes deploying air marshals on as many flights as possible with passengers who have been identified as potentially higher risk because they match TSA's intelligence-based screening rules, among other risk-based priorities. In August 2020, FAMS officials explained that they were evaluating their concept of operations and planned to more fully develop a risk basis for dividing its resources between international and domestic flights. By doing so, FAMS could better ensure it is targeting its limited resources to the highest risk flights and better aligning with FAMS's stated goal of using risk-based decisions to guide mission operations. As a result, this recommendation remains open.

Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to clarify with regional offices and Federal Disaster Recovery Coordinators (FDRCs) the role of the regional implementation plans in FDRC performance plans and how they will be used to assess NDRF regional implementation efforts.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, to achieve greater integration of FEMA's field leadership components, FEMA's Field Operations Directorate (FOD) convened a Field Leadership Working Group of senior subject matter experts to conduct a mission analysis of FEMA's Field Leadership function (which includes Federal Disaster Recovery Coordinators as well as Federal Coordinating Officers and Incident Management Assistance Teams team leads). According to FEMA, the Working Group was preparing a Field Leader Manual (FLM) for review by FOD leadership. FEMA officials told us that the 2018 Hurricane season led to the deployment of many of FEMA's FOD leaders. These deployments allowed FOD leaders to experience first-hand the connection between regional implementation plans and FDRC performance plans and FEMA said that this knowledge is being integrated into edits of the FLM. In February 2020, FEMA told us that the FOD leadership responsible for the oversight of FDRCs is still determining the timeline to update the FLM based on a realignment of the Field Leadership Cadre. This update will integrate the Federal Coordinating Officers (FCOs) and FDRCs into a single FCO title with professional development specializations in response or recovery. This integration will support all FCOs in having a common baseline of training and experience in both response and recovery. In an August 2020 update, FEMA stated that while they continue to work toward implementing this recommendation, the FOD is currently focused on COVID-19 response efforts and planning for a more severe than average hurricane season. We will continue to monitor FEMA's efforts to see what additional actions the agency takes in response to this recommendation.

Recommendation: To enable a more effective approach in working with states to adopt the NDRF, the Secretary of Homeland Security should direct the Administrator of FEMA to align the annual FDRC performance expectations with clearly defined organizational goals and priorities, consistent with key management practices.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and said it would take steps to implement it. According to FEMA, the Field Leadership Working Group will implement the elements of this recommendation alongside efforts to clarify the role of the regional National Disaster Recovery Framework implementation plans. FEMA told us that the 2018 Hurricane season led to the deployment of many of FEMA's field leaders and these deployments allowed leaders to experience first-hand the connection between FDRC performance expectations and FEMA's organizational goals. According to FEMA, this knowledge is being integrated into edits of the Field Leader Manual (FLM). In February 2020, FEMA told us the FOD leadership responsible for the oversight of FDRCs is working with their partners in FEMA's Recovery and Resilience sections, as well as with the Regions to define performance expectations for steady-state recovery planning and preparedness under the NDRF. This will include identifying who is functionally accountable for these activities, any gaps, and best practices across Regions. In an August 2020 update, FEMA stated that while they continue to work toward implementing this recommendation, the FOD is currently focused on COVID-19 response efforts and planning for a more severe than average hurricane season. We will continue to monitor FEMA's efforts to see what additional actions the agency takes in response to this recommendation.

Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and reported that the department was in the process of addressing it. Specifically, a HHS official reported in August 2020 that the department had created a team to address cloud computing best practices and intended to finalize guidance on SLA key practices by June 2021. We will continue to evaluate the department's progress in implementing this recommendation.

Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

Agency: Department of the Treasury
Status: Open

Comments: In August 2020, an official from the Department of the Treasury (Treasury) reported that the department was in the process of addressing the recommendation. Specifically, a Treasury official reported that the department's Office of the Chief Information Officer was working with the Treasury Senior Procurement Executive to incorporate the key practices identified in our report into Treasury acquisition policy, which was expected to be completed by January 2021. We will continue to monitor the status of this recommendation.

Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and reported that the department was in the process of addressing it. In August 2020, a VA official reported that the department's Office of Information Technology was working to re-write existing SLA documentation following a review from the Office of Inspector General but did not provide a date when the guidance would be finalized. We will continue to monitor the status of this recommendation.

Recommendation: To provide greater assurance that the Interagency Rotation Program for national security personnel will be implemented as provided in section 1107 of the National Defense Authorization Act for Fiscal Year 2013, the Director of the Office of Personnel Management, in collaboration with the Committee on National Security Personnel, should establish a clear leadership and oversight structure to guide future implementation efforts.

Agency: Office of Personnel Management
Status: Open

Comments: OPM generally concurred with the recommendations, but raised issues primarily about the roles and responsibilities that GAO addresses in the report. As of November 2019, OPM has not taken any action on this recommendation.

Recommendation: To provide greater assurance that the Interagency Rotation Program for national security personnel will be implemented as provided in section 1107 of the National Defense Authorization Act for Fiscal Year 2013, the Director of the Office of Personnel Management, in collaboration with the Committee on National Security Personnel, should work with the departments and agencies to identify and take action on necessary next steps to proceed with the program's implementation, including developing and issuing required guidance for implementation within identified timeframes.

Agency: Office of Personnel Management
Status: Open

Comments: OPM generally concurred with the recommendations, but raised issues primarily about the roles and responsibilities that GAO addresses in the report. As of November 2019, OPM has not taken any action on this recommendation.

Recommendation: To help ensure that biosurveillance-related funding is directed to programs that can demonstrate their intended capabilities, and to help ensure sufficient information is known about the current Gen-2 system to make informed cost-benefit decisions about possible upgrades and enhancements to the system, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs and other relevant officials within the Department to not pursue upgrades or enhancements to the current BioWatch system until the Office of Health Affairs (OHA): (1) establishes technical performance requirements, including limits of detection, necessary for a biodetection system to meet a clearly defined operational objective for the BioWatch program by detecting attacks of defined types and sizes with specified probabilities; (2) assesses the Gen-2 system against these performance requirements to reliably establish its capabilities; and (3) produces a full accounting of statistical and other uncertainties and limitations in what is known about the system's capability to meet its operational objectives.

Agency: Department of Homeland Security
Status: Open

Comments: DHS told us in June, 2019 that it terminated the Biodetection Technology Enhancements program to enhance BioWatch. Additionally, DHS is transitioning to a new acquisition program called BioDetection 21 intended to replace BioWatch. We will update the status of this recommendation as we obtain more information about DHS's BioDetection 21 acquisition efforts and the extent to which these efforts are consistent with our recommendation.

Recommendation: To help reduce the risk of acquiring immature detection technologies, the Secretary of Homeland Security should direct the Assistant Secretary for Health Affairs, in coordination with the Under Secretary for Science and Technology, to use the best practices outlined in this report to inform test and evaluation actions for any future upgrades or changes to technology for BioWatch.

Agency: Department of Homeland Security
Status: Open

Comments: DHS told us in June, 2019 that it terminated the Biodetection Technology Enhancements program to enhance BioWatch. Additionally, DHS is transitioning to a new acquisition program called BioDetection 21 intended to replace BioWatch. We will update the status of this recommendation as we obtain more information about DHS's BioDetection 21 acquisition efforts and the extent to which these efforts are consistent with our recommendation.

Recommendation: To help ensure that agencies' policies and oversight are fully consistent with The Attorney General's Guidelines Regarding the Use of Confidential Informants, the Assistant Secretary of ICE and the Commandant of USCG should update their respective agencies' informant policies and corresponding monitoring processes to explicitly address the Guidelines' provisions on oversight of informants' illegal activities.

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: In December 2016, ICE issued a memo regarding changes to its policies for the registration and suitability of confidential informants. The memo included updated forms to oversee those aspects of confidential informant oversight. In April 2017, ICE officials informed GAO that the agency planned for a working group to update the Informants Handbook and the Undercover Operations Handbook. As of October 2018, ICE reported that officials had made draft updates to the handbooks and that these updates were undergoing review. In June 2019, ICE reported that the updates were expected to be finalized in July 2019. The handbook updates had not been finalized as of February 2020, and, at that time, ICE officials reported that the handbooks were undergoing additional updates related to a separate effort unrelated to GAO's recommendation. As of June 2020, ICE officials did not have an estimated completion date for finalizing revisions to the handbooks. When the updated handbooks are available for GAO's review, we will assess the extent to which they address our recommendation.

Recommendation: To increase the efficiency and improve the accuracy of the interagency UAC referral and placement process, the Secretaries of Homeland Security and Health and Human Services should jointly develop and implement a documented interagency process with clearly defined roles and responsibilities, as well as procedures to disseminate placement decisions, for all agencies involved in the referral and placement of UAC in HHS shelters.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: Since our 2015 report, DHS and HHS developed two documents to guide interagency procedures related to the processing of UAC. Specifically, in April 2018, HHS and DHS established a memorandum of agreement regarding information sharing for UAC. Subsequently, on July 31, 2018, DHS and HHS issued a Joint Concept of Operations to memorialize interagency policies, procedures, and guidelines related to the processing of UAC. However, in February 2020, we reported that DHS and HHS officials' indicated that, in practice, the agencies have not resolved long-standing differences in opinion about whether and how agencies are to share information, and what type of information is needed to inform decisions about the care and placement of UAC. In commenting on our draft report, DHS stated that its components are working with HHS to document current information sharing practices, to validate remaining information sharing gaps, and to draft a joint plan between DHS and HHS to ensure that HHS receives information needed to make decisions for UAC. In their comments, HHS officials stated that they intend to reach out to counterparts at DHS in June 2020 to discuss potential periodic updates to the Joint Concept of Operations. In August 2020, DHS informed us that the department is working with HHS to document current information sharing practices, validate gaps, and draft a joint plan between DHS and HHS, among other actions. DHS estimates that it will complete these actions by March 31, 2021. To fully address the recommendation, DHS and HHS should ensure that they have implemented procedures aimed at improving the efficiency and accuracy of the interagency UAC referral and placement process.

Recommendation: To increase the efficiency and improve the accuracy of the interagency UAC referral and placement process, the Secretaries of Homeland Security and Health and Human Services should jointly develop and implement a documented interagency process with clearly defined roles and responsibilities, as well as procedures to disseminate placement decisions, for all agencies involved in the referral and placement of UAC in HHS shelters.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: Since our 2015 report, DHS and HHS developed two documents to guide interagency procedures related to the processing of UAC. Specifically, in April 2018, HHS and DHS established a memorandum of agreement regarding information sharing for UAC. Subsequently, on July 31, 2018, DHS and HHS issued a Joint Concept of Operations to memorialize interagency policies, procedures, and guidelines related to the processing of UAC. However, in February 2020, we reported that DHS and HHS officials' indicated that, in practice, the agencies have not resolved long-standing differences in opinion about whether and how agencies are to share information, and what type of information is needed to inform decisions about the care and placement of UAC. In commenting on our draft report, DHS stated that its components are working with HHS to document current information sharing practices, to validate remaining information sharing gaps, and to draft a joint plan between DHS and HHS to ensure that HHS receives information needed to make decisions for UAC. In their comments, HHS officials stated that they intend to reach out to counterparts at DHS in June 2020 to discuss potential periodic updates to the Joint Concept of Operations. In August 2020, DHS informed us that the department is working with HHS to document current information sharing practices, validate gaps, and draft a joint plan between DHS and HHS, among other actions. DHS estimates that it will complete these actions by March 31, 2021. To fully address the recommendation, DHS and HHS should ensure that they have implemented procedures aimed at improving the efficiency and accuracy of the interagency UAC referral and placement process.

Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

Agency: Congress
Status: Open

Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of July 2020, Congress had not granted NCUA this authority.

Recommendation: To improve the military whistleblower reprisal investigation process and oversight of such investigations, the Secretary of Defense should work in coordination with the Department of Defense Inspector General (DODIG) to direct the services to follow standardized investigation stages and issue guidance clarifying how the stages are defined.

Agency: Department of Defense
Status: Open

Comments: DOD officials concurred with this recommendation and provided an update in May 2019, in which they stated that the office was preparing an issuance for coordination that will direct the services to follow standardized investigation stages and guidance clarifying how the stages are defined. DOD officials estimated that the issuance would be completed by December 31, 2019.

Recommendation: To more accurately communicate DHS's funding plans for USCG's major acquisition programs, the Secretary of Homeland Security should ensure the funding plans presented to Congress in fiscal year 2015 are comprehensive and clearly account for all operations and maintenance funding DHS plans to allocate to each of the USCG's major acquisition programs.

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with this recommendation and stated in their comments that the U.S. Coast Guard and the DHS Chief Financial Officer will develop a plan to address this recommendation by September 30, 2015, then work together to fully implement the plan. DHS estimated it would complete this effort March 31, 2016. However, the USCG encountered technical challenges during this process and was unable to implement the plan by that time. The U.S. Coast Guard has revised the estimated completion date and now anticipates it will be able to address this recommendation in fiscal year 2022. GAO will continue to assess the updated APBs as a part of its annual review of select DHS major acquisition programs to determine whether the department has addressed the recommendation.

Recommendation: To better inform Congress in the future about crop insurance program costs, reduce present costs, and ensure greater actuarial soundness, the Administrator of the U.S. Department of Agriculture's Risk Management Agency should monitor and report on crop insurance costs in areas that have higher crop production risks.

Agency: Department of Agriculture: Risk Management Agency
Status: Open

Comments: As of May 2020, the Department of Agriculture has not taken action to implement this recommendation.

Recommendation: To better inform Congress in the future about crop insurance program costs, reduce present costs, and ensure greater actuarial soundness, the Administrator of the U.S. Department of Agriculture's Risk Management Agency should, as appropriate, increase its adjustments of premium rates in areas with higher crop production risks by as much as the full 20 percent annually that is allowed by law.

Agency: Department of Agriculture: Risk Management Agency
Status: Open

Comments: As of May 2020, the Department of Agriculture has not taken action to implement this recommendation.

Recommendation: To help ensure that the respective DHS and DOD data systems contain sufficiently complete and accurate information to facilitate effective oversight of the personnel security clearance revocation and appeal process, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to take steps to ensure that data are recorded and updated in the Joint Personnel Adjudication System (JPAS) and the department's new systems, so that the relevant fields are filled.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. As of November 2019, DOD requested to close this recommendation per a closure memo signed by Ms. Nancy Spaulding. We are awaiting further documentation supporting the closure of this recommendation.

Recommendation: To help ensure independence and the efficient use of resources, the Secretary of Defense should direct the DOD General Counsel to first, resolve the disagreement about the legal authority to consolidate the PSABs (Personnel Security Appeals Board) and, in collaboration with the PSABs and the Under Secretary of Defense for Intelligence, address any other obstacles to consolidating DOD's PSABs.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation. DOD agreed with us to review legal or other impediments to consolidation, and stated that the DOD Office of General Counsel will address any unresolved disagreements about legal authority for consolidation of PSABs. DOD further commented that the DOD Office of General Counsel will work closely with the Office of the Under Secretary of Defense for Intelligence to address other issues concerning consolidation of PSABs. However, DOD commented that some DOD components disagreed with PSAB consolidation. Specifically, DOD stated that of the eleven components that provided responses to the draft report, eight concurred or had no issues or comments, while the remaining three components noted that the PSABs should remain at the component level and not be consolidated. As of July 2018, DOD stated that the DOD Office of General Counsel is conducting an ongoing review, with all legal opinions contingent upon a USD(I) funded PERSEREC study to determine the feasibility of PSAB consolidation. USD(I) is coordination with OGC in order to provide the results of the study upon completion. DOD estimates this study will be completed in the third or fourth quarter of Fiscal Year 2019. As of November 2019, DOD stated that the PERSEREC study is still ongoing. GAO will continue to monitor the completion of the study.

Recommendation: To help ensure that all employees within DOD receive the same rights during the revocation process, the Secretary of Defense should direct the Secretary of the Navy to revise Secretary of the Navy Manual M-5510.30 to specify that any information collected by the Navy PSAB from the employee's command will be shared with the employee, who will also be given the opportunity to respond to any such information provided.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. As of November 2019, DOD stated that Navy Instruction 5510.30C and concomitant manual M-5510.30 have been revised and are being coordinated throughout the Department of the Navy at every level--to include the Action Officer level. DOD stated the estimated completion date is the third quarter of FY 2019. We have no updates on whether this instruction and the manual are complete. This recommendation will remain open pending further updates from DOD.

Recommendation: To help ensure independence and the efficient use of resources, and, if the General Counsel determines that there are no legal impediments and that other obstacles to consolidation can be addressed, the Secretary of Defense should direct the Defense Legal Services Agency to take steps to implement the Secretary of Defense's direction to consolidate DOD's PSABs.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation. DOD stated that some DOD components disagreed with PSAB consolidation. Specifically, DOD stated that of the eleven components that provided responses to the draft report, eight concurred or had no issues or comments, while the remaining three components noted that the PSABs should remain at the component level and not be consolidated. One of these three components also commented that the perceived efficiencies from consolidation described in our report should be validated and that all models for consolidation should be evaluated before a decision is made that would consolidate the PSABs. DOD's comments reflect internal disagreement, which corroborates our finding that there is disagreement within DOD on the legal authority, risks, and benefits of consolidating the department's multiple appeals boards. As we also note in our report, the Secretary of Defense has already directed this consolidation. As of November 2019, DOD stated that the Office of General Counsel's determination on the legal impediments to consolidation is contingent upon the results of the PERSEREC study, which will assess the feasibility of PSAB consolidation. The study results will inform the OGC decision. DOD estimates this study will be completed in the third or fourth quarter of Fiscal Year 2019. However, the study has not been released yet. This recommendation will remain open until DOD takes steps to consolidate the PSABs.

Recommendation: To help ensure that all employees within DOD receive the same rights during the revocation process, the Secretary of Defense should direct the Secretary of the Army to revise Army Regulation 380-67 to specify that any information collected by the Army PSAB from the employee's command or by the Army PSAB itself will be shared with the employee, who will also be given the opportunity to respond to any such information provided.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. As of July 2018, DOD stated that the Army updated its PSAB guidance in 2016 to include the GAO-recommended verbiage regarding new information. Similar language will also be incorporated in Army Regulation 380-67, which is currently under revision. DOD estimates the revision will be completed in the fourth quarter of Fiscal Year 2019. As of November 2019, no further updates were provided by DOD. GAO will monitor the status of this regulation and assess whether the revised regulation meets the intent of this recommendation.

Recommendation: To help ensure that all employees are treated fairly and receive the protections established in the executive order, the Secretary of Homeland Security should direct the Commandant, U.S. Coast Guard, to revise the Coast Guard instruction for military personnel to specify that military personnel may be represented by counsel or other representatives at their own expense.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with our recommendation. As of August 2018, the Commandant of the Coast Guard issued a policy message stating that individuals may have counsel or other representatives present at the service member's own expense. According to a Coast Guard official, this message serves as interim guidance until the personnel security manual can be finalized. Coast Guard officials stated that the manual will be undergoing revision, and is expected to be updated at the end of March 2019 . We are awaiting documentation from the Coast Guard that this manual is complete. This recommendation will remain open until the Coast Guard finalizes the update to its manual in accordance with our recommendation.

Recommendation: To facilitate department-wide review and assessment of the quality of the personnel security clearance revocation process, the DNI should, in consultation with the Secretaries of Defense and Homeland Security, develop performance measures to better enable them to identify and resolve problems, and direct the collection of related revocation and appeals information.

Agency: Office of the Director of National Intelligence
Status: Open

Comments: ODNI concurred with our recommendation. As of November 2019, ODNI stated that review proceedings considerations have been a focus of the ongoing Trusted Workforce 2.0 discussions with a view toward whether policy changes were necessary. ODNI further stated that one key to further examination of this issue is to gather metrics which can inform any subsequent adjustment to the current Executive Branch revocation and review proceedings area. They stated that metrics collection has begun with a January 2019 data call which includes the capture of metrics on denials, revocations, and national security adjudications resulting in an adverse adjudication of eligibility for access to classified information or eligibility to hold a sensitive position. Metrics collected is expected to be completed in 2020. When we confirm what data fields are included in the metrics collection and whether this meets the intent of our recommendation, we will provide further updates.

Recommendation: To facilitate coordination between personnel security and human capital offices regarding how a security clearance revocation should affect an employee's employment status, and to help ensure that individuals are treated in a fair and consistent manner, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in consultation with the Under Secretary of Defense for Intelligence, to review and revise policy regarding coordination between the personnel security and human capital offices to clarify what information can and should be communicated between human capital and personnel security officials at specified decision points in the revocation process, and when that information should be communicated.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. As of November 2019, DOD stated that USD(I) has formed a working group to develop a new DOD manual that would respond to this recommendation. DOD further stated that this working group has completed the first half of the manual and will finish the initial review by the fourth quarter of FY 2019. Estimated completion date for the manual is the first quarter of FY 2020. This recommendation remains open pending the department's issuance of this manual.

Recommendation: To help ensure that the DNI report to Congress contains accurate data about the number of current DOD military and federal civilian employees eligible to access classified information, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence and the Under Secretary of Defense for Personnel and Readiness to review and analyze the discrepancies in the total number of employees and the number of employees eligible to access classified information, and take immediate steps to address the problems.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. As of August 2018, DOD stated that this recommendation is tied to recommendation 2 regarding updating information in JPAS and DISS. Officials from the Office of the Under Secretary of Defense for Intelligence (USD(I) is facilitating Data Quality Initiatives to identify where gaps may exist and ensure all pertinent data is recorded and updated in JPAS and its successor system, DISS. Officials stated that there is an annual or quarterly service specific personnel center synchronization effort to match the data in JPAS and the personnel centers. Since publication of our report through December 2017, DMDC has conducted 413 DQIs to evaluate and correct data anomalies in JPAS. Further, on a monthly basis, the Office of the Under Secretary of Defense for Intelligence (OUSD(I)), the Defense Manpower Data Center (DMDC), the Office of Personnel Management (OPM), DOD components, and industry participate in a meeting which addresses actions to improve the accuracy of information in JPAS. GAO will monitor fielding of the new system and in the process of validating DOD officials' statements that discrepancies have been substantially resolved. As of November 2019, DOD requested to close this recommendation per a closure memo signed by Ms. Nancy Spaulding. We are awaiting further documentation supporting the closure of this recommendation.

Recommendation: To help ensure that similarly situated individuals are treated consistently, and to facilitate oversight and help ensure the quality of the security clearance revocation process, the DNI should review whether the existing security clearance revocation process is the most efficient and effective approach. In this review, the DNI should consider whether there should be a single personnel security clearance revocation process used across all executive-branch agencies and workforces, with consideration of areas such as the timing of the personal appearance in the revocation process, and the ability to cross-examine witnesses. Further, to the extent that a single process or changes to the existing parallel processes are warranted, the DNI should consider whether there is a need to establish any policies and procedures to facilitate a more consistent process, and recommend as needed any revisions to existing executive orders or other executive-branch guidance.

Agency: Office of the Director of National Intelligence
Status: Open

Comments: ODNI concurred with our recommendation. As of November 2019, ODNI stated that there is not currently an ongoing effort to review the security clearance revocation process across all executive branch agencies and workforces. Instead, the Trusted Workforce 2.0 efforts is conducting an end-to-end review of the current security clearance process for the executive branch and ODNI is currently gathering metrics on adverse security actions which can inform any subsequent determination on whether the revocation process requires policy adjustment by the DNI. When we confirm what actions DNI has taken in response to this recommendation, we will provide updated information.

Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to improve transparency of and accountability for PortfolioStat by publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2019, OMB had taken steps to improve transparency of and accountability for PortfolioStat, as GAO recommended in November 2013. In October 2015, the agency started displaying actual data consolidation savings data on the federal information technology (IT) dashboard. As of April 2018, however, OMB was not requiring that agencies report planned PortfolioStat cost savings stating this was as a result of agency feedback, and streamlining of data collection efforts based upon the decision that reporting on realized cost savings is more valuable than reporting on planned or projected cost savings.In March 2019, OMB stated that it was "exploring better approaches to cost savings as reported by agencies to the IT Dashboard." We are following up with OMB to determine whether these approaches include publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

Agency: Department of Commerce
Status: Open

Comments: In October 2018, the Commerce described its process for updating its IT asset inventory as part of the budget formulation process and provided a mapping of investments to its enterprise architecture as evidence that it had implemented this recommendation. However, the department did not provide any policies and procedures supporting the process it described to us. In addition, it did not provide any evidence of controls to ensure that all investments had been captured in the enterprise architecture. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to develop a complete commodity IT baseline.

Agency: Department of Commerce
Status: Open

Comments: In October 2018, Commerce officials told GAO about actions taken that they believed addressed the recommendation and provided supporting documentation. Specifically, they stated that they send out an annual data call for bureaus to provide their IT asset inventory as part of the budget submission process. They stated they also perform department-level validation of the bureaus' inventories and aggregate them into a single department inventory. As evidence, they provided a data call memo with supporting instructions and a template for bureaus to establish an IT asset inventory. They also provided examples of three bureau inventories received in response to data calls. In addition, they provided the final aggregated inventory (for fiscal year 2017) and department-level validation of bureau submissions. However, the department did not provide any policies or procedures documenting the process they described. In addition, we could not determine whether the creation of the department-wide inventory was a one-time effort or a recurring activity. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to develop a complete commodity IT baseline.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In January 2019, our contact from the Office of the Chief Information Officer told us that the department had recently established an IT Purchase Request (ITPR) process for controlling spending that had a built-in IT asset inventory process that would address the recommendation. In August 2019, we received documentation on the ITPR process as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, in the future reporting to OMB, the Secretary of Defense should direct the CIO to fully describe the following PortfolioStat action plan element: consolidate commodity IT spending under the agency CIO.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with the recommendation, stating that the commodity IT construct implemented by OMB with PortfolioStat did not work with the department's federated management process. However, the department agreed that a strategy, consistent with the intent of achieving better buying power and control of commodity IT items, should be developed and implemented within the department using existing authorities and stated that it was in the process of implementing this strategy. In January 2019, the Office of the Chief Information Officer's Director for Performance Management stated that while the CIO did not have the authority to consolidate commodity IT spending, the department had taken actions he believed addressed the intent of the recommendation to gain visibility into IT spending. Specifically, he stated that the department established a policy to leverage its buying power for commodity IT purchases (for example for software licenses). In addition, the department recently established an IT Purchase Request (ITPR) process for controlling IT spending. In August 2019, we received documentation related to those actions as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to obtain support from the relevant component agencies for the estimated savings for fiscal years 2013 to 2015 for the data center consolidation, enterprise software purchasing, and General Fund Enterprise Business System initiatives.

Agency: Department of Defense
Status: Open

Comments: The department of Defense concurred with the recommendation and stated that it already reported data center consolidation savings and would continue to realize savings from the Enterprise Software Initiative, other strategic sourcing efforts and the implementation of the General Fund Enterprise Business System initiatives. Through other engagements, in August 2016, we had collected support for data center consolidation and Enterprise Software Initiative savings for fiscal years 2013 to 2015. In January 2019, the Office of the Chief Information Officer's Director for Performance Management told us that the department had not been tracking savings generated by other commodity IT initiatives due to the difficulty in doing so, however, it was tracking an "other" category of savings through OMB's integrated data collection instrument (IDC) process which he believed the intent of our recommendation. He noted that the "other" category tracks savings from various OMB IT reform initiatives. Mr. Johnson said he had sent a recent IDC report along with supporting documentation to GAO to address a recommendation made in GAO-15-296. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, in future reporting to OMB, the Secretary of Defense should direct the Secretary of the Army to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense concurred with the recommendation and stated that, in the future, USACE would fully describe the four action plan elements when reporting to OMB. In August 2016, the department reported that it had addressed and closed the recommendation in February 2015 and cited policies, procedures, and other supporting documentation as evidence. However, the department did not provide the supporting documentation. In April 2018, the department provided several documents as evidence of its efforts to address this recommendation, including an order outlining the capital planning investment management process for the fiscal year 2017. We determined that the documents did not support the department's claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.

Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, the Secretary of Defense should direct the Secretary of the Army to report on the agency's progress in consolidating eCPIC to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In August 2016, the department reported that it had addressed and closed the recommendation in October 2014 and described several actions that it believed contributed to addressing the recommendation, including, continued improvements to data center reporting, and greater understanding of IT infrastructure costs. However, the department did not provide any documentation to support its claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to develop a complete commodity IT baseline.

Agency: Environmental Protection Agency
Status: Open

Comments: In September 2016, we reported that the Environmental Protection Agency's (EPA) Registry of Environmental Protection Agency Applications, Models and Databases (READ) system had a complete inventory of enterprise IT and business systems-two of three categories of IT assets that make up a commodity IT baseline-and that the agency had processes in place to regularly update this inventory to ensure its completeness (see GAO-16-511). We have been following up with EPA to obtain its inventory of IT infrastructure systems-the third commodity IT category--and determine the agency's process to ensure the completeness of this inventory. In a December 2019 update, EPA told us that it was working on a response to the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Environmental Protection Agency should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; and (3) establish criteria for identifying wasteful, low-value, or duplicative investments.

Agency: Environmental Protection Agency
Status: Open

Comments: In November 2016, the Environmental Protection Agency (EPA) reported making progress in addressing the three action plan elements through implementation of the Federal Information Technology Acquisition Reform Act (FITARA) and efforts to assess applications in its inventory. In June 2019, the agency provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to report on the agency's progress in consolidating the managed print services and strategic sourcing of end user computing to shared services as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Environmental Protection Agency
Status: Open

Comments: Between July and December 2016, the Environmental Protection Agency (EPA) reported that it had implemented a managed print service contract for headquarters in 2014 and was preparing to award a new contract to also cover its regions. The agency also reported that it plans to use one of the government-wide contracts identified in OMB's policy on improving the acquisition and management of common IT for its end user computing needs. EPA, however, did not provide documentation supporting these efforts. In a December 2019 update, EPA told us that it was working on a response to the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, the Attorney General should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

Agency: Department of Justice
Status: Open

Comments: In October 2019, the department stated that its budget formulation process ensures that all investments are included in its enterprise architecture (EA). Specifically, the department stated that, as part of the budget formulation process, the EA group reviews investments and aligns them to the business areas within the EA framework by assigning them business reference model codes. To support its claims, in November 2019, the department provided a list of investments showing their alignment with the business reference model codes for the fiscal year 2021 budget formulation process. However, the department did not provide evidence of the EA group's review process. As of January 2020, we were following up with the department to obtain this evidence.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the National Aeronautics and Space Administration should direct the CIO to reflect 100 percent of information technology investments in the agency's enterprise architecture.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: In February 2018, NASA reported that it was making revisions to its enterprise architecture policy that would assist with ensuring that 100 percent of the agency's information technology investments are in the enterprise architecture. In July and December 2018, the agency provided updates on its efforts along with supporting documentation, though not enough to fully address the recommendation. In July 2019, the agency stated it also had efforts underway to centralize IT governance under the Chief Information Officer and this would contribute to reflect all investments in the enterprise architecture. The agency stated it would continue to update us on the status of its efforts to address the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to develop a complete commodity IT baseline.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, OPM stated that it was developing a service catalog with cost information and allocation components which together with the agency's software inventory would be used for cost avoidance moving forward. However, OPM did not provide supporting documentation. In addition, it was not clear whether the service catalog and software inventory would together include enterprise IT, IT infrastructure, and business systems, the three categories of IT assets that comprise a commodity IT baseline. We will continue to monitor OPM's efforts to address the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the Office of Personnel Management should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) move at least two commodity IT areas to shared services and (2) target duplicative systems or contracts that support common business functions for consolidation.

Agency: Office of Personnel Management
Status: Open

Comments: In October 2018, OPM provided evidence that it had addressed the action plan element regarding the migration of two commodity IT areas to shared services. Specifically, OPM provided an August 2016 interagency agreement showing plans to migrate its financial management system to a shared service and a May 2018 interagency agreement showing plans to migrate its human resources and time and attendance system to a shared service. However, the interagency agreements were not signed. Regarding the action plan element to target duplicative systems or contracts that support common business functions for consolidation, OPM stated did that it had targeted laptops and mobile phones for consolidation. In addition, OPM did not provide any evidence of reporting to OMB for either action plan element. In February 2020, OPM stated that, in addition to entering into an interagency agreement for its financial management system and consolidating the procurement of agency-wide laptops and cellphones using an enterprise wide contract, it was also working to close two of its five major data centers to consolidate to three. OPM said that it was gathering the documentation to support its claims.

Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to report on the agency's progress in consolidating the help desk consolidation and IT asset inventory to shared services as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, OPM stated that its IT help desk function had become a shared service starting in October 2019. However, OPM did not provide supporting documentation. In addition, OPM stated it did not have any updates on the IT asset inventory. We will continue to monitor the agency's efforts to address this recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of the Treasury should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

Agency: Department of the Treasury
Status: Open

Comments: In September 2014, the Department of the Treasury reported that it did not plan to consolidate commodity IT spending under the agency CIO. Specifically, the department stated that commodity IT investment decisions were consolidated under the Treasury Technology Investment Review Board which is co-chaired by the agency CIO and Assistant Secretary for Management; and that it did not see the benefit of combining the budget authorities of the various bureau infrastructure investments. In regards to establishing criteria to identify wasteful, low-value, and duplicative investments, in September 2014, the department stated that the Treasury Technology Investment Review Board and Technology Advisory Working Group had established an approach that considers risk, value and cost in reviewing investment requests to identify wasteful, low-value, and duplicative investments. As of May 2019, we were reviewing documentation we received from the department in September 2018 to determine whether the recommendation has been fully addressed.

Recommendation: To improve the department's implementation of PortfolioStat, as the department finalizes and matures its enterprise architecture and valuation methodology, the Secretary of the Treasury should direct the CIO to utilize these processes to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

Agency: Department of the Treasury
Status: Open

Comments: In September 2014, the Department of the Treasury described several examples of processes it had established to identify opportunities to reduce duplicative, low-value or wasteful investments, including annual reviews of each major IT investment and monthly portfolio reviews. As of May 2019, we were reviewing updated information we received in September 2018 to determine whether the recommendation has been fully addressed.

Recommendation: To help ensure that FEMA's agencywide workforce planning and training efforts are conducted in a comprehensive and integrated manner, the FEMA Administrator should identify and document long-term and quantifiable mission critical goals that reflect the agency's priorities for workforce planning and training.

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: In October 2016, agency officials said they had contracted for the development of a Workforce Strategic Plan that is intended to assess current steady state staffing needs based on mission requirements and establish workforce models capable of determining future needs based on workload drivers. Further, they said the plan will monitor and evaluate FEMA's progress towards mission critical goals and the contribution that human capital results have made towards achieving programmatic priorities. In July 2017, they provided an updated estimate that the plan will be completed by June 2020. Pending completion of this effort, the recommendation will remain open. As of February 2020, GAO is awaiting additional information about these actions.

Recommendation: To help ensure that FEMA's agencywide workforce planning and training efforts are conducted in a comprehensive and integrated manner, the FEMA Administrator should establish a time frame for completing the development of quantifiable performance measures related to workforce planning and training efforts.

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: In October 2016, agency officials said they had contracted for the development of a Workforce Strategic Plan that is intended to assess current steady state staffing needs based on mission requirements and establish workforce models capable of determining future needs based on workload drivers. Once complete, they said the plan will identify performance metrics to track FEMA's progress towards mission critical goals regarding workforce planning and training efforts. In July 2017, they provided an updated estimate that the plan will be completed by June 2020. Pending completion of this effort, the recommendation will remain open. As of February 2020, GAO is awaiting additional information about this effort.

Recommendation: To better inform FEMA's decision-making related to agencywide workforce planning and training efforts, the FEMA Administrator should develop systematic processes to collect and analyze workforce and training data.

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: In July 2017, officials reported that FEMA's Chief Component Human Capital Office was preparing a Training Plan that will outline the collection and analysis methodology of training data with an estimated completion date of September 2018. Pending documentation of the results of these efforts, this recommendation will remain open. As of February 2020, GAO is awaiting additional information about these efforts.

Recommendation: Congress may wish to consider requiring the Departments of Justice, Homeland Security, and Treasury to collaborate on the development and implementation of a joint radio communications solution. Specifically, Congress may wish to consider requiring the departments to (1) establish an effective governance structure that includes a formal process for making decisions and resolving disputes, (2) define and articulate a common outcome for this joint effort, and (3) develop a joint strategy for improving radio communications.

Agency: Congress
Status: Open

Comments: Legislation has been enacted to provide funding for, among other things, the development of a nationwide, interoperable broadband network that is aimed at improving interoperable radio communications among public safety officials. However, the use of the broadband network by public safety users will be voluntary. In addition, officials from the Departments of Justice, Homeland Security, and the Treasury stated that, once mission-critical voice capabilities have been developed for the broadband network, their respective departments will determine whether they will use the network to support their mission-critical operations. Therefore, until the three departments have the information they need to make a decision to use the nationwide public safety broadband network to support mission critical voice capabilities, it is uncertain if the legislation will remedy these agencies' fragmented approaches to improving interoperable radio communications. As of March 2020, there has been no legislative action taken in the current Congress.

Recommendation: To provide more efficient, consistent, and effective federal oversight of the nation's food supply, Congress should consider commissioning the National Academy of Sciences or a blue ribbon panel to conduct a detailed analysis of alternative organizational food safety structures and report the results of such an analysis to Congress.

Agency: Congress
Status: Open

Comments: The 2002 Farm Security and Rural Investment Act (2002 Farm Bill) established a national Food Safety Commission charged with making specific recommendations for drafting legislative language. Among other things, the Commission was to make recommendations on how to improve the food safety system, create a harmonized, central framework for managing federal food safety programs, and enhance the effectiveness of federal food safety resources. However, as of January 2017, as far as current staff can ascertain, the Commission was never formed, and no recommendations were ever produced. Thus, although Congress acted to create a food safety commission through legislation, the substance of our matter--recommendations for analyzing alternative food safety structures--was not implemented. GAO subsequently made the same matter for congressional consideration in several later products, and the matter also appeared in the annual GAO Duplication, Overlap, and Fragmentation Report. As of March 2020, it remained unaddressed.